diff --git a/pkg/services/authz/zanzana.go b/pkg/services/authz/zanzana.go
index e6ddd458d55..35ac04151f2 100644
--- a/pkg/services/authz/zanzana.go
+++ b/pkg/services/authz/zanzana.go
@@ -234,6 +234,9 @@ func (z *Zanzana) running(ctx context.Context) error {
 z.logger.Error("failed to create OpenFGA HTTP server", "error", err)
 } else {
 z.logger.Info("Starting OpenFGA HTTP server")
+ if z.cfg.ZanzanaServer.AllowInsecure {
+ z.logger.Warn("Allowing unauthenticated connections!")
+ }
 if err := srv.ListenAndServe(); err != nil {
 z.logger.Error("failed to start OpenFGA HTTP server", "error", err)
 }
diff --git a/pkg/services/authz/zanzana/server/auth.go b/pkg/services/authz/zanzana/server/auth.go
index ca1fc911328..e86aaa81ebb 100644
--- a/pkg/services/authz/zanzana/server/auth.go
+++ b/pkg/services/authz/zanzana/server/auth.go
@@ -3,13 +3,21 @@ package server
 import (
 "context"
+ "github.com/grafana/grafana/pkg/infra/log"
+ "github.com/grafana/grafana/pkg/setting"
+
 "google.golang.org/grpc/codes"
 "google.golang.org/grpc/status"
 claims "github.com/grafana/authlib/types"
 )
-func authorize(ctx context.Context, namespace string) error {
+func authorize(ctx context.Context, namespace string, ss setting.ZanzanaServerSettings) error {
+ logger := log.New("zanzana.server.auth")
+ if ss.AllowInsecure {
+ logger.Debug("AllowInsecure=true; skipping authorization check")
+ return nil
+ }
 c, ok := claims.AuthInfoFrom(ctx)
 if !ok {
 return status.Errorf(codes.Unauthenticated, "unauthenticated")
diff --git a/pkg/services/authz/zanzana/server/server_batch_check.go b/pkg/services/authz/zanzana/server/server_batch_check.go
index 8b9195b01c8..ecc86712950 100644
--- a/pkg/services/authz/zanzana/server/server_batch_check.go
+++ b/pkg/services/authz/zanzana/server/server_batch_check.go
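Review bot: The AllowInsecure warning is emitted only inside the else branch that starts the OpenFGA HTTP server, so when that server fails to be created (the Error on the line above) or is not run, the operator gets no startup signal that authorization is disabled — yet auth.go in this same commit skips the check for every gRPC request regardless of the HTTP server. Log it once, unconditionally, where the config is first read in running(), e.g. `if z.cfg.ZanzanaServer.AllowInsecure { z.logger.Warn("AllowInsecure is enabled: authorization checks are skipped for all requests") }`, and drop the copy nested under the HTTP branch. A Warn at startup is the only operator-visible record of this mode, since the per-request log in auth.go is at Debug level. running() starts and ends outside the hunk, and whether the gRPC server is started on another path there is inferred rather than visible.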
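Review bot: `log.New("zanzana.server.auth")` runs on every call to authorize, i.e. once per Check/List/Read/Write/BatchCheck request, constructing a fresh logger each time even when AllowInsecure is false and it is never used; hoist it to package scope, `var authLogger = log.New("zanzana.server.auth")`, and write `authLogger.Debug("AllowInsecure=true; skipping authorization check")` in the bypass branch. The early return comes before `claims.AuthInfoFrom`, so with the flag set nothing above Debug level records that a caller without identity was admitted, which should be stated in a doc comment on the function, e.g. `// authorize checks that the caller identity carried in ctx may act on namespace. When ss.AllowInsecure is set the check is bypassed entirely and nil is returned for every caller; the only operator-visible signal is the startup warning.` The new grafana-internal imports are placed between the stdlib group and the grpc group while the existing `claims` import stays in its own trailing group; one consistent grouping (stdlib, third-party, grafana) would be cleaner. The body of authorize continues past the hunk.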
@@ -14,7 +14,7 @@ func (s *Server) BatchCheck(ctx context.Context, r *authzextv1.BatchCheckRequest
 ctx, span := s.tracer.Start(ctx, "server.BatchCheck")
 defer span.End()
- if err := authorize(ctx, r.GetNamespace()); err != nil {
+ if err := authorize(ctx, r.GetNamespace(), s.cfg); err != nil {
 return nil, err
 }
diff --git a/pkg/services/authz/zanzana/server/server_check.go b/pkg/services/authz/zanzana/server/server_check.go
index 33b0892b1b8..0faadea7d0a 100644
--- a/pkg/services/authz/zanzana/server/server_check.go
+++ b/pkg/services/authz/zanzana/server/server_check.go
@@ -30,7 +30,7 @@ func (s *Server) Check(ctx context.Context, r *authzv1.CheckRequest) (*authzv1.C
 }
 func (s *Server) check(ctx context.Context, r *authzv1.CheckRequest) (*authzv1.CheckResponse, error) {
- if err := authorize(ctx, r.GetNamespace()); err != nil {
+ if err := authorize(ctx, r.GetNamespace(), s.cfg); err != nil {
 return nil, err
 }
diff --git a/pkg/services/authz/zanzana/server/server_list.go b/pkg/services/authz/zanzana/server/server_list.go
index d81c9a9f1f1..b8dfcfab4a5 100644
--- a/pkg/services/authz/zanzana/server/server_list.go
+++ b/pkg/services/authz/zanzana/server/server_list.go
@@ -33,7 +33,7 @@ func (s *Server) List(ctx context.Context, r *authzv1.ListRequest) (*authzv1.Lis
 }
 func (s *Server) list(ctx context.Context, r *authzv1.ListRequest) (*authzv1.ListResponse, error) {
- if err := authorize(ctx, r.GetNamespace()); err != nil {
+ if err := authorize(ctx, r.GetNamespace(), s.cfg); err != nil {
 return nil, err
 }
diff --git a/pkg/services/authz/zanzana/server/server_read.go b/pkg/services/authz/zanzana/server/server_read.go
index 88dbf5c9fd9..da4141dce1c 100644
--- a/pkg/services/authz/zanzana/server/server_read.go
+++ b/pkg/services/authz/zanzana/server/server_read.go
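Review bot: This call site, and the identical ones in server_check.go, server_list.go, server_read.go and server_write.go, now thread `s.cfg` into a free function by value, so the settings struct is copied on every request and each new RPC handler has to remember to pass it. Since every caller already holds the *Server, a method `func (s *Server) authorize(ctx context.Context, namespace string) error` reading `s.cfg.AllowInsecure` internally would leave the five call sites as `if err := s.authorize(ctx, r.GetNamespace()); err != nil {` and keep the bypass decision in one place. That s.cfg is the `setting.ZanzanaServerSettings` value authorize now takes is inferred from the call rather than visible here. BatchCheck continues outside the hunk.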
@@ -25,7 +25,7 @@ func (s *Server) Read(ctx context.Context, req *authzextv1.ReadRequest) (*authze
 }
 func (s *Server) read(ctx context.Context, req *authzextv1.ReadRequest) (*authzextv1.ReadResponse, error) {
- if err := authorize(ctx, req.GetNamespace()); err != nil {
+ if err := authorize(ctx, req.GetNamespace(), s.cfg); err != nil {
 return nil, err
 }
diff --git a/pkg/services/authz/zanzana/server/server_write.go b/pkg/services/authz/zanzana/server/server_write.go
index c0c249d36a5..9ca10a38ec5 100644
--- a/pkg/services/authz/zanzana/server/server_write.go
+++ b/pkg/services/authz/zanzana/server/server_write.go
@@ -25,7 +25,7 @@ func (s *Server) Write(ctx context.Context, req *authzextv1.WriteRequest) (*auth
 }
 func (s *Server) write(ctx context.Context, req *authzextv1.WriteRequest) (*authzextv1.WriteResponse, error) {
- if err := authorize(ctx, req.GetNamespace()); err != nil {
+ if err := authorize(ctx, req.GetNamespace(), s.cfg); err != nil {
 return nil, err
 }