diff --git a/onadata/apps/api/tests/viewsets/test_xform_list_viewset.py b/onadata/apps/api/tests/viewsets/test_xform_list_viewset.py
index e21b183469..6f4709c2ea 100644
--- a/onadata/apps/api/tests/viewsets/test_xform_list_viewset.py
+++ b/onadata/apps/api/tests/viewsets/test_xform_list_viewset.py
@@ -44,6 +44,21 @@ def test_get_xform_list(self):
             self.assertTrue(response.has_header("Date"))
             self.assertEqual(response["Content-Type"], "text/xml; charset=utf-8")
 
+    def test_get_xform_list_w_token_auth(self):
+        request = self.factory.get("/", **self.extra)
+        response = self.view(request)
+        self.assertEqual(response.status_code, 200)
+        path = os.path.join(os.path.dirname(__file__), "..", "fixtures", "formList.xml")
+        with open(path, encoding="utf-8") as f:
+            form_list_xml = f.read().strip()
+            data = {"hash": self.xform.hash, "pk": self.xform.pk}
+            content = response.render().content.decode("utf-8")
+            self.assertEqual(content, form_list_xml % data)
+            self.assertTrue(response.has_header("X-OpenRosa-Version"))
+            self.assertTrue(response.has_header("X-OpenRosa-Accept-Content-Length"))
+            self.assertTrue(response.has_header("Date"))
+            self.assertEqual(response["Content-Type"], "text/xml; charset=utf-8")
+
     def test_get_xform_list_xform_pk_filter_anon(self):
         """
         Test formList xform_pk filter for anonymous user.
@@ -720,6 +735,27 @@ def test_retrieve_xform_xml(self):
             self.assertTrue(response.has_header("Date"))
             self.assertEqual(response["Content-Type"], "text/xml; charset=utf-8")
 
+    def test_retrieve_xform_xml_w_token_auth(self):
+        self.view = XFormListViewSet.as_view({"get": "retrieve"})
+        request = self.factory.get("/", **self.extra)
+        response = self.view(request, pk=self.xform.pk)
+        self.assertEqual(response.status_code, 200)
+
+        path = os.path.join(
+            os.path.dirname(__file__), "..", "fixtures", "Transportation Form.xml"
+        )
+
+        with open(path, encoding="utf-8") as f:
+            form_xml = f.read().strip()
+            data = {"form_uuid": self.xform.uuid}
+            content = response.render().content.decode("utf-8").strip()
+            content = content.replace(self.xform.version, "20141112071722")
+            self.assertEqual(content, form_xml % data)
+            self.assertTrue(response.has_header("X-OpenRosa-Version"))
+            self.assertTrue(response.has_header("X-OpenRosa-Accept-Content-Length"))
+            self.assertTrue(response.has_header("Date"))
+            self.assertEqual(response["Content-Type"], "text/xml; charset=utf-8")
+
     def _load_metadata(self, xform=None):
         data_value = "screenshot.png"
         data_type = "media"
@@ -758,6 +794,28 @@ def test_retrieve_xform_manifest(self):
         self.assertTrue(response.has_header("Date"))
         self.assertEqual(response["Content-Type"], "text/xml; charset=utf-8")
 
+    def test_retrieve_xform_manifest_w_token_auth(self):
+        self._load_metadata(self.xform)
+        self.view = XFormListViewSet.as_view({"get": "manifest"})
+        request = self.factory.get("/", **self.extra)
+        response = self.view(request, pk=self.xform.pk)
+        self.assertEqual(response.status_code, 200)
+
+        manifest_xml = """<?xml version="1.0" encoding="utf-8"?><manifest xmlns="http://openrosa.org/xforms/xformsManifest"><mediaFile><filename>screenshot.png</filename><hash>%(hash)s</hash><downloadUrl>http://testserver/bob/xformsMedia/%(xform)s/%(pk)s.png</downloadUrl></mediaFile></manifest>"""  # noqa
+        data = {
+            "hash": self.metadata.hash,
+            "pk": self.metadata.pk,
+            "xform": self.xform.pk,
+        }
+        content = "".join(
+            [i.decode("utf-8").strip() for i in response.streaming_content]
+        )
+        self.assertEqual(content, manifest_xml % data)
+        self.assertTrue(response.has_header("X-OpenRosa-Version"))
+        self.assertTrue(response.has_header("X-OpenRosa-Accept-Content-Length"))
+        self.assertTrue(response.has_header("Date"))
+        self.assertEqual(response["Content-Type"], "text/xml; charset=utf-8")
+
     def test_retrieve_xform_manifest_anonymous_user(self):
         self._load_metadata(self.xform)
         self.view = XFormListViewSet.as_view({"get": "manifest"})
@@ -808,6 +866,15 @@ def test_retrieve_xform_media(self):
         )
         self.assertEqual(response.status_code, 200)
 
+    def test_retrieve_xform_media_w_token_auth(self):
+        self._load_metadata(self.xform)
+        self.view = XFormListViewSet.as_view({"get": "media", "head": "media"})
+        request = self.factory.get("/", **self.extra)
+        response = self.view(
+            request, pk=self.xform.pk, metadata=self.metadata.pk, format="png"
+        )
+        self.assertEqual(response.status_code, 200)
+
     def test_retrieve_xform_media_anonymous_user(self):
         self._load_metadata(self.xform)
         self.view = XFormListViewSet.as_view({"get": "media"})
diff --git a/onadata/apps/api/viewsets/xform_list_viewset.py b/onadata/apps/api/viewsets/xform_list_viewset.py
index 318d2d2c4d..e0be32bfe1 100644
--- a/onadata/apps/api/viewsets/xform_list_viewset.py
+++ b/onadata/apps/api/viewsets/xform_list_viewset.py
@@ -9,6 +9,7 @@
 
 from django_filters import rest_framework as django_filter_filters
 from rest_framework import permissions, viewsets
+from rest_framework.authentication import TokenAuthentication
 from rest_framework.decorators import action
 from rest_framework.response import Response
 
@@ -48,6 +49,7 @@ class XFormListViewSet(ETagsMixin, BaseViewset, viewsets.ReadOnlyModelViewSet):
     authentication_classes = (
         DigestAuthentication,
         EnketoTokenAuthentication,
+        TokenAuthentication,
     )
     content_negotiation_class = MediaFileContentNegotiation
     filter_class = filters.FormIDFilter