diff --git a/config.go b/config.go
index 080af6ad3..28d4d9b49 100644
--- a/config.go
+++ b/config.go
@@ -38,6 +38,7 @@ func newDefaultConfig() *Config {
 		ClientAuthMethod:              authMethodBasic,
 		CookieAccessName:              accessCookie,
 		CookieRefreshName:             refreshCookie,
+		UseAuthorizationHeader:        true,
 		EnableAuthorizationCookies:    true,
 		EnableAuthorizationHeader:     true,
 		EnableDefaultDeny:             true,
diff --git a/doc.go b/doc.go
index b5cf9e5be..575fbb619 100644
--- a/doc.go
+++ b/doc.go
@@ -197,6 +197,9 @@ type Config struct {
 	// ResponseHeader is a map of response headers to add to the response
 	ResponseHeaders map[string]string `json:"response-headers" yaml:"response-headers" usage:"custom headers to added to the http response key=value"`
 
+	// UseAuthorizationHeader indicates if we should read the token from the Authorization header
+	UseAuthorizationHeader bool `json:"use-authorization-header" yaml:"use-authorization-header" usage:"indicates if we should read token from Authorization header" env:"USE_AUTHORIZATION_HEADER"`
+
 	// EnableSelfSignedTLS indicates we should create a self-signed ceritificate for the service
 	EnabledSelfSignedTLS bool `json:"enable-self-signed-tls" yaml:"enable-self-signed-tls" usage:"create self signed certificates for the proxy" env:"ENABLE_SELF_SIGNED_TLS"`
 	// SelfSignedTLSHostnames is the list of hostnames to place on the certificate
diff --git a/session.go b/session.go
index d58ce67b9..0e764d7f9 100644
--- a/session.go
+++ b/session.go
@@ -29,7 +29,7 @@ import (
 func (r *oauthProxy) getIdentity(req *http.Request) (*userContext, error) {
 	var isBearer bool
 	// step: check for a bearer token or cookie with jwt token
-	access, isBearer, err := getTokenInRequest(req, r.config.CookieAccessName)
+	access, isBearer, err := getTokenInRequest(req, r.config.CookieAccessName, r.config.UseAuthorizationHeader)
 	if err != nil {
 		return nil, err
 	}
@@ -69,18 +69,27 @@ func (r *oauthProxy) getRefreshTokenFromCookie(req *http.Request) (string, error
 }
 
 // getTokenInRequest returns the access token from the http request
-func getTokenInRequest(req *http.Request, name string) (string, bool, error) {
+func getTokenInRequest(req *http.Request, name string, useAuthorizationHeader bool) (string, bool, error) {
 	bearer := true
-	// step: check for a token in the authorization header
-	token, err := getTokenInBearer(req)
-	if err != nil {
-		if err != ErrSessionNotFound {
-			return "", false, err
-		}
-		if token, err = getTokenInCookie(req, name); err != nil {
-			return token, false, err
+	var token string
+	if useAuthorizationHeader {
+		// step: check for a token in the authorization header
+		token, err := getTokenInBearer(req)
+		if err != nil {
+			bearer = false
+			if err != ErrSessionNotFound {
+				return "", bearer, err
+			}
+			if token, err = getTokenInCookie(req, name); err != nil {
+				return token, bearer, err
+			}
 		}
+	} else {
+		// step: check for a token in cookie
 		bearer = false
+		if token, err := getTokenInCookie(req, name); err != nil {
+			return token, bearer, err
+		}
 	}
 
 	return token, bearer, nil
diff --git a/session_test.go b/session_test.go
index ea91ab697..c0649f2c0 100644
--- a/session_test.go
+++ b/session_test.go
@@ -124,7 +124,7 @@ func TestGetTokenInRequest(t *testing.T) {
 				})
 			}
 		}
-		access, bearer, err := getTokenInRequest(req, defaultName)
+		access, bearer, err := getTokenInRequest(req, defaultName, true)
 		switch x.Error {
 		case nil:
 			assert.NoError(t, err, "case %d should not have thrown an error", i)