diff --git a/apiserver/apiserver/api/views.py b/apiserver/apiserver/api/views.py
index 6fd4300..ac98466 100644
--- a/apiserver/apiserver/api/views.py
+++ b/apiserver/apiserver/api/views.py
@@ -649,6 +649,8 @@ class BackupView(views.APIView):
             cache.set(backup_user['name'], datetime.datetime.now())
 
             return redirect(backup_url)
+        elif auth_token:
+            raise exceptions.PermissionDenied()
         else:
             backup_stats = []
             for backup_user in secrets.BACKUP_TOKENS.values():