diff --git a/pkg/gordio/auth/jwt.go b/pkg/gordio/auth/jwt.go
index cd834ce..bc84034 100644
--- a/pkg/gordio/auth/jwt.go
+++ b/pkg/gordio/auth/jwt.go
@@ -4,6 +4,7 @@ import (
 "context"
 "fmt"
 "net/http"
+ "strings"
 "time"
 
 "golang.org/x/crypto/bcrypt"
@@ -115,7 +116,7 @@ func (a *authenticator) routeAuth(w http.ResponseWriter, r *http.Request) {
 Name: "jwt",
 Value: tok,
 HttpOnly: true,
- Secure: true,
+ Secure: !strings.HasPrefix(r.Host, "localhost:"),
 Domain: a.domain,
 })
 
diff --git a/pkg/gordio/server/routes.go b/pkg/gordio/server/routes.go
index 214dce7..e1bd602 100644
--- a/pkg/gordio/server/routes.go
+++ b/pkg/gordio/server/routes.go
@@ -17,7 +17,7 @@ func (s *Server) setupRoutes() {
 
 r.Group(func(r chi.Router) {
 // authenticated routes
- r.Use(s.auth.AuthMiddleware(), s.auth.VerifyMiddleware())
+ r.Use(s.auth.VerifyMiddleware(), s.auth.AuthMiddleware())
 s.nex.InstallPrivateRoutes(r)
 })
 
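Review bot: The `Secure` attribute of the `jwt` cookie in routeAuth now depends on `r.Host`, which comes from the client's Host header, so a value supplied with the request rather than the deployment's configuration decides whether the session token may travel over plain HTTP. The prefix test also matches only `localhost:` with a port, so `127.0.0.1`, `[::1]` and a bare `localhost` still get a Secure cookie, while `Domain: a.domain` is sent unchanged to a localhost client. I would drive this from configuration and default to secure, for example `Secure: !a.insecureCookie,` where `insecureCookie` is an illustrative field name (not in this diff) set only from a development option. The cookie literal and routeAuth's body begin outside the hunk, so other attributes such as SameSite may be set where I cannot see them.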
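Review bot: The order of the two middlewares in `r.Use` inside setupRoutes is what makes the private routes enforce authentication, yet nothing on the line says so and the existing `// authenticated routes` comment does not mention it. Assuming VerifyMiddleware loads and validates the token into the request context and AuthMiddleware rejects requests based on that result (neither implementation is visible here), I would add a comment such as `// VerifyMiddleware must precede AuthMiddleware: Auth decides on the token Verify puts in the context.` A route test that expects a rejection for a request without a valid `jwt` cookie on the private group would keep a later reorder from going unnoticed. setupRoutes continues outside the hunk.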