diff --git a/NEWS.md b/NEWS.md
index 05f91ee4..a8ef32c9 100644
--- a/NEWS.md
+++ b/NEWS.md
@@ -11,6 +11,8 @@ Announcements:
 * Consider cancelled queries as platform limits.
 * Report fine-grained Garbage Collector stats
 * Both query endpoints as the same one in rate limits terms
+ * Adding Authorization to Access-Control-Allow-Headers (https://github.com/CartoDB/CartoDB-SQL-API/issues/534)
+
 
 ## 2.3.1
 Released 2018-12-23
diff --git a/app/middlewares/cors.js b/app/middlewares/cors.js
index 7f0ee42a..286ced9c 100644
--- a/app/middlewares/cors.js
+++ b/app/middlewares/cors.js
@@ -2,7 +2,7 @@ module.exports = function cors(extraHeaders) {
 return function(req, res, next) {
- var baseHeaders = 'X-Requested-With, X-Prototype-Version, X-CSRF-Token';
+ var baseHeaders = 'X-Requested-With, X-Prototype-Version, X-CSRF-Token, Authorization';
 if(extraHeaders) {
 baseHeaders += ', ' + extraHeaders;
diff --git a/test/acceptance/app-configuration.js b/test/acceptance/app-configuration.js
index f7bf847b..418ccd35 100644
--- a/test/acceptance/app-configuration.js
+++ b/test/acceptance/app-configuration.js
@@ -60,7 +60,8 @@ describe('app-configuration', function() {
 method: 'GET'
 }, RESPONSE_OK, function(err, res) {
 assert.equal(
- res.headers['access-control-allow-headers'], 'X-Requested-With, X-Prototype-Version, X-CSRF-Token'
+ res.headers['access-control-allow-headers'],
+ 'X-Requested-With, X-Prototype-Version, X-CSRF-Token, Authorization'
 );
 assert.equal(res.headers['access-control-allow-origin'], '*');
 done();
@@ -76,7 +77,8 @@ describe('app-configuration', function() {
 }, RESPONSE_OK, function(err, res) {
 assert.equal(res.body, '');
 assert.equal(
- res.headers['access-control-allow-headers'], 'X-Requested-With, X-Prototype-Version, X-CSRF-Token'
+ res.headers['access-control-allow-headers'],
+ 'X-Requested-With, X-Prototype-Version, X-CSRF-Token, Authorization'
 );
 assert.equal(res.headers['access-control-allow-origin'], '*');
 done();
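Review bot: The allowed-header list in cors.js is rebuilt from a string literal inside the per-request handler on every call, and the new `Authorization` entry carries no explanation of why it is there; hoist the list to a module-level constant with a short why-comment instead. Something like `// Authorization is allowed so browser clients can pass an explicit token/API key cross-origin (see #534)` above `var BASE_HEADERS = 'X-Requested-With, X-Prototype-Version, X-CSRF-Token, Authorization';` at module scope, then `var baseHeaders = BASE_HEADERS;` inside the handler. The test hunks in this same commit assert `Access-Control-Allow-Origin: *` next to this list, which is only safe because browsers do not attach cookies or HTTP auth credentials to a `*` response, so any `Authorization` value must be supplied explicitly by the calling script; if credentialed CORS is ever turned on here, the origin would have to be reflected from an allow-list rather than `*`. The body of the returned handler and of `cors` itself continues outside the hunk.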
@@ -158,7 +160,7 @@ describe('app-configuration', function() {
 assert.equal(res.headers['access-control-allow-origin'], '*');
 assert.equal(
 res.headers['access-control-allow-headers'],
- "X-Requested-With, X-Prototype-Version, X-CSRF-Token"
+ "X-Requested-With, X-Prototype-Version, X-CSRF-Token, Authorization"
 );
 done();
 });
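Review bot: The expected value `"X-Requested-With, X-Prototype-Version, X-CSRF-Token, Authorization"` is now repeated verbatim in three assertions in this file (the hunks at new-side lines 60, 77 and 160), once in double quotes and twice in single quotes, so the next header added to cors.js means touching all three again. A single `var EXPECTED_ALLOW_HEADERS = 'X-Requested-With, X-Prototype-Version, X-CSRF-Token, Authorization';` near the top of the `describe` block, asserted in each place, keeps that to a one-line change and removes the quote-style inconsistency. The enclosing `describe('app-configuration', ...)` callback and the `it` body this hunk sits in both start outside the hunk.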