diff --git a/src/router.rs b/src/router.rs
index a66479a..9ab8d80 100644
--- a/src/router.rs
+++ b/src/router.rs
@@ -62,13 +62,6 @@ async fn api_req(req: HttpRequest, body: String) -> HttpResponse {
     } else if !req.path().starts_with("/api") && !req.path().starts_with("/v1.0") {
         return webui::main(req);
     }
-    if headers.get("a6573cbe").is_none() && req.path().starts_with("/api") {
-        if args.hidden {
-            return not_found(&headers);
-        } else {
-            return webui::main(req);
-        }
-    }
     let blank_header = HeaderValue::from_static("");
     let uid = req.headers().get("aoharu-user-id").unwrap_or(&blank_header).to_str().unwrap_or("").parse::<i64>().unwrap_or(0);
     let resp: Option<JsonValue> = if req.method() == "POST" {
@@ -176,10 +169,18 @@ async fn api_req(req: HttpRequest, body: String) -> HttpResponse {
 
 pub async fn request(req: HttpRequest, body: String) -> HttpResponse {
     let args = crate::get_args();
+    let headers = req.headers();
     if args.hidden && req.path().starts_with("/api/webui/") {
-        return not_found(&req.headers());
+        return not_found(&headers);
     }
-    if req.path().starts_with("/v1.0") && req.headers().get("Authorization").is_none() {
+    if headers.get("a6573cbe").is_none() && req.path().starts_with("/api") {
+        if args.hidden {
+            return not_found(&headers);
+        } else {
+            return webui::main(req);
+        }
+    }
+    if req.path().starts_with("/v1.0") && headers.get("Authorization").is_none() {
         if args.hidden {
             return gree::not_found();
         } else {