diff --git a/packages/client/src/render/getAppId.js b/packages/client/src/render/getAppId.js
index 8ac2dbc79b..6d3df8eac2 100644
--- a/packages/client/src/render/getAppId.js
+++ b/packages/client/src/render/getAppId.js
@@ -1,8 +1,9 @@
-export const getAppId = cookie => {
-  const base64Token = cookie
-    .split(";")
-    .find(c => c.trim().startsWith("budibase:token"))
-    .substring(lengthOfKey)
+export const getAppId = docCookie => {
+  const cookie =
+    docCookie.split(";").find(c => c.trim().startsWith("budibase:token")) ||
+    docCookie.split(";").find(c => c.trim().startsWith("builder:token"))
+
+  const base64Token = cookie.substring(lengthOfKey)
 
   const user = JSON.parse(atob(base64Token.split(".")[1]))
   return user.appId
diff --git a/packages/client/src/render/screenRouter.js b/packages/client/src/render/screenRouter.js
index ae11c10949..fb0b005096 100644
--- a/packages/client/src/render/screenRouter.js
+++ b/packages/client/src/render/screenRouter.js
@@ -79,7 +79,7 @@ export const screenRouter = ({ screens, onScreenSelected, window }) => {
     )
       return
 
-    const target = x.target || "_self"
+    const target = (x && x.target) || "_self"
     if (!y || target !== "_self" || x.host !== location.host) return
 
     e.preventDefault()
diff --git a/packages/client/src/state/bbComponentApi.js b/packages/client/src/state/bbComponentApi.js
index b022ddca27..112e3e8534 100644
--- a/packages/client/src/state/bbComponentApi.js
+++ b/packages/client/src/state/bbComponentApi.js
@@ -9,16 +9,16 @@ export const bbFactory = ({
   componentLibraries,
   onScreenSlotRendered,
 }) => {
-  const apiCall = method => (url, body) =>
-    fetch(url, {
+  const apiCall = method => (url, body) => {
+    return fetch(url, {
       method: method,
       headers: {
         "Content-Type": "application/json",
-        "x-user-agent": "Budibase Builder",
       },
       body: body && JSON.stringify(body),
       credentials: "same-origin",
     })
+  }
 
   const api = {
     post: apiCall("POST"),
diff --git a/packages/server/src/api/controllers/auth.js b/packages/server/src/api/controllers/auth.js
index 88eb86c472..e9570e270f 100644
--- a/packages/server/src/api/controllers/auth.js
+++ b/packages/server/src/api/controllers/auth.js
@@ -55,9 +55,14 @@ exports.authenticate = async ctx => {
       expiresIn: "1 day",
     })
 
-    const ONE_DAY_FROM_NOW = new Date(Date.now() + 24 * 3600)
+    const expires = new Date()
+    expires.setDate(expires.getDate() + 1)
 
-    ctx.cookies.set("budibase:token", token, { expires: ONE_DAY_FROM_NOW })
+    ctx.cookies.set("budibase:token", token, {
+      expires,
+      path: "/",
+      httpOnly: false,
+    })
 
     ctx.body = {
       token,
diff --git a/packages/server/src/api/controllers/static.js b/packages/server/src/api/controllers/static.js
index 181af162c5..2f0ea8f4b0 100644
--- a/packages/server/src/api/controllers/static.js
+++ b/packages/server/src/api/controllers/static.js
@@ -6,10 +6,13 @@ const {
 } = require("../../utilities/budibaseDir")
 const setBuilderToken = require("../../utilities/builder/setBuilderToken")
 const { ANON_LEVEL_ID } = require("../../utilities/accessLevels")
+const jwt = require("jsonwebtoken")
 
 exports.serveBuilder = async function(ctx) {
   let builderPath = resolve(__dirname, "../../../builder")
-  setBuilderToken(ctx)
+  if (ctx.file === "index.html") {
+    setBuilderToken(ctx)
+  }
   await send(ctx, ctx.file, { root: ctx.devPath || builderPath })
 }
 
@@ -24,11 +27,12 @@ exports.serveApp = async function(ctx) {
   // only set the appId cookie for /appId .. we COULD check for valid appIds
   // but would like to avoid that DB hit
   if (looksLikeAppId(ctx.params.appId) && !ctx.isAuthenticated) {
-    const anonToken = {
+    const anonUser = {
       userId: "ANON",
       accessLevelId: ANON_LEVEL_ID,
       appId: ctx.params.appId,
     }
+    const anonToken = jwt.sign(anonUser, ctx.config.jwtSecret)
     ctx.cookies.set("budibase:token", anonToken, {
       path: "/",
       httpOnly: false,
diff --git a/packages/server/src/middleware/authenticated.js b/packages/server/src/middleware/authenticated.js
index 2318512eea..36e2776abe 100644
--- a/packages/server/src/middleware/authenticated.js
+++ b/packages/server/src/middleware/authenticated.js
@@ -16,12 +16,8 @@ module.exports = async (ctx, next) => {
 
   const appToken = ctx.cookies.get("budibase:token")
   const builderToken = ctx.cookies.get("builder:token")
-  const isBuilderAgent = ctx.headers["x-user-agent"] === "Budibase Builder"
 
-  // all admin api access should auth with buildertoken and 'Budibase Builder user agent
-  const shouldAuthAsBuilder = isBuilderAgent && builderToken
-
-  if (shouldAuthAsBuilder) {
+  if (builderToken) {
     try {
       const jwtPayload = jwt.verify(builderToken, ctx.config.jwtSecret)
       ctx.isAuthenticated = jwtPayload.accessLevelId === BUILDER_LEVEL_ID
diff --git a/packages/server/src/utilities/accessLevels.js b/packages/server/src/utilities/accessLevels.js
index d609d6fa2c..50ae559d07 100644
--- a/packages/server/src/utilities/accessLevels.js
+++ b/packages/server/src/utilities/accessLevels.js
@@ -94,6 +94,7 @@ module.exports = {
   USER_MANAGEMENT,
   BUILDER,
   LIST_USERS,
+  adminPermissions,
   generateAdminPermissions,
   generatePowerUserPermissions,
 }