diff --git a/pkg/services/authz/client.go b/pkg/services/authz/client.go
index dc6ef3aa514..6a83fb3ebe9 100644
--- a/pkg/services/authz/client.go
+++ b/pkg/services/authz/client.go
@@ -55,7 +55,7 @@ func ProvideAuthZClient(
 return nil, err
 }
 case ModeGRPC:
- client, err = newGrpcLegacyClient(authCfg.remoteAddress)
+ client, err = newGrpcLegacyClient(authCfg)
 if err != nil {
 return nil, err
 }
@@ -83,7 +83,7 @@ func ProvideStandaloneAuthZClient(
 return nil, err
 }
 
- return newGrpcLegacyClient(authCfg.remoteAddress)
+ return newGrpcLegacyClient(authCfg)
 }
 
 func newInProcLegacyClient(server *legacyServer) (authzlib.MultiTenantClient, error) {
@@ -109,7 +109,7 @@ func newInProcLegacyClient(server *legacyServer) (authzlib.MultiTenantClient, er
 )
 }
 
-func newGrpcLegacyClient(address string) (authzlib.MultiTenantClient, error) {
+func newGrpcLegacyClient(authCfg *Cfg) (authzlib.MultiTenantClient, error) {
 // This client interceptor is a noop, as we don't send an access token
 grpcClientConfig := authnlib.GrpcClientConfig{}
 clientInterceptor, err := authnlib.NewGrpcClientInterceptor(&grpcClientConfig,
@@ -119,13 +119,10 @@ func newGrpcLegacyClient(address string) (authzlib.MultiTenantClient, error) {
 return nil, err
 }
 
- cfg := authzlib.MultiTenantClientConfig{RemoteAddress: address}
+ cfg := authzlib.MultiTenantClientConfig{RemoteAddress: authCfg.remoteAddress}
 client, err := authzlib.NewLegacyClient(&cfg,
- // TODO(drclau): make this configurable (e.g. allow to use insecure connections)
 authzlib.WithGrpcDialOptionsLCOption(
- grpc.WithTransportCredentials(insecure.NewCredentials()),
- grpc.WithUnaryInterceptor(clientInterceptor.UnaryClientInterceptor),
- grpc.WithStreamInterceptor(clientInterceptor.StreamClientInterceptor),
+ getDialOpts(clientInterceptor, authCfg.allowInsecure)...,
 ),
 authzlib.WithNamespaceFormatterLCOption(authnlib.OnPremNamespaceFormatter),
 // TODO(drclau): remove this once we have access token support on-prem
@@ -157,11 +154,8 @@ func newCloudLegacyClient(authCfg *Cfg) (authzlib.MultiTenantClient, error) {
 
 clientCfg := authzlib.MultiTenantClientConfig{RemoteAddress: authCfg.remoteAddress}
 client, err := authzlib.NewLegacyClient(&clientCfg,
- // TODO(drclau): make this configurable (e.g. allow to use insecure connections)
 authzlib.WithGrpcDialOptionsLCOption(
- grpc.WithTransportCredentials(insecure.NewCredentials()),
- grpc.WithUnaryInterceptor(clientInterceptor.UnaryClientInterceptor),
- grpc.WithStreamInterceptor(clientInterceptor.StreamClientInterceptor),
+ getDialOpts(clientInterceptor, authCfg.allowInsecure)...,
 ),
 )
 if err != nil {
@@ -170,3 +164,16 @@ func newCloudLegacyClient(authCfg *Cfg) (authzlib.MultiTenantClient, error) {
 
 return client, nil
 }
+
+func getDialOpts(interceptor *authnlib.GrpcClientInterceptor, allowInsecure bool) []grpc.DialOption {
+ dialOpts := []grpc.DialOption{
+ grpc.WithUnaryInterceptor(interceptor.UnaryClientInterceptor),
+ grpc.WithStreamInterceptor(interceptor.StreamClientInterceptor),
+ }
+ if allowInsecure {
+ // allow insecure connections in development mode to facilitate testing
+ dialOpts = append(dialOpts, grpc.WithTransportCredentials(insecure.NewCredentials()))
+ }
+
+ return dialOpts
+}
diff --git a/pkg/services/authz/config.go b/pkg/services/authz/config.go
index c8e8c00a99e..68aa0c89807 100644
--- a/pkg/services/authz/config.go
+++ b/pkg/services/authz/config.go
@@ -30,6 +30,8 @@ type Cfg struct {
 token string
 tokenExchangeURL string
 tokenNamespace string
+
+ allowInsecure bool
 }
 
 func ReadCfg(cfg *setting.Cfg) (*Cfg, error) {
@@ -55,5 +57,6 @@ func ReadCfg(cfg *setting.Cfg) (*Cfg, error) {
 token: token,
 tokenExchangeURL: tokenExchangeURL,
 tokenNamespace: tokenNamespace,
+ allowInsecure: cfg.Env == "development",
 }, nil
 }
diff --git a/pkg/storage/unified/sql/service.go b/pkg/storage/unified/sql/service.go
index 30ae51df144..817b6f09c64 100644
--- a/pkg/storage/unified/sql/service.go
+++ b/pkg/storage/unified/sql/service.go
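Review bot: getDialOpts appends no transport credentials at all when allowInsecure is false, so outside development mode the options handed to authzlib.NewLegacyClient by both newGrpcLegacyClient (client.go hunk at line 119) and newCloudLegacyClient carry neither insecure nor TLS credentials; grpc-go refuses to dial with no transport security set unless the wrapping library supplies its own default, which is not visible here, so production deployments either fail to connect or rely on an implicit default that this code no longer states. An explicit secure branch keeps the policy in one reviewable place: `} else { dialOpts = append(dialOpts, grpc.WithTransportCredentials(credentials.NewTLS(&tls.Config{MinVersion: tls.VersionTLS12}))) }` (google.golang.org/grpc/credentials and crypto/tls), to be tightened with CA and server-name settings once those are configurable. The insecure branch should also log that transport security is disabled, because cfg.Env is operator-controlled and a deployment left in development mode would otherwise downgrade silently. The function lacks a doc comment; `// getDialOpts builds the dial options for the authz gRPC client. Transport security is disabled only when allowInsecure is set (development mode).` would do, and Go naming convention would drop the Get prefix (`dialOptions`).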
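Review bot: `allowInsecure: cfg.Env == "development"` hard-codes the mode string, and pkg/storage/unified/sql/service.go in this same commit compares cfg.Env against the same literal independently, so the two insecure-mode gates can drift apart; if the setting package exports a constant for the development mode, compare against that, or expose one helper such as `func isDevMode(cfg *setting.Cfg) bool` that both call sites use. The new Cfg field in the struct hunk above also deserves a comment, e.g. `// allowInsecure disables transport security for the authz gRPC client; set only when Grafana runs in development mode.`, since a reader of Cfg cannot otherwise tell that this flag downgrades the connection rather than, say, relaxing token checks.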
@@ -80,9 +80,11 @@ func ProvideService(
 // },
 }
 
- // TODO(drclau): only allow insecure connections when app_mode = development
- tr := &http.Transport{TLSClientConfig: &tls.Config{InsecureSkipVerify: true}}
- client := &http.Client{Transport: tr}
+ client := http.DefaultClient
+ if cfg.Env == "development" {
+ // allow insecure connections in development mode to facilitate testing
+ client = &http.Client{Transport: &http.Transport{TLSClientConfig: &tls.Config{InsecureSkipVerify: true}}}
+ }
 keyRetriever := authnlib.NewKeyRetriever(grpcAuthCfg.KeyRetrieverConfig, authnlib.WithHTTPClientKeyRetrieverOpt(client))
 grpcOpts := []authnlib.GrpcAuthenticatorOption{}
@@ -92,12 +94,16 @@ func ProvideService(
 // TODO(drclau): do we need orgId?
 case grpcutils.ModeGRPC:
 grpcOpts = append(grpcOpts,
+ // Access token are not yet available on-prem
 authnlib.WithDisableAccessTokenAuthOption(),
 authnlib.WithIDTokenAuthOption(true),
 authnlib.WithKeyRetrieverOption(keyRetriever),
 )
 case grpcutils.ModeCloud:
- grpcOpts = append(grpcOpts, authnlib.WithIDTokenAuthOption(true))
+ grpcOpts = append(grpcOpts,
+ authnlib.WithIDTokenAuthOption(true),
+ authnlib.WithKeyRetrieverOption(keyRetriever),
+ )
 }
 
 authn, err := authnlib.NewGrpcAuthenticator(
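Review bot: `client := http.DefaultClient` hands the key retriever an HTTP client with no timeout, so a stalled or black-holed signing-key endpoint can block token verification, and with it every authenticated gRPC request, indefinitely; the removed code had the same gap, but this hunk is where the client is now chosen. Build one bounded client and only swap its transport in development mode: `client := &http.Client{Timeout: 10 * time.Second}` (constructed value, tune as needed) followed by `client.Transport = &http.Transport{TLSClientConfig: &tls.Config{InsecureSkipVerify: true}}` inside the `if`, which needs a `time` import. Because InsecureSkipVerify disables both chain and host-name validation for the keys every incoming token is checked against, the development branch should log at startup that certificate verification is off, so an environment accidentally left in development mode is visible in operations. ProvideService begins before this hunk.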
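Review bot: The new comment in the ModeGRPC case reads `// Access token are not yet available on-prem`; the subject should be plural, `// Access tokens are not yet available on-prem`, and it would help to state the consequence the visible options express, e.g. `// Access tokens are not yet available on-prem, so access-token auth is disabled and ID tokens are required instead.` — hedged against what WithDisableAccessTokenAuthOption and WithIDTokenAuthOption actually do, which is not shown here. The ModeCloud case now registers the same key retriever as ModeGRPC; a one-line comment there saying why both modes share the retriever but differ on access-token auth would save the next reader a diff archaeology. ProvideService starts and ends outside this hunk.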