diff --git a/CHANGELOG.md b/CHANGELOG.md
index ee04c11b35c89018d8f6c0df760081bd3c411b6f..ef709603373e63560aa9ecf93c7ff1f3c57f2dd9 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -4,6 +4,9 @@ All notable changes to this project are documented below.
 The format is based on [keep a changelog](http://keepachangelog.com) and this project uses [semantic versioning](http://semver.org).
 
 ## [Unreleased]
+### Added
+- Allow the socket acceptor to read session tokens from request headers.
+
 ### Changed
 - Stricter validation of limit in runtime storage list operations.
 - Allow subdomain variance in Facebook Limited Login token issuer field.
diff --git a/server/matchmaker.go b/server/matchmaker.go
index f86d6cd042b54bc2f7ac0247423d3a4001979e47..cef50ed22b7746415f230e7843b054778e3df2dd 100644
--- a/server/matchmaker.go
+++ b/server/matchmaker.go
@@ -550,7 +550,7 @@ func (m *LocalMatchmaker) Process() {
 					// We've removed something, update the known size of the currently considered combo.
 					l = len(foundCombo) + index.Count
 
-					if (len(foundCombo)+index.Count)%index.CountMultiple != 0 {
+					if l%index.CountMultiple != 0 {
 						// Removal was insufficient, the combo is still not valid for the required multiple.
 						continue
 					}
diff --git a/server/socket_ws.go b/server/socket_ws.go
index 2a2396e1b229ad752370a8e33b23e6f5a9fff3e2..40ed50eab7dbbed30958daf6b2310fc1ac94137c 100644
--- a/server/socket_ws.go
+++ b/server/socket_ws.go
@@ -18,6 +18,7 @@ import (
 	"net"
 	"net/http"
 	"strconv"
+	"strings"
 
 	"github.com/gofrs/uuid"
 	"github.com/gorilla/websocket"
@@ -55,7 +56,19 @@ func NewSocketWsAcceptor(logger *zap.Logger, config Config, sessionRegistry Sess
 		}
 
 		// Check authentication.
-		token := r.URL.Query().Get("token")
+		var token string
+		if auth := r.Header["Authorization"]; len(auth) >= 1 {
+			// Attempt header based authentication.
+			const prefix = "Bearer "
+			if !strings.HasPrefix(auth[0], prefix) {
+				http.Error(w, "Missing or invalid token", 401)
+				return
+			}
+			token = auth[0][len(prefix):]
+		} else {
+			// Attempt query parameter based authentication.
+			token = r.URL.Query().Get("token")
+		}
 		if token == "" {
 			http.Error(w, "Missing or invalid token", 401)
 			return