diff --git a/authentik/api/auth.py b/authentik/api/auth.py
index 6bcd511f7..a2f36c208 100644
--- a/authentik/api/auth.py
+++ b/authentik/api/auth.py
@@ -1,5 +1,5 @@
 """API Authentication"""
-from base64 import b64decode
+from base64 import b64decode, b64encode
 from binascii import Error
 from typing import Any, Optional, Union
@@ -15,9 +15,14 @@ LOGGER = get_logger()
 def token_from_header(raw_header: bytes) -> Optional[Token]:
 """raw_header in the Format of `Basic dGVzdDp0ZXN0`"""
 auth_credentials = raw_header.decode()
- # Accept headers with Type format and without
+ # Legacy, accept basic auth thats fully encoded (2021.3 outposts)
 if " " not in auth_credentials:
- return None
+ try:
+ plain = b64decode(auth_credentials.encode()).decode()
+ auth_type, body = plain.split()
+ auth_credentials = f"{auth_type} {b64encode(body.encode()).decode()}"
+ except (UnicodeDecodeError, Error):
+ return None
 auth_type, auth_credentials = auth_credentials.split()
 if auth_type.lower() not in ["basic", "bearer"]:
 LOGGER.debug("Unsupported authentication type, denying", type=auth_type.lower())
diff --git a/outpost/pkg/ak/api.go b/outpost/pkg/ak/api.go
index 2cb94517a..88dd96306 100644
--- a/outpost/pkg/ak/api.go
+++ b/outpost/pkg/ak/api.go
@@ -44,7 +44,7 @@ func NewAPIController(pbURL url.URL, token string) *APIController {
 transport.Transport = SetUserAgent(getTLSTransport(), fmt.Sprintf("authentik-proxy@%s", pkg.VERSION))
 // create the transport
- auth := httptransport.BasicAuth("", token)
+ auth := httptransport.BearerToken(token)
 // create the API client, with the transport
 apiClient := client.New(transport, strfmt.Default)
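Review bot: In the new legacy branch of `token_from_header` (authentik/api/auth.py), `auth_type, body = plain.split()` raises a plain `ValueError` when the decoded header does not hold exactly two whitespace-separated fields, and the `except (UnicodeDecodeError, Error)` clause does not catch it, since both of those are only subclasses of `ValueError`. The header is client-supplied and parsed before any authentication, so a malformed value would probably surface as an unhandled exception rather than the clean `return None` denial used on the other failure paths. Widening the handler to `except (UnicodeDecodeError, Error, ValueError):` closes that gap. `b64decode(auth_credentials.encode(), validate=True)` would additionally reject input with non-alphabet characters instead of silently discarding them. The function body continues past the end of the hunk, so how `auth_type` and the re-encoded credentials are consumed afterwards is not visible here.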