diff --git a/services/proxy/pkg/command/server.go b/services/proxy/pkg/command/server.go index dd26ce29ec..8793651038 100644 --- a/services/proxy/pkg/command/server.go +++ b/services/proxy/pkg/command/server.go @@ -194,6 +194,7 @@ func Server(cfg *config.Config) *cli.Command { { middlewares := loadMiddlewares(logger, cfg, userInfoCache, signingKeyStore, traceProvider, *m, userProvider, gatewaySelector) + server, err := proxyHTTP.Server( proxyHTTP.Handler(lh.Handler()), proxyHTTP.Logger(logger), @@ -246,10 +247,14 @@ func Server(cfg *config.Config) *cli.Command { } } +<<<<<<< HEAD func loadMiddlewares(logger log.Logger, cfg *config.Config, userInfoCache, signingKeyStore microstore.Store, traceProvider trace.TracerProvider, metrics metrics.Metrics, userProvider backend.UserBackend, gatewaySelector pool.Selectable[gateway.GatewayAPIClient]) alice.Chain { +======= +func loadMiddlewares(logger log.Logger, cfg *config.Config, userInfoCache, signingKeyStore microstore.Store, traceProvider trace.TracerProvider, metrics metrics.Metrics) alice.Chain { +>>>>>>> a9df2a66b1 (feat: reva app auth) rolesClient := settingssvc.NewRoleService("com.owncloud.api.settings", cfg.GrpcClient) policiesProviderClient := policiessvc.NewPoliciesProviderService("com.owncloud.api.policies", cfg.GrpcClient) @@ -293,6 +298,17 @@ func loadMiddlewares(logger log.Logger, cfg *config.Config, }) } +<<<<<<< HEAD +======= + authenticators = append(authenticators, middleware.AppAuthAuthenticator{ + Logger: logger, + RevaGatewaySelector: gatewaySelector, + }) + authenticators = append(authenticators, middleware.PublicShareAuthenticator{ + Logger: logger, + RevaGatewaySelector: gatewaySelector, + }) +>>>>>>> a9df2a66b1 (feat: reva app auth) authenticators = append(authenticators, middleware.NewOIDCAuthenticator( middleware.Logger(logger), middleware.UserInfoCache(userInfoCache), 
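Review bot: Unresolved merge-conflict markers (`<<<<<<< HEAD`, `=======`, `>>>>>>> a9df2a66b1 (feat: reva app auth)`) are committed in both the loadMiddlewares signature hunk and the authenticators hunk, so server.go cannot compile until they are resolved. The call in the first hunk already passes userProvider and gatewaySelector, so the HEAD signature appears to be the one matching the call site, while the appended AppAuthAuthenticator and PublicShareAuthenticator entries from the other side are what the feature needs; only the markers and the shorter signature should go, after checking that PublicShareAuthenticator is not already registered elsewhere in the function. Note also that gatewaySelector is typed `pool.Selectable[gateway.GatewayAPIClient]` here, while AppAuthAuthenticator.RevaGatewaySelector in app_auth.go is declared as `*pool.Selector[gateway.GatewayAPIClient]`; if Selectable is an interface, as its name suggests, the struct literal `RevaGatewaySelector: gatewaySelector` will not compile and the field should take the same type the caller holds. loadMiddlewares's body continues outside the hunk.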
diff --git a/services/proxy/pkg/middleware/app_auth.go b/services/proxy/pkg/middleware/app_auth.go
new file mode 100644
index 0000000000..f03791b299
--- /dev/null
+++ b/services/proxy/pkg/middleware/app_auth.go
@@ -0,0 +1,45 @@
+package middleware
+
+import (
+ "net/http"
+
+ gateway "github.com/cs3org/go-cs3apis/cs3/gateway/v1beta1"
+ "github.com/cs3org/reva/v2/pkg/rgrpc/todo/pool"
+ "github.com/owncloud/ocis/v2/ocis-pkg/log"
+)
+
+// AppAuthAuthenticator defines the app auth authenticator
+type AppAuthAuthenticator struct {
+ Logger log.Logger
+ RevaGatewaySelector *pool.Selector[gateway.GatewayAPIClient]
+}
+
+// Authenticate implements the authenticator interface to authenticate requests via app auth.
+func (m AppAuthAuthenticator) Authenticate(r *http.Request) (*http.Request, bool) {
+ if isPublicPath(r.URL.Path) {
+ // The authentication of public path requests is handled by another authenticator.
+ // Since we can't guarantee the order of execution of the authenticators, we better
+ // implement an early return here for paths we can't authenticate in this authenticator.
+ return nil, false
+ }
+
+ username, password, ok := r.BasicAuth()
+ if !ok {
+ return nil, false
+ }
+ next, err := m.RevaGatewaySelector.Next()
+ if err != nil {
+ return nil, false
+ }
+ authenticateResponse, err := next.Authenticate(r.Context(), &gateway.AuthenticateRequest{
+ Type: "appauth",
+ ClientId: username,
+ ClientSecret: password,
+ })
+ if err != nil {
+ return nil, false
+ }
+ r.Header.Add(_headerRevaAccessToken, authenticateResponse.GetToken())
+
+ return r, true
+}
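Review bot: The Logger field on AppAuthAuthenticator is never used, so the two error paths in Authenticate (the failed `m.RevaGatewaySelector.Next()` and the failed gateway `Authenticate` call) return `nil, false` and drop the error silently, leaving operators nothing to correlate a rejected or misconfigured app-auth login against; log it at debug level before returning, e.g. `m.Logger.Debug().Err(err).Msg("app auth: gateway authenticate failed")`, keeping the client secret out of the message. Also, `r.Header.Add(_headerRevaAccessToken, ...)` appends rather than replaces, so a value already present on the inbound request would survive next to the freshly issued token; `r.Header.Set(_headerRevaAccessToken, authenticateResponse.GetToken())` is presumably what is intended. The type's doc comment restates its name; something like `// AppAuthAuthenticator authenticates requests carrying app credentials (client id and secret) as HTTP basic auth against the reva gateway's "appauth" method and attaches the resulting access token to the request.` would tell a reader what it does.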