diff --git a/services/reports/src/service.rs b/services/reports/src/service.rs
--- a/services/reports/src/service.rs
+++ b/services/reports/src/service.rs
@@ -203,7 +203,7 @@
   #[inline]
   fn from_request(
     req: &actix_web::HttpRequest,
-    _payload: &mut actix_web::dev::Payload,
+    payload: &mut actix_web::dev::Payload,
   ) -> Self::Future {
     use actix_web::error::{ErrorForbidden, ErrorInternalServerError};
     use actix_web::HttpMessage;
@@ -227,14 +227,16 @@
       });
 
     let request_auth_value =
-      req.extensions().get::<AuthorizationCredential>().cloned();
+      AuthorizationCredential::from_request(req, payload);
 
     Box::pin(async move {
       let auth_service = auth_service?;
       let base_service = base_service?;
 
+      let credential = request_auth_value.await.ok();
+
       // This is Some for endpoints hidden behind auth validation middleware
-      let auth_token = match request_auth_value {
+      let auth_token = match credential {
         Some(token @ AuthorizationCredential::UserToken(_)) => token,
         Some(_) => {
           // Reports service shouldn't be called by other services