diff --git a/docker/nginx/conf.d/client.conf b/docker/nginx/conf.d/client.conf
index 4515bda9..eb388469 100644
--- a/docker/nginx/conf.d/client.conf
+++ b/docker/nginx/conf.d/client.conf
@@ -1,5 +1,11 @@
 proxy_cache_path /data/nginx/cache levels=1:2 keys_zone=skynet:10m max_size=10g inactive=24h use_temp_path=off;
 
+# this runs before forking out nginx worker processes
+init_by_lua_block { 
+	require "cjson" 
+	require "socket.http"
+}
+
 # ratelimit specified IPs
 geo $limit {
 	default 0;
@@ -458,6 +464,24 @@ server {
 		proxy_pass http://127.0.0.1/$uri?attachment=true&$args;
 	}
 
+	location /__internal/do/not/use {
+		content_by_lua_block {
+			local json = require('cjson')
+			-- this block runs only when accounts are enabled
+			if os.getenv("ACCOUNTS_ENABLED", "0") == "0" then
+				return ngx.say(json.encode{authenticated = false})
+			end
+
+			local res = ngx.location.capture("/accounts/user/limits", { copy_all_vars = true })
+			if res.status == ngx.HTTP_OK then
+				local limits = json.decode(res.body)
+				return ngx.say(json.encode{authenticated = limits.tier > 0})
+			end
+
+			ngx.say(json.encode{authenticated = false})
+		}
+	}
+
 	location /accounts {
 		internal; # internal endpoint only
 		access_log off; # do not log traffic