diff --git a/ckan-backend-dev/.env.example b/ckan-backend-dev/.env.example
index 2653a1468..466a493d3 100644
--- a/ckan-backend-dev/.env.example
+++ b/ckan-backend-dev/.env.example
@@ -101,3 +101,6 @@ CKAN___SCHEMING__DATASET_SCHEMAS=ckanext.wri.schema:ckan_dataset.yaml
 CKAN___SCHEMING__ORGANIZATION_SCHEMAS=ckanext.scheming:custom_org_with_address.json
 CKAN___SCHEMING__GROUP_SCHEMAS=ckanext.scheming:custom_group_with_status.json
 CKAN___SCHEMING__PRESETS=ckanext.wri.schema:presets.json
+
+# auth
+CKANEXT__AUTH__INCLUDE_FRONTEND_LOGIN_TOKEN=True
diff --git a/ckan-backend-dev/ckan/Dockerfile.dev b/ckan-backend-dev/ckan/Dockerfile.dev
index 488919936..6e8f4debc 100644
--- a/ckan-backend-dev/ckan/Dockerfile.dev
+++ b/ckan-backend-dev/ckan/Dockerfile.dev
@@ -27,8 +27,7 @@ RUN pip3 install -e 'git+https://github.com/datopian/ckanext-scheming.git@ckan-2
 pip3 install -e 'git+https://github.com/datopian/ckanext-s3filestore.git@wri/cost-splitting-orgs#egg=ckanext-s3filestore' && \
 pip3 install -r 'https://raw.githubusercontent.com/datopian/ckanext-s3filestore/wri/cost-splitting-orgs/requirements.txt' && \
 pip3 install -r 'https://raw.githubusercontent.com/datopian/ckanext-s3filestore/wri/cost-splitting-orgs/dev-requirements.txt' && \
- # We're using the v2.10 branch of ckanext-auth, but I'm adding a commit to force a rebuild of the image. This can be removed once ckanext-auth is approved
- pip3 install -e 'git+https://github.com/datopian/ckanext-auth.git@e45cccf43abbdf9d9069047e646b3e42307e81e1#egg=ckanext-auth'
+ pip3 install -e 'git+https://github.com/datopian/ckanext-auth.git@auth-object-return-token#egg=ckanext-auth'
 # Update ckanext-s3filestore test.ini with minio credentials
 RUN sed -i "s|ckanext.s3filestore.aws_access_key_id = test-access-key|ckanext.s3filestore.aws_access_key_id = ${AWS_ACCESS_KEY_ID}|g" src/ckanext-s3filestore/test.ini && \
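Review bot: The new `pip3 install -e 'git+https://github.com/datopian/ckanext-auth.git@auth-object-return-token#egg=ckanext-auth'` line in ckan-backend-dev/ckan/Dockerfile.dev swaps a full commit SHA for a branch name, so the image gets whatever that branch points to when it is built. For an extension that, going by its name, handles authentication, this makes builds non-reproducible and lets a later push to the branch reach the image without going through review here. Pin the commit that was actually reviewed, `...ckanext-auth.git@<reviewed-commit-sha>#egg=ckanext-auth` (placeholder), and bump it deliberately. deployment/ckan/Dockerfile makes the same change for the deployed image; in both files the RUN instruction begins outside the hunk.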
@@ -62,4 +61,19 @@ COPY setup/start_ckan_development.sh.override ${APP_DIR}/start_ckan_development.
 RUN chmod +x ${APP_DIR}/start_ckan_development.sh
 RUN chown ckan:ckan ${APP_DIR}/start_ckan_development.sh
+USER root
+
+RUN apk --no-cache add openssl
+
+USER ckan
+
+RUN openssl genpkey -algorithm RSA -out ${APP_DIR}/jwtRS256.key && \
+ openssl rsa -in ${APP_DIR}/jwtRS256.key -pubout -outform PEM -out ${APP_DIR}/jwtRS256.key.pub && \
+ chown ckan:ckan ${APP_DIR}/jwtRS256.key && \
+ chown ckan:ckan ${APP_DIR}/jwtRS256.key.pub
+
+RUN ckan config-tool ${CKAN_INI} "api_token.jwt.algorithm = RS256" && \
+ ckan config-tool ${CKAN_INI} "api_token.jwt.encode.secret = file:${APP_DIR}/jwtRS256.key" && \
+ ckan config-tool ${CKAN_INI} "api_token.jwt.decode.secret = file:${APP_DIR}/jwtRS256.key.pub"
+
 CMD ["sh", "-c", "${APP_DIR}/start_ckan_development.sh"]
\ No newline at end of file
diff --git a/deployment/ckan/Dockerfile b/deployment/ckan/Dockerfile
index f8e2f1c89..146f0a08a 100644
--- a/deployment/ckan/Dockerfile
+++ b/deployment/ckan/Dockerfile
@@ -9,8 +9,7 @@ RUN pip3 install -e 'git+https://github.com/datopian/ckanext-scheming.git@ckan-2
 pip3 install -e 'git+https://github.com/datopian/ckanext-s3filestore.git@wri/cost-splitting-orgs#egg=ckanext-s3filestore' && \
 pip3 install -r 'https://raw.githubusercontent.com/datopian/ckanext-s3filestore/wri/cost-splitting-orgs/requirements.txt' && \
 pip3 install -r 'https://raw.githubusercontent.com/datopian/ckanext-s3filestore/wri/cost-splitting-orgs/dev-requirements.txt' && \
- # We're using the v2.10 branch of ckanext-auth, but I'm adding a commit to force a rebuild of the image. This can be removed once ckanext-auth is approved
- pip3 install -e 'git+https://github.com/datopian/ckanext-auth.git@e45cccf43abbdf9d9069047e646b3e42307e81e1#egg=ckanext-auth'
+ pip3 install -e 'git+https://github.com/datopian/ckanext-auth.git@auth-object-return-token#egg=ckanext-auth'
 COPY ckanext-wri ${APP_DIR}/src/ckanext-wri
 USER root
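Review bot: The `RUN openssl genpkey -algorithm RSA -out ${APP_DIR}/jwtRS256.key` step added to ckan-backend-dev/ckan/Dockerfile.dev creates the JWT signing key at build time, so the private key is stored in an image layer and anyone who can pull the image can read it and sign API tokens that CKAN will accept. Every container started from that image shares the key, and each rebuild silently replaces it, which invalidates tokens issued earlier. The matching hunk in deployment/ckan/Dockerfile does the same for the deployed image, where it matters most. Create the key outside the build and supply it at run time (a mounted secret, or generate-if-missing in the startup script), and keep only the `api_token.jwt.*` `file:` settings in the Dockerfile.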
@@ -34,4 +33,16 @@ RUN ckan config-tool ${CKAN_INI} "ckan.plugins = ${CKAN__PLUGINS}"
 COPY setup/prerun.py.override ${APP_DIR}/prerun.py
 USER root
 RUN chmod +x ${APP_DIR}/prerun.py
+
+RUN apk --no-cache add openssl
+
 USER ckan
+
+RUN openssl genpkey -algorithm RSA -out ${APP_DIR}/jwtRS256.key && \
+ openssl rsa -in ${APP_DIR}/jwtRS256.key -pubout -outform PEM -out ${APP_DIR}/jwtRS256.key.pub && \
+ chown ckan:ckan ${APP_DIR}/jwtRS256.key && \
+ chown ckan:ckan ${APP_DIR}/jwtRS256.key.pub
+
+RUN ckan config-tool ${CKAN_INI} "api_token.jwt.algorithm = RS256" && \
+ ckan config-tool ${CKAN_INI} "api_token.jwt.encode.secret = file:${APP_DIR}/jwtRS256.key" && \
+ ckan config-tool ${CKAN_INI} "api_token.jwt.decode.secret = file:${APP_DIR}/jwtRS256.key.pub"
diff --git a/deployment/helm-templates/values.yaml.dev.template b/deployment/helm-templates/values.yaml.dev.template
index 55f32b9fd..3ece11e4a 100644
--- a/deployment/helm-templates/values.yaml.dev.template
+++ b/deployment/helm-templates/values.yaml.dev.template
@@ -41,6 +41,7 @@ ckan:
 CKAN___SCHEMING__ORGANIZATION_SCHEMAS: ckanext.scheming:custom_org_with_address.json
 CKAN___SCHEMING__GROUP_SCHEMAS: ckanext.scheming:custom_group_with_status.json
 CKAN___SCHEMING__PRESETS: ckanext.wri.schema:presets.json
+ CKANEXT__AUTH__INCLUDE_FRONTEND_LOGIN_TOKEN: "True"
 hpa:
 enable: true
 minReplicas: 2
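Review bot: `openssl genpkey -algorithm RSA` in deployment/ckan/Dockerfile sets no key size, so the modulus length is whatever the OpenSSL package installed by `apk` defaults to; state it explicitly, e.g. `openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:3072 -out ${APP_DIR}/jwtRS256.key`. The two `chown ckan:ckan` calls run after `USER ckan`, so the files should already be owned by that user and the calls can go; `chmod 600 ${APP_DIR}/jwtRS256.key` would be the more useful line if the file mode is not already restrictive. ckan-backend-dev/ckan/Dockerfile.dev has the same commands.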