diff --git a/pkg/service/auth.go b/pkg/service/auth.go
index d162eacb6..0f671762e 100644
--- a/pkg/service/auth.go
+++ b/pkg/service/auth.go
@@ -34,6 +34,10 @@ func NewAPIKeyAuthMiddleware(provider auth.KeyProvider) *APIKeyAuthMiddleware {
 }
 func (m *APIKeyAuthMiddleware) ServeHTTP(w http.ResponseWriter, r *http.Request, next http.HandlerFunc) {
+ if r.URL != nil && r.URL.Path == "/rtc/validate" {
+ w.Header().Set("Access-Control-Allow-Origin", "*")
+ }
+
 authHeader := r.Header.Get(authorizationHeader)
 var authToken string
diff --git a/pkg/service/rtcservice.go b/pkg/service/rtcservice.go
index 528e3edda..1f43516b4 100644
--- a/pkg/service/rtcservice.go
+++ b/pkg/service/rtcservice.go
@@ -45,7 +45,6 @@ func NewRTCService(conf *config.Config, roomManager *RoomManager, router routing
 func (s *RTCService) Validate(w http.ResponseWriter, r *http.Request) {
 _, _, code, err := s.validate(r)
- w.Header().Set("Access-Control-Allow-Origin", "*")
 if err != nil {
 handleError(w, code, err.Error())
 return
@@ -54,6 +53,17 @@ func (s *RTCService) Validate(w http.ResponseWriter, r *http.Request) {
 }
 func (s *RTCService) validate(r *http.Request) (string, routing.ParticipantInit, int, error) {
+ claims := GetGrants(r.Context())
+ // require a claim
+ if claims == nil || claims.Video == nil {
+ return "", routing.ParticipantInit{}, http.StatusUnauthorized, rtc.ErrPermissionDenied
+ }
+
+ onlyName, err := EnsureJoinPermission(r.Context())
+ if err != nil {
+ return "", routing.ParticipantInit{}, http.StatusUnauthorized, err
+ }
+
 roomName := r.FormValue("room")
 reconnectParam := r.FormValue("reconnect")
 protocolParam := r.FormValue("protocol")
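Review bot: The path literal `"/rtc/validate"` in the new check at the top of `ServeHTTP` (auth.go) hard-codes one route inside the auth middleware with no comment, so a later rename of that route would silently drop the CORS header from the middleware's own rejection responses. I would add a comment such as `// set CORS before auth so rejections written by this middleware are readable by browser clients of /rtc/validate` and take the path from a constant shared with the route registration, which is not visible in this hunk. Because the wildcard origin now covers every response on this path, including 401s, it is worth confirming that error bodies never echo token contents. If browser clients send the token in the Authorization header, the preflight OPTIONS request presumably needs the matching allow-headers handling as well; nothing in the visible lines shows it. ServeHTTP's body continues outside the hunk.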
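Review bot: In the `@@ -54,6 +53,17 @@` hunk of rtcservice.go, the `EnsureJoinPermission` failure returns `http.StatusUnauthorized`, the same status as the missing-grant branch just above it, although the request has already presented usable claims at that point. A client then cannot distinguish "token missing or invalid" from "token valid but lacks join permission"; if no caller depends on 401 here, `return "", routing.ParticipantInit{}, http.StatusForbidden, err` would separate the two cases. Running both checks before any form value is read is a sound fail-closed order, and a comment such as `// authorize before reading any request parameters` above `claims := GetGrants(r.Context())` would record that intent. validate's body continues outside the hunk.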
@@ -61,10 +71,8 @@ func (s *RTCService) validate(r *http.Request) (string, routing.ParticipantInit,
 // plan b does not work fully at the moment.
 planBParam := r.FormValue("planb")
- claims := GetGrants(r.Context())
- // require a claim
- if claims == nil || claims.Video == nil {
- return "", routing.ParticipantInit{}, http.StatusUnauthorized, rtc.ErrPermissionDenied
+ if onlyName != "" {
+ roomName = onlyName
 }
 pi := routing.ParticipantInit{
@@ -89,15 +97,6 @@ func (s *RTCService) validate(r *http.Request) (string, routing.ParticipantInit,
 }
 }
- onlyName, err := EnsureJoinPermission(r.Context())
- if err != nil {
- return "", routing.ParticipantInit{}, http.StatusUnauthorized, err
- }
-
- if onlyName != "" {
- roomName = onlyName
- }
-
 return roomName, pi, http.StatusOK, nil
 }
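Review bot: The override `roomName = onlyName` in the `@@ -61,10 +71,8 @@` hunk silently replaces the client-supplied `room` form value, and nothing in the code says that the value returned by `EnsureJoinPermission` (presumably the room the token is restricted to) is meant to take precedence. I would add `// a room pinned in the token grant overrides the "room" request parameter` above the `if`, since this ordering is what keeps a request from naming a room its token does not cover. If a mismatch between the two values is not expected in normal operation, logging it at this point would help operators spot misbehaving clients. The hunk starts and ends inside validate, so the use of `roomName` in the `routing.ParticipantInit` literal is not fully visible here.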