diff --git a/server/server.go b/server/server.go
index e77d1497..7a78156a 100644
--- a/server/server.go
+++ b/server/server.go
@@ -1140,7 +1140,7 @@ func (s *Server) withAuth(next handleFunc, perm auth.Permission) handleFunc {
 		if s.auth == nil {
 			return next(w, r, v)
 		}
-		t, err := s.topicFromPath(r.URL.Path)
+		topics, _, err := s.topicsFromPath(r.URL.Path)
 		if err != nil {
 			return err
 		}
@@ -1152,9 +1152,11 @@ func (s *Server) withAuth(next handleFunc, perm auth.Permission) handleFunc {
 				return errHTTPUnauthorized
 			}
 		}
-		if err := s.auth.Authorize(user, t.ID, perm); err != nil {
-			log.Printf("unauthorized: %s", err.Error())
-			return errHTTPForbidden
+		for _, t := range topics {
+			if err := s.auth.Authorize(user, t.ID, perm); err != nil {
+				log.Printf("unauthorized: %s", err.Error())
+				return errHTTPForbidden
+			}
 		}
 		return next(w, r, v)
 	}
diff --git a/server/server_test.go b/server/server_test.go
index 990be399..3d1e32fb 100644
--- a/server/server_test.go
+++ b/server/server_test.go
@@ -549,7 +549,7 @@ func TestServer_Auth_Success_User(t *testing.T) {
 	manager := s.auth.(auth.Manager)
 	require.Nil(t, manager.AddUser("ben", "ben", auth.RoleUser))
-	require.Nil(t, manager.AllowAccess("ben", "mytopic", true, true)) // Not mytopic!
+	require.Nil(t, manager.AllowAccess("ben", "mytopic", true, true))
 	response := request(t, s, "GET", "/mytopic/auth", "", map[string]string{
 		"Authorization": basicAuth("ben:ben"),
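Review bot: The second result of `s.topicsFromPath(r.URL.Path)` is discarded with `_` on the added line and nothing says what is being dropped, which is the one place a blank identifier deserves a word. A short trailing comment would do, e.g. `topics, _, err := s.topicsFromPath(r.URL.Path) // second result is not needed for authorization`; what that value actually is (presumably the raw topic segment of the path) is not visible in this hunk, so confirm the wording against topicsFromPath. withAuth and the closure this line sits in both start before the hunk and continue past it.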
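Review bot: If `topics` comes back empty, the new `for _, t := range topics` loop never executes and `next(w, r, v)` is reached without a single `Authorize` call, so whether this middleware stays fail-closed now depends entirely on the parser. Whether topicsFromPath can return an empty slice with a nil error (for instance for an empty topic segment) is not visible here; if it can, or simply as defence in depth for an auth middleware, a guard ahead of the loop, `if len(topics) == 0 { return errHTTPForbidden }`, makes the closed default explicit. The denial log line could also name the topic, `log.Printf("unauthorized: topic %s: %s", t.ID, err.Error())`, so that a multi-topic request's rejection is attributable when `err` does not carry the topic ID. withAuth's closure starts before the first hunk of this file.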
@@ -557,6 +557,29 @@ func TestServer_Auth_Success_User(t *testing.T) {
 	require.Equal(t, 200, response.Code)
 }
 
+func TestServer_Auth_Success_User_MultipleTopics(t *testing.T) {
+	c := newTestConfig(t)
+	c.AuthFile = filepath.Join(t.TempDir(), "user.db")
+	c.AuthDefaultRead = false
+	c.AuthDefaultWrite = false
+	s := newTestServer(t, c)
+
+	manager := s.auth.(auth.Manager)
+	require.Nil(t, manager.AddUser("ben", "ben", auth.RoleUser))
+	require.Nil(t, manager.AllowAccess("ben", "mytopic", true, true))
+	require.Nil(t, manager.AllowAccess("ben", "anothertopic", true, true))
+
+	response := request(t, s, "GET", "/mytopic,anothertopic/auth", "", map[string]string{
+		"Authorization": basicAuth("ben:ben"),
+	})
+	require.Equal(t, 200, response.Code)
+
+	response = request(t, s, "GET", "/mytopic,anothertopic,NOT-THIS-ONE/auth", "", map[string]string{
+		"Authorization": basicAuth("ben:ben"),
+	})
+	require.Equal(t, 403, response.Code)
+}
+
 func TestServer_Auth_Fail_InvalidPass(t *testing.T) {
 	c := newTestConfig(t)
 	c.AuthFile = filepath.Join(t.TempDir(), "user.db")
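Review bot: The negative case in `TestServer_Auth_Success_User_MultipleTopics` only ever places the unauthorized topic last (`/mytopic,anothertopic,NOT-THIS-ONE/auth`), so a loop that stopped after the first permitted topic would still pass this test; a second denied request with the unknown topic first, `request(t, s, "GET", "/NOT-THIS-ONE,mytopic/auth", "", ...)` asserting 403, pins the order-independence of the check. Both requests go through `GET .../auth`, so only whichever permission that endpoint maps to is exercised; if the same authorization loop guards publishing, a multi-topic write to a list containing a denied member is worth a case as well, though that mapping is not visible in this hunk. TestServer_Auth_Fail_InvalidPass at the tail continues outside the hunk.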