diff --git a/app/controllers/api/auth/episodes_controller.rb b/app/controllers/api/auth/episodes_controller.rb index 67917f92c..6ae3cb4eb 100644 --- a/app/controllers/api/auth/episodes_controller.rb +++ b/app/controllers/api/auth/episodes_controller.rb @@ -1,10 +1,7 @@ class Api::Auth::EpisodesController < Api::EpisodesController - include ApiAdminToken include ApiAuthenticated include ApiUpdatedSince - skip_before_action :authenticate_user!, if: :api_admin_token? - api_versions :v1 represent_with Api::Auth::EpisodeRepresenter filter_resources_by :podcast_id @@ -31,11 +28,6 @@ def sorted(res) end def resources_base - @resources_base ||= - if api_admin_token? - super - else - super.merge(authorization.token_auth_episodes) - end + authorization.token_auth_episodes end end diff --git a/app/controllers/api/auth/feeds_controller.rb b/app/controllers/api/auth/feeds_controller.rb index 0b91d831c..95f7cd727 100644 --- a/app/controllers/api/auth/feeds_controller.rb +++ b/app/controllers/api/auth/feeds_controller.rb @@ -6,12 +6,17 @@ class Api::Auth::FeedsController < Api::BaseController filter_resources_by :podcast_id after_action :publish, only: [:create, :update, :destroy] + allow_params :index, [:format, :api_version, :podcast_id, :page, :per] def publish resource.podcast.publish! if resource&.podcast end + def included(relation) + relation.includes(:podcast, :feed_images, :itunes_images, :feed_tokens) + end + def resources_base - @feeds ||= super.merge(authorization.token_auth_feeds) + authorization.token_auth_feeds end end diff --git a/app/controllers/api/auth/podcasts_controller.rb b/app/controllers/api/auth/podcasts_controller.rb index 2311025d0..9ffdaf490 100644 --- a/app/controllers/api/auth/podcasts_controller.rb +++ b/app/controllers/api/auth/podcasts_controller.rb @@ -19,6 +19,6 @@ def visible? end def resources_base - @podcasts ||= super.merge(authorization.token_auth_podcasts) + authorization.token_auth_podcasts end end 
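Review bot: `resources_base` in the episodes hunk now returns `authorization.token_auth_episodes` alone where it previously returned `super.merge(...)`, so whatever relation `Api::EpisodesController#resources_base` contributed (not visible here) no longer narrows the token-scoped result; the same `super` drop is made in the feeds and podcasts hunks of this commit. If that parent scope carried a restriction the `token_auth_*` scopes do not reapply, `authorization.token_auth_episodes.merge(super)` preserves it. The `@resources_base ||=` memoization is gone as well, so the scope is rebuilt on every call; harmless for a lazy relation, but a one-line comment such as `# token-scoped base relation; the admin token yields an unrestricted Authorization (see Api::BaseController#authorization)` would tell the next reader why `api_admin_token?` no longer appears in this controller.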
diff --git a/app/controllers/api/authorizations_controller.rb b/app/controllers/api/authorizations_controller.rb index cf802cbf6..c61412304 100644 --- a/app/controllers/api/authorizations_controller.rb +++ b/app/controllers/api/authorizations_controller.rb @@ -9,8 +9,7 @@ def resource authorization end - # this is the only auth#show endpoint not cached, since it's specific to a user - def cache_show? - false + def show_cache_path + authorization.cache_key end end diff --git a/app/controllers/api/base_controller.rb b/app/controllers/api/base_controller.rb index 4f4eaa3a5..c8de87283 100644 --- a/app/controllers/api/base_controller.rb +++ b/app/controllers/api/base_controller.rb @@ -3,6 +3,7 @@ class Api::BaseController < ApplicationController include HalApi::Controller + include ApiAdminToken # these API endpoints use PRX JWTs, not session based auth skip_before_action :verify_authenticity_token @@ -33,7 +34,11 @@ def pundit_user end def authorization - Authorization.new(prx_auth_token) if prx_auth_token + if prx_auth_token + Authorization.new(prx_auth_token) + elsif api_admin_token? + Authorization.new(nil, true) + end end allow_params :show, [:api_version, :format, :zoom] diff --git a/app/controllers/api/feeds_controller.rb b/app/controllers/api/feeds_controller.rb index 8be36ab65..d4151d4de 100644 --- a/app/controllers/api/feeds_controller.rb +++ b/app/controllers/api/feeds_controller.rb @@ -1,6 +1,8 @@ class Api::FeedsController < Api::BaseController - include ApiAdminToken + include ApiAuthenticated + # only allows admin tokens, not regular token users + skip_before_action :authenticate_user! before_action :api_admin_token! def index diff --git a/app/controllers/concerns/api_authenticated.rb b/app/controllers/concerns/api_authenticated.rb index 5b44fec92..2e0d3a9f8 100644 --- a/app/controllers/concerns/api_authenticated.rb +++ b/app/controllers/concerns/api_authenticated.rb 
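Review bot: `show_cache_path` makes auth#show cacheable, keyed by `authorization.cache_key`, after the removed comment explained that it was deliberately uncached because the response is user-specific; the key must therefore change with every input the representer reads (user identity, token scopes and roles, expiry), or one caller's authorization document can be served to another, and `Authorization#cache_key` is not in this diff to confirm that. With the admin token now producing `Authorization.new(nil, true)` (base_controller hunk), the key also has to keep that authorization distinct from any user token's. If `authorization` can be nil when this method runs, `authorization.cache_key` raises; `authorization&.cache_key` or gating on `authenticated?` as ApiAuthenticated does avoids that. A replacement comment such as `# cached per caller: the key must cover everything the representer reads from the token` would carry the removed comment's intent forward.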
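Review bot: `Authorization.new(nil, true)` in the new `elsif` branch of `authorization` passes an unexplained positional boolean for what is the highest-privilege path in the API; a keyword such as `Authorization.new(nil, admin: true)` or a named constructor would make that visible at the call site, though the constructor's signature is outside this diff. A comment on the branch would also help, e.g. `# admin token: unrestricted Authorization with no user token; a PRX JWT, if present, takes precedence`, since the `if prx_auth_token` test comes first and a request carrying both credentials is treated as the user. Moving `include ApiAdminToken` into BaseController (first hunk) additionally means every Api controller now honours the admin token through `authorization`, not only those that previously opted in; worth stating next to the include.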
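Review bot: `include ApiAuthenticated` followed immediately by `skip_before_action :authenticate_user!` in feeds_controller.rb reads as contradictory, and the added comment states the admin-only policy but not why the concern is included at all — presumably for the `authenticated?`-gated cache paths it now defines. Expanding it, e.g. `# ApiAuthenticated is included for its cache-path gating; user auth is skipped and replaced by api_admin_token!`, would spare the next reader the detour. Since `api_admin_token!` is now the only guard on this controller, confirm it halts the request (renders or raises) rather than merely returning, as a non-halting before_action would leave the actions open; its definition is outside this diff.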
@@ -7,15 +7,20 @@ module ApiAuthenticated
 before_action :authenticate_user!
 end

+ def authenticated?
+ api_admin_token? || prx_auth_token
+ end
+
 def authenticate_user!
- user_not_authorized unless prx_auth_token
+ user_not_authorized unless authenticated?
 end

- def cache_show?
- true
+ # don't bother calculating cache keys if user will be 401'd anyways
+ def index_cache_path
+ super if authenticated?
 end

- def cache_index?
- false
+ def show_cache_path
+ super if authenticated?
 end
 end
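Review bot: `index_cache_path` now returns `super` for every authenticated request where the removed `cache_index?` returned `false`, so index responses of the token-scoped controllers (episodes, feeds and podcasts, whose `resources_base` becomes `authorization.token_auth_*` in this commit) become cacheable; unless `super` already folds the authorization's identity into the path, two tokens with different scopes would share one cached listing. Either keep index uncached or key it explicitly, for example `[super, authorization.cache_key] if authenticated?` — `HalApi::Controller#index_cache_path` is outside this diff, so confirm what `super` includes before relying on it. `authenticated?` returns the raw `prx_auth_token` rather than a boolean when no admin token is present, which works under `if`/`unless` but `api_admin_token? || !prx_auth_token.nil?` fits the predicate convention. A one-line comment on it, `# true for the admin token or any PRX JWT; authorization decides what either may see`, would help readers arriving from `authenticate_user!`.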