diff --git a/pkg/services/authz/zanzana.go b/pkg/services/authz/zanzana.go
index b735ba3b2c7..e6ddd458d55 100644
--- a/pkg/services/authz/zanzana.go
+++ b/pkg/services/authz/zanzana.go
@@ -177,19 +177,32 @@ func (z *Zanzana) start(ctx context.Context) error {
  return fmt.Errorf("failed to start zanzana: %w", err)
  }
 
- authenticator := authnlib.NewAccessTokenAuthenticator(
- authnlib.NewAccessTokenVerifier(
- authnlib.VerifierConfig{AllowedAudiences: []string{AuthzServiceAudience}},
- authnlib.NewKeyRetriever(authnlib.KeyRetrieverConfig{
- SigningKeysURL: z.cfg.ZanzanaServer.SigningKeysURL,
- }),
- ),
- )
+ var authenticatorInterceptor interceptors.Authenticator
+ if z.cfg.ZanzanaServer.AllowInsecure && z.cfg.Env == setting.Dev {
+ z.logger.Info("Allowing insecure connections to OpenFGA HTTP server")
+ authenticatorInterceptor = noopAuthenticator{}
+ } else {
+ z.logger.Info("Requiring secure connections to OpenFGA HTTP server")
+ authenticator := authnlib.NewAccessTokenAuthenticator(
+ authnlib.NewAccessTokenVerifier(
+ authnlib.VerifierConfig{AllowedAudiences: []string{AuthzServiceAudience}},
+ authnlib.NewKeyRetriever(authnlib.KeyRetrieverConfig{
+ SigningKeysURL: z.cfg.ZanzanaServer.SigningKeysURL,
+ }),
+ ),
+ )
+ authenticatorInterceptor = interceptors.AuthenticatorFunc(
+ grpcutils.NewAuthenticatorInterceptor(
+ authenticator,
+ tracer,
+ ),
+ )
+ }
 
  z.handle, err = grpcserver.ProvideService(
  z.cfg,
  z.features,
- interceptors.AuthenticatorFunc(grpcutils.NewAuthenticatorInterceptor(authenticator, tracer)),
+ authenticatorInterceptor,
  tracer,
  prometheus.DefaultRegisterer,
  )
@@ -238,3 +251,11 @@ func (z *Zanzana) stopping(err error) error {
  }
  return nil
  }
+
+ // TODO this impl might be more broadly useful in authlib
+ type noopAuthenticator struct {
+ }
+
+ func (n noopAuthenticator) Authenticate(ctx context.Context) (context.Context, error) {
+ return ctx, nil
+ }
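Review bot: The two log lines added in the new `if`/`else` describe the decision as allowing or requiring "insecure connections to OpenFGA HTTP server", but what the branch actually toggles is the access-token authenticator handed to `grpcserver.ProvideService`, and the branch that removes it logs at Info. An operator looking for an auth bypass in a running instance will not find it under that wording, so I would log the bypass at Warn and name the real effect, e.g. `z.logger.Warn("Zanzana gRPC server authentication disabled: allow_insecure is set in a dev environment")` and `z.logger.Info("Zanzana gRPC server requires access-token authentication")`. When `AllowInsecure` is set but `z.cfg.Env` is not `setting.Dev` the flag is silently ignored; a one-line Warn on that path (which needs its own branch) would save debugging time. Note also that `noopAuthenticator` returns the incoming context unchanged, so if anything downstream reads caller identity from the context populated by the access-token authenticator, it will find nothing on the bypass path, which is worth confirming. The body of start continues outside the hunk on both sides.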
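Review bot: `noopAuthenticator` carries no doc comment saying that it accepts every caller without checking credentials, which is the one thing a reader of this file most needs to know about it; the only comment is the TODO about moving it to authlib. I would add `// noopAuthenticator implements interceptors.Authenticator and accepts every caller unchecked; start wires it in only when allow_insecure is set and the environment is dev.` above the type and keep the TODO beneath it. A compile-time check, `var _ interceptors.Authenticator = noopAuthenticator{}`, would pin the contract that the assignment in `start` relies on. As a style point, the empty struct spread over two lines can be written `struct{}`, and the unused receiver name `n` can be dropped.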
diff --git a/pkg/setting/settings_zanzana.go b/pkg/setting/settings_zanzana.go
index 544b2e78faf..410c62f01d9 100644
--- a/pkg/setting/settings_zanzana.go
+++ b/pkg/setting/settings_zanzana.go
@@ -46,6 +46,8 @@ type ZanzanaServerSettings struct {
  UseStreamedListObjects bool
  // URL for fetching signing keys.
  SigningKeysURL string
+ // Allow insecure connections to the server for development purposes.
+ AllowInsecure bool
  }
 
  func (cfg *Cfg) readZanzanaSettings() {
@@ -77,6 +79,7 @@ func (cfg *Cfg) readZanzanaSettings() {
  zs.ListObjectsMaxResults = uint32(serverSec.Key("list_objects_max_results").MustUint(1000))
  zs.UseStreamedListObjects = serverSec.Key("use_streamed_list_objects").MustBool(false)
  zs.SigningKeysURL = serverSec.Key("signing_keys_url").MustString("")
+ zs.AllowInsecure = serverSec.Key("allow_insecure").MustBool(false)
 
  cfg.ZanzanaServer = zs
  }
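Review bot: The field comment on `AllowInsecure` says it allows "insecure connections to the server", which understates what the flag does: as wired in zanzana.go in this same change it replaces the access-token authenticator on the Zanzana gRPC server with a no-op, and it is only honoured when `Env` is `setting.Dev`. I would make the comment say so, e.g. `// AllowInsecure disables access-token authentication on the Zanzana gRPC server (ini key allow_insecure). It is only honoured in a dev environment and must stay false elsewhere.` The key read in the second hunk, `allow_insecure`, defaults to false, which is the right default for a setting that removes an authentication check.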