diff --git a/lib/App/Netdisco/Web.pm b/lib/App/Netdisco/Web.pm
index 8ba004b0..2cde6f62 100644
--- a/lib/App/Netdisco/Web.pm
+++ b/lib/App/Netdisco/Web.pm
@@ -426,7 +426,7 @@ if (setting('trust_x_remote_user')) {
               name => 'X-REMOTE_USER',
               description => 'API client user name',
               in => 'header',
-              required => true,
+              required => false,
               type => 'string',
             };
         }
diff --git a/lib/App/Netdisco/Web/AuthN.pm b/lib/App/Netdisco/Web/AuthN.pm
index 87951a94..ec532b54 100644
--- a/lib/App/Netdisco/Web/AuthN.pm
+++ b/lib/App/Netdisco/Web/AuthN.pm
@@ -78,7 +78,7 @@ hook 'before' => sub {
         request->path_info('/');
     }
     # API calls must conform strictly to path and header requirements
-    elsif (request_is_api) {
+    elsif (request_is_api and request->header('Authorization')) {
         # from the internals of Dancer::Plugin::Auth::Extensible
         my $provider = Dancer::Plugin::Auth::Extensible::auth_provider('users');