diff --git a/app/handle-count.go b/app/handle-count.go
index ff17402..d3dd1d6 100644
--- a/app/handle-count.go
+++ b/app/handle-count.go
@@ -9,6 +9,7 @@ import (
 	"lol.mleku.dev/chk"
 	"lol.mleku.dev/log"
 	"next.orly.dev/pkg/acl"
+	"next.orly.dev/pkg/crypto/ec/schnorr"
 	"next.orly.dev/pkg/encoders/envelopes/authenvelope"
 	"next.orly.dev/pkg/encoders/envelopes/countenvelope"
 	"next.orly.dev/pkg/utils/normalize"
@@ -28,7 +29,7 @@ func (l *Listener) HandleCount(msg []byte) (err error) {
 	log.D.C(func() string { return fmt.Sprintf("COUNT sub=%s filters=%d", env.Subscription, len(env.Filters)) })
 
 	// If ACL is active, auth is required, or AuthToWrite is enabled, send a challenge (same as REQ path)
-	if acl.Registry.Active.Load() != "none" || l.Config.AuthRequired || l.Config.AuthToWrite {
+	if len(l.authedPubkey.Load()) != schnorr.PubKeyBytesLen && (acl.Registry.Active.Load() != "none" || l.Config.AuthRequired || l.Config.AuthToWrite) {
 		if err = authenvelope.NewChallengeWith(l.challenge.Load()).Write(l); chk.E(err) {
 			return
 		}
diff --git a/app/handle-req.go b/app/handle-req.go
index 441c801..3886f46 100644
--- a/app/handle-req.go
+++ b/app/handle-req.go
@@ -52,7 +52,7 @@ func (l *Listener) HandleReq(msg []byte) (err error) {
 		},
 	)
 	// send a challenge to the client to auth if an ACL is active, auth is required, or AuthToWrite is enabled
-	if acl.Registry.Active.Load() != "none" || l.Config.AuthRequired || l.Config.AuthToWrite {
+	if len(l.authedPubkey.Load()) == 0 && (acl.Registry.Active.Load() != "none" || l.Config.AuthRequired || l.Config.AuthToWrite) {
 		if err = authenvelope.NewChallengeWith(l.challenge.Load()).
 			Write(l); chk.E(err) {
 			return
diff --git a/pkg/version/version b/pkg/version/version
index ac4f5fc..9ca2c5e 100644
--- a/pkg/version/version
+++ b/pkg/version/version
@@ -1 +1 @@
-v0.25.6
\ No newline at end of file
+v0.25.7
\ No newline at end of file