diff --git a/.travis.yml b/.travis.yml
index da25b558..5b392be0 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -14,6 +14,8 @@ env:
 - AWS_ACCESS_KEY_ID=AKIAIJKCIEXQV7AKWAXA
 - secure: 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
+ #Allow GQL Anon (No JWT Tokens)
+ - ALLOW_ANON=true
 # list of build stages to run. Stages with the same name get run in parallel.
 jobs:
 include:
diff --git a/server/src/main.js b/server/src/main.js
index 7b790f2c..cae4df9c 100644
--- a/server/src/main.js
+++ b/server/src/main.js
@@ -54,7 +54,6 @@ const postJWTAuth = ({ id, device }) => {
 },
 });
 } else {
- // If we didnt allow anon access we would reject the promise here
 returnUser = User.findById(DEFAULT_USER_ID);
 returnDevice = Device.findOne({
 where: {
@@ -63,7 +62,6 @@ const postJWTAuth = ({ id, device }) => {
 },
 });
 }
-
 return Promise.resolve({ user: returnUser, device: returnDevice });
 };
@@ -75,7 +73,7 @@ app.use(
 // used by later middleware for authorization and access control.
 jwt({
 secret: JWT_SECRET,
- credentialsRequired: false,
+ credentialsRequired: !process.env.ALLOW_ANON,
 }),
 graphqlExpress(req => postJWTAuth(
 req.user ? { id: req.user.id, device: req.user.device } : { id: null, device: null },
@@ -85,8 +83,9 @@ app.use(
 user,
 device,
 },
- })).catch(() => Promise.reject(Error('Unauthorised'))),
- ));
+ })).catch(() => false),
+ ),
+);
 app.use('/graphiql', graphiqlExpress(req => ({
 endpointURL: '/graphql',
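Review bot: `ALLOW_ANON=true` is added to the global CI `env`, so every Travis job runs with the JWT requirement switched off and the suite never exercises the token-required mode that is presumably the production default. Consider scoping the variable to the one job that needs it, or adding a matrix entry with it unset so both modes are covered. As a side note on the surrounding context, the `AWS_ACCESS_KEY_ID` line above is committed in plaintext; the key ID alone is not a secret, but it is conventionally kept inside the encrypted `secure:` block with the rest of the credentials.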
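Review bot: `credentialsRequired: !process.env.ALLOW_ANON` only tests the environment string for truthiness, so `ALLOW_ANON=false` or `ALLOW_ANON=0` still turns the JWT requirement off — the gate fails open on any non-empty value. Compare against an explicit literal, `credentialsRequired: process.env.ALLOW_ANON !== 'true',`, and ideally read the flag once into a module-level constant so the HTTP and WebSocket paths cannot drift; the same `!process.env.ALLOW_ANON` test appears in the subscription `onConnect` hunk below. The enclosing `app.use(` call begins before this hunk and ends after it.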
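Review bot: `.catch(() => false)` swallows every failure out of `postJWTAuth` — a database error or a missing `DEFAULT_USER_ID` row included — and hands `false` to `graphqlExpress` as its options value instead of the `Unauthorised` rejection the removed line produced; what the middleware does with a `false` options value I cannot confirm from here, but it will not be an authentication error the client can act on. If the intent is only that a missing token is now rejected earlier by express-jwt, keep the rejection for the remaining failure modes, e.g. `.catch(() => Promise.reject(Error('Unauthorised'))),`, or at minimum log the error before dropping it. The enclosing `app.use(` call begins before this hunk.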
@@ -105,11 +104,15 @@ SubscriptionServer.create({
 subscribe,
 onConnect(connectionParams) {
 // theres no standard auth header in WS so we use jwt connection param
+ if (!connectionParams.jwt && !process.env.ALLOW_ANON) {
+ return Promise.reject(Error('Unauthorised'));
+ }
 return jsonwebtoken.verify(connectionParams.jwt || null, JWT_SECRET, (err, decoded) =>
 postJWTAuth(!err ? { id: decoded.id, device: decoded.device } : { id: null, device: null })
 .then(({ user, device }) => ({ user, device }))
- .catch(() => Promise.error('Unauthorised')),
+ .catch(() => Promise.reject(Error('Unauthorised')),
+ ),
 );
 },
 // unpack the subscription request and load it into context
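Review bot: The rejection added on the new `.catch` line is unobservable, because the context line above calls `jsonwebtoken.verify` in its callback form — as far as I recall that form returns `undefined` and discards the callback's return value — so `onConnect` resolves to `undefined`, the subscription is accepted with no user in context, and the `Promise.reject` only surfaces as an unhandled-rejection warning. The new guard also only rejects an absent token: a present-but-invalid `connectionParams.jwt` passes it and then takes the `!err ? … : { id: null, device: null }` fallback to the default user even when `ALLOW_ANON` is unset, and `!process.env.ALLOW_ANON` has the same truthiness problem as the HTTP middleware (`ALLOW_ANON=false` still allows anonymous access). Verifying synchronously, rejecting an invalid token when anonymous access is off, and returning the `postJWTAuth` promise makes the rejection actually reach `SubscriptionServer`. The `SubscriptionServer.create({` call begins before this hunk and ends after it.
```javascript
  onConnect(connectionParams) {
    // theres no standard auth header in WS so we use jwt connection param
    const allowAnon = process.env.ALLOW_ANON === 'true';
    if (!connectionParams.jwt && !allowAnon) {
      return Promise.reject(Error('Unauthorised'));
    }
    // Synchronous verify: throws on a missing/invalid token instead of taking a
    // callback, so the promise returned below is what onConnect actually returns.
    let decoded = null;
    try {
      decoded = jsonwebtoken.verify(connectionParams.jwt || null, JWT_SECRET);
    } catch (err) {
      // a presented but invalid token must not degrade to the anonymous user
      if (!allowAnon) return Promise.reject(Error('Unauthorised'));
    }
    return postJWTAuth(decoded ? { id: decoded.id, device: decoded.device } : { id: null, device: null })
      .then(({ user, device }) => ({ user, device }))
      .catch(() => Promise.reject(Error('Unauthorised')));
  },
```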