diff --git a/lib/ext/Syncroton/Server.php b/lib/ext/Syncroton/Server.php
--- a/lib/ext/Syncroton/Server.php
+++ b/lib/ext/Syncroton/Server.php
@@ -67,6 +67,13 @@
                 break;
         
             case 'POST':
+                // All requests except OPTIONS must be authenticated
+                if (empty($this->_userId)) {
+                    header('WWW-Authenticate: Basic realm="' . $this->app_name .'"');
+                    header('HTTP/1.1 401 Unauthorized');
+                    exit;
+                }
+
                 $this->_handlePost();
                 break;
         
diff --git a/lib/kolab_sync.php b/lib/kolab_sync.php
--- a/lib/kolab_sync.php
+++ b/lib/kolab_sync.php
@@ -133,12 +133,6 @@
             $userid = $this->authenticate($_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW']);
         }
 
-        if (empty($userid)) {
-            header('WWW-Authenticate: Basic realm="' . $this->app_name .'"');
-            header('HTTP/1.1 401 Unauthorized');
-            exit;
-        }
-
         $this->plugins->exec_hook('ready', array('task' => 'syncroton'));
 
         // Set log directory per-user