diff --git a/lib/App/Netdisco/DB/Result/Virtual/UserRole.pm b/lib/App/Netdisco/DB/Result/Virtual/UserRole.pm index bd24737c..7746112e 100644 --- a/lib/App/Netdisco/DB/Result/Virtual/UserRole.pm +++ b/lib/App/Netdisco/DB/Result/Virtual/UserRole.pm @@ -19,6 +19,9 @@ __PACKAGE__->result_source_instance->view_definition(< sub { }; get qr{^/(?:login(?:/denied)?)?} => sub { - template 'index', { return_url => param('return_url') }; + if (param('return_url') and param('return_url') =~ m{^/api/}) { + status 403; + return to_json { + error => 'not authorized', + return_url => param('return_url'), + }; + } + else { + template 'index', { return_url => param('return_url') }; + } }; # override default login_handler so we can log access in the database
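Review bot: The new 403 branch in the login route echoes the request-supplied `return_url` back in the response body, and nothing in the visible handler sets a content type. Unless a JSON type is applied elsewhere, the body would presumably be sent with the framework's default HTML type, so a browser could interpret the echoed value as markup. Add `content_type 'application/json';` before `return to_json { ... }`, or drop `return_url` from the error body, since the caller already knows what it asked for. Separately, a client that has not authenticated yet would more conventionally get 401 than 403, if API consumers distinguish the two.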