diff --git a/index.js b/index.js
index e55fc03..2b29924 100644
--- a/index.js
+++ b/index.js
@@ -18,6 +18,8 @@ const _isEmpty = require('lodash/isEmpty'),
   { setDb } = require('./services/storage'),
   { setBus } = require('./controllers/users');
 
+let authMiddlewares = [];
+
 /**
  * determine if a route is protected
  * protected routes are ?edit=true and any method other than GET
@@ -165,7 +167,9 @@ function init({ router, providers, store, site, storage, bus }) {
   setDb(storage);
   setBus(bus);
 
-  const currentProviders = getProviders(providers, site);
+  const currentProviders = getProviders(providers, site),
+    protectRoutesMiddleware = protectRoutes(site),
+    checkAuthenticationMiddleware = checkAuthentication(site);
 
   strategyService.createStrategy(providers, site); // allow mocking this in tests
 
@@ -175,25 +179,35 @@ function init({ router, providers, store, site, storage, bus }) {
   router.use(passport.session());
   router.use(flash());
 
-  // protect routes
-  router.use(protectRoutes(site));
+  authMiddlewares = [
+    // handle de-authentication errors. This occurs when a user is logged in
+    // and someone removes them as a user. We need to catch the error
+    protectRoutesMiddleware,
+    checkAuthenticationMiddleware,
+    addUser
+  ];
 
   // add authorization routes
   // note: these (and the provider routes) are added here,
   // rather than as route controllers in lib/routes/
-  router.get('/_auth/login', onLogin(site, currentProviders));
-  router.get('/_auth/logout', onLogout(site));
+  router.get('/_auth/login', protectRoutesMiddleware, onLogin(site, currentProviders), checkAuthenticationMiddleware, addUser);
+  router.get('/_auth/logout', protectRoutesMiddleware, onLogout(site), checkAuthenticationMiddleware, addUser);
   strategyService.addAuthRoutes(providers, router, site); // allow mocking this in tests
 
-  // handle de-authentication errors. This occurs when a user is logged in
-  // and someone removes them as a user. We need to catch the error
-  router.use(checkAuthentication(site));
-  router.use(addUser);
-
   return currentProviders; // for testing/verification
 }
 
+/**
+ * Adds authentication middlewares to the router
+ *
+ * @param {Object} router
+ */
+function useAuth(router) {
+  authMiddlewares.forEach(middleware => router.use(middleware));
+}
+
 module.exports = init;
+module.exports.useAuth = useAuth;
 module.exports.withAuthLevel = withAuthLevel;
 module.exports.authLevels = AUTH_LEVELS;
 module.exports.addRoutes = require('./routes/_users');
diff --git a/index.test.js b/index.test.js
index ef2b1dd..81cfadb 100644
--- a/index.test.js
+++ b/index.test.js
@@ -12,7 +12,7 @@ describe(_startCase(filename), function () {
     const fn = lib[this.description];
 
     it('is true if edit mode', function () {
-      expect(fn({ query: { edit: true }})).toEqual(true);
+      expect(fn({ query: { edit: true } })).toEqual(true);
     });
 
     it('is true if POST to api', function () {
@@ -67,7 +67,7 @@ describe(_startCase(filename), function () {
 
   describe('checkAuthentication', function () {
     const fn = lib[this.description],
-      cb = fn({ path: '/foo', prefix: 'domain.com/foo', port: '80'});
+      cb = fn({ path: '/foo', prefix: 'domain.com/foo', port: '80' });
 
     it('calls `next` if no error', function () {
       const nextSpy = jest.fn();
@@ -172,16 +172,18 @@ describe(_startCase(filename), function () {
 
       lib(options);
 
-      // Should call router use 7 times to set the required middlewares
-      expect(router.use).toBeCalledTimes(7);
+      // Should call router use 4 times to set the required middlewares
+      expect(router.use).toBeCalledTimes(4);
     });
 
     it('should add authorization routes', function () {
+      const middlewares = Array(4).fill(expect.any(Function));
+
       lib(options);
 
       expect(router.get).toBeCalledTimes(2);
-      expect(router.get).toBeCalledWith('/_auth/login', expect.any(Function));
-      expect(router.get).toBeCalledWith('/_auth/logout', expect.any(Function));
+      expect(router.get).toBeCalledWith('/_auth/login', ...middlewares);
+      expect(router.get).toBeCalledWith('/_auth/logout', ...middlewares);
     });
   });
 
@@ -199,4 +201,15 @@ describe(_startCase(filename), function () {
       expect(next).toBeCalled();
     });
   });
+
+  describe('useAuth', function () {
+    const fn = lib[this.description];
+
+    it('should add the middlewares to the router', function () {
+      const router = { use: jest.fn() };
+
+      fn(router);
+      expect(router.use).toBeCalledTimes(3);
+    });
+  });
 });
diff --git a/package.json b/package.json
index dc37a6d..3ca07b7 100644
--- a/package.json
+++ b/package.json
@@ -19,6 +19,7 @@
     "connect-redis": "^3.4.0",
     "express-flash": "0.0.2",
     "express-session": "^1.15.6",
+    "lodash": "^4.17.11",
     "passport": "^0.3.2",
     "passport-google-oauth": "^1.0.0",
     "passport-http-header-token": "^1.1.0",