diff --git a/packages/api/src/routes/page/getPageConfig.js b/packages/api/src/routes/page/getPageConfig.js
index 5d5b5b3cf..d4ff1cc16 100644
--- a/packages/api/src/routes/page/getPageConfig.js
+++ b/packages/api/src/routes/page/getPageConfig.js
@@ -14,10 +14,12 @@
   limitations under the License.
 */
 
-// TODO: strip auth prop from page before we send it to the client
 async function getPageConfig({ authorize, readConfigFile }, { pageId }) {
   const pageConfig = await readConfigFile(`pages/${pageId}/${pageId}.json`);
-  if (pageConfig && authorize(pageConfig)) return pageConfig;
+  if (pageConfig && authorize(pageConfig)) {
+    delete pageConfig.auth;
+    return pageConfig;
+  }
   return null;
 }
 
diff --git a/packages/api/src/routes/page/getPageConfig.test.js b/packages/api/src/routes/page/getPageConfig.test.js
index 1f52cc130..abec309b3 100644
--- a/packages/api/src/routes/page/getPageConfig.test.js
+++ b/packages/api/src/routes/page/getPageConfig.test.js
@@ -40,9 +40,6 @@ test('getPageConfig, public', async () => {
   const res = await getPageConfig(context, { pageId: 'pageId' });
   expect(res).toEqual({
     id: 'page:pageId',
-    auth: {
-      public: true,
-    },
   });
 });
 
@@ -81,9 +78,6 @@ test('getPageConfig, protected, with user', async () => {
   );
   expect(res).toEqual({
     id: 'page:pageId',
-    auth: {
-      public: false,
-    },
   });
 });