diff --git a/app/handle-websocket.go b/app/handle-websocket.go
index 62452d5..e932752 100644
--- a/app/handle-websocket.go
+++ b/app/handle-websocket.go
@@ -7,6 +7,7 @@ import (
 	"strings"
 	"time"
 
+	"encoders.orly/envelopes/authenvelope"
 	"encoders.orly/hex"
 	"github.com/coder/websocket"
 	"lol.mleku.dev/chk"
@@ -70,6 +71,14 @@ whitelist:
 	chal := make([]byte, 32)
 	rand.Read(chal)
 	listener.challenge.Store([]byte(hex.Enc(chal)))
+	// If admins are configured, immediately prompt client to AUTH (NIP-42)
+	if len(s.Config.Admins) > 0 {
+		log.D.F("sending initial AUTH challenge to %s", remote)
+		if err = authenvelope.NewChallengeWith(listener.challenge.Load()).
+			Write(listener); chk.E(err) {
+			return
+		}
+	}
 	ticker := time.NewTicker(DefaultPingWait)
 	go s.Pinger(ctx, conn, ticker, cancel)
 	defer func() {
diff --git a/scripts/relaytester-test.sh b/scripts/relaytester-test.sh
index f9e14cd..e93da94 100755
--- a/scripts/relaytester-test.sh
+++ b/scripts/relaytester-test.sh
@@ -7,6 +7,7 @@ if ! command -v "relay-tester" &> /dev/null; then
     echo "./scripts/relaytester-install.sh"
     exit
 fi
+rm -rf ~/.local/share/ORLY
 export ORLY_LOG_LEVEL=off
 export ORLY_LISTEN=127.0.0.1
 export ORLY_PORT=3334