diff --git a/services/tunnelbroker/src/websockets/session.rs b/services/tunnelbroker/src/websockets/session.rs
--- a/services/tunnelbroker/src/websockets/session.rs
+++ b/services/tunnelbroker/src/websockets/session.rs
@@ -34,6 +34,7 @@
   pub device_type: DeviceTypes,
   pub device_app_version: Option<String>,
   pub device_os: Option<String>,
+  pub is_authenticated: bool,
 }
 
 pub struct WebsocketSession<S> {
@@ -72,6 +73,7 @@
         device_type: session_info.device_type,
         device_app_version: session_info.device_app_version.take(),
         device_os: session_info.device_os.take(),
+        is_authenticated: true,
       };
 
       // Authenticate device
@@ -102,6 +104,21 @@
 
       Ok(device_info)
     }
+    Messages::AnonymousInitializationMessage(session_info) => {
+      debug!(
+        "Starting unauthenticated session with device: {}",
+        &session_info.device_id
+      );
+      let device_info = DeviceInfo {
+        device_id: session_info.device_id,
+        device_type: session_info.device_type,
+        device_app_version: session_info.device_app_version,
+        device_os: session_info.device_os,
+        is_authenticated: false,
+        notify_token: None,
+      };
+      Ok(device_info)
+    }
     _ => {
       debug!("Received invalid request");
       Err(SessionError::InvalidMessage)
@@ -262,6 +279,14 @@
         None
       }
       Messages::MessageToDeviceRequest(message_request) => {
+        // unauthenticated clients cannot send messages
+        if !self.device_info.is_authenticated {
+          debug!(
+            "Unauthenticated device {} tried to send text message. Aborting.",
+            self.device_info.device_id
+          );
+          return Option::from(MessageSentStatus::Unauthenticated);
+        }
         debug!("Received message for {}", message_request.device_id);
 
         let result = self.handle_message_to_device(&message_request).await;