diff --git a/src/index.js b/src/index.js
index 003c756..043436d 100644
--- a/src/index.js
+++ b/src/index.js
@@ -18,8 +18,8 @@ export default {
 if (req.method === 'OPTIONS') return daResp({ status: 204 });
 const daCtx = await getDaCtx(pathname, req, env);
- const authed = await isAuthorized(env, daCtx.org, daCtx.user);
- if (!authed) {
+
+ if (!daCtx.authorized) {
 return daResp({ body: '', status: 401 });
 }
diff --git a/src/utils/auth.js b/src/utils/auth.js
index 68adab4..8d7790a 100644
--- a/src/utils/auth.js
+++ b/src/utils/auth.js
@@ -2,6 +2,11 @@ import { decodeJwt } from 'jose';
 async function setUser(user_id, expiration, headers, env) {
 const resp = await fetch(`${env.IMS_ORIGIN}/ims/profile/v1`, { headers });
+ if (!resp.ok) {
+ // Something went wrong - either with the connection or the token isn't valid
+ // assume we are anon for now (but don't cache so we can try again next time)
+ return;
+ }
 const json = await resp.json();
 console.log(json);
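Review bot: The new `if (!resp.ok)` guard only covers an HTTP-level failure; a connection problem makes `fetch` reject rather than return a non-`ok` response, so the "either with the connection" part of the comment is not what this branch handles, and a network error will propagate out of setUser (and, from what is visible of getUsers, up to the request) instead of falling back to anonymous. Either narrow the comment, e.g. `// Non-2xx from IMS (typically an invalid or expired token): treat as anonymous and don't cache, so the next request retries`, or wrap the `fetch` in a `try/catch` that returns `undefined` on error so both failure modes get the same anonymous fallback. setUser continues past the hunk.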
@@ -11,31 +16,45 @@ async function setUser(user_id, expiration, headers, env) {
 return value;
 }
-export async function getUser(req, env) {
+export async function getUsers(req, env) {
 const authHeader = req.headers.get('authorization');
+ const users = [];
 if (authHeader) {
- const token = req.headers.get('authorization').split(' ').pop();
- if (!token) return;
-
- console.log(decodeJwt(token));
-
- const { user_id, created_at, expires_in } = decodeJwt(token);
- console.log(user_id, created_at, expires_in);
+ // We accept mutliple tokens as this might be a collab session
+ for (let auth of authHeader.split(',')) {
+ const token = auth.split(' ').pop();
+ // If we have an empty token there was an anon user in the session
+ if (!token || token.trim().length === 0) {
+ users.push({ email: 'anonymous' });
+ continue;
+ }
+ console.log(decodeJwt(token));
+ const { user_id, created_at, expires_in } = decodeJwt(token);
+ console.log(user_id, created_at, expires_in);
- const expires = Number(created_at) + Number(expires_in);
- const now = Math.floor(new Date().getTime() / 1000);
+ const expires = Number(created_at) + Number(expires_in);
+ const now = Math.floor(new Date().getTime() / 1000);
- if (expires >= now) {
- // Find the user
- let user = await env.DA_AUTH.get(user_id);
- // If not found, create them
- if (!user) user = await setUser(user_id, Math.floor(expires / 1000), req.headers, env);
- // If something went wrong, die.
- if (!user) return;
- return JSON.parse(user);
+ if (expires >= now) {
+ // Find the user
+ let user = await env.DA_AUTH.get(user_id);
+ let headers = new Headers(req.headers);
+ headers.delete('authorization');
+ headers.set('authorization', `Bearer ${token}`);
+ // If not found, create them
+ if (!user) user = await setUser(user_id, Math.floor(expires / 1000), {'authorization': `Bearer ${token}`}, env);
+ // If something went wrong, be anon.
+ if (!user) {
+ users.push({ email: 'anonymous' });
+ } else {
+ users.push(JSON.parse(user));
+ }
+ }
 }
+ } else {
+ users.push({ email: 'anonymous' });
 }
- return { email: 'anonymous' };
+ return users;
 }
 export async function isAuthorized(env, org, user) {
diff --git a/src/utils/daCtx.js b/src/utils/daCtx.js
index 859a9c9..078e0b3 100644
--- a/src/utils/daCtx.js
+++ b/src/utils/daCtx.js
@@ -9,7 +9,7 @@
 */
 import getObject from '../storage/object/get';
-import { getUser, isAuthorized } from './auth';
+import { getUsers, isAuthorized } from './auth';
 /**
 * Gets Dark Alley Context
@@ -17,9 +17,9 @@ import { getUser, isAuthorized } from './auth';
 * @returns {DaCtx} The Dark Alley Context.
 */
 export async function getDaCtx(pathname, req, env) {
- const user = await getUser(req, env);
+ const users = await getUsers(req, env);
- console.log(user);
+ console.log(users);
 // Santitize the string
 const lower = pathname.slice(1).toLowerCase();
@@ -29,11 +29,16 @@ export async function getDaCtx(pathname, req, env) {
 const [api, org, ...parts] = sanitized.split('/');
 // Set base details
- const daCtx = { api, org, user };
+ const daCtx = { api, org, users };
 // Get org properties
- if (org) {
- daCtx.authorized = await isAuthorized(env, org, user);
+ daCtx.authorized = true;
+ // check for all users in the session if they are authorized
+ for (let user in users) {
+ if (!await isAuthorized(env, org, user)) {
+ daCtx.authorized = false;
+ break;
+ }
 }
 // Sanitize the remaining path parts
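Review bot: The identity resolved in the rewritten loop rests on unverified claims: jose's `decodeJwt` does not check the signature, and on an `env.DA_AUTH.get(user_id)` hit the token is never presented to IMS at all, so any syntactically valid JWT carrying a cached `user_id` and a future expiry yields that cached user — a weakness the old single-token path already had, but the loop now applies it to every comma-separated token. Verifying the token before trusting `user_id`, or keying the KV entry by a digest of the token rather than the bare `user_id`, would close that; `decodeJwt` also throws on a malformed token, so one bad entry in the list currently aborts the whole request instead of being treated as anonymous like an empty one. The `headers` built with `new Headers(req.headers)` and then `headers.delete` / `headers.set` are never used — `setUser` is handed a fresh object literal — so those three lines should be removed or be what is passed. `for (let auth of …)` never reassigns `auth` and reads better as `const`, and `mutliple` in the comment should be `multiple`. isAuthorized's body begins after the hunk.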
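Review bot: `for (let user in users)` iterates the array's indices, so `isAuthorized(env, org, user)` receives the strings `'0'`, `'1'`, … rather than the records getUsers returns; whether that fails open or closed depends on how isAuthorized treats a non-object user, which is not visible here, but either way the session's users are not what is being checked. The fix is `for (const user of users) {`. The flag also now starts from `daCtx.authorized = true` and the old `if (org)` guard is gone, so isAuthorized is called with an undefined `org` for org-less paths — worth confirming it rejects that, since the default is fail-open. If isAuthorized has no ordering side effects, deriving the flag from the checks avoids the mutable default altogether: `const checks = await Promise.all(users.map((user) => isAuthorized(env, org, user)));` then `daCtx.authorized = checks.every(Boolean);`. getDaCtx continues past the hunk.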