diff --git a/packages/auth/src/middleware/authenticated.js b/packages/auth/src/middleware/authenticated.js
index e8fbb56fb0..c79725233f 100644
--- a/packages/auth/src/middleware/authenticated.js
+++ b/packages/auth/src/middleware/authenticated.js
@@ -75,11 +75,15 @@ module.exports = (noAuthPatterns = [], opts) => {
         }
       }
       const apiKey = ctx.request.headers[Headers.API_KEY]
+      const tenantId = ctx.request.headers[Headers.TENANT_ID]
       // this is an internal request, no user made it
       if (!authenticated && apiKey && apiKey === env.INTERNAL_API_KEY) {
         authenticated = true
         internal = true
       }
+      if (!user && tenantId) {
+        user = { tenantId }
+      }
       // be explicit
       if (authenticated !== true) {
         authenticated = false