diff --git a/pagure/api/project.py b/pagure/api/project.py
index 73a58c1..da07b9d 100644
--- a/pagure/api/project.py
+++ b/pagure/api/project.py
@@ -1225,7 +1225,7 @@ def api_generate_acls(repo, username=None, namespace=None):
 @API.route('/fork///git/branch', methods=['POST'])
 @API.route('/fork////git/branch', methods=['POST'])
-@api_login_required(acls=['modify_project'])
+@api_login_required(acls=['create_branch'])
 @api_method
 def api_new_branch(repo, username=None, namespace=None):
     """
@@ -1273,6 +1273,10 @@ def api_new_branch(repo, username=None, namespace=None):
     if not project:
         raise pagure.exceptions.APIError(404, error_code=APIERROR.ENOPROJECT)
 
+    if flask.g.token.project and project != flask.g.token.project:
+        raise pagure.exceptions.APIError(
+            401, error_code=APIERROR.EINVALIDTOK)
+
     # Check if it's JSON or form data
     if flask.request.headers.get('Content-Type') == 'application/json':
         # Set force to True to ignore the mimetype. Set silent so that None is
diff --git a/pagure/default_config.py b/pagure/default_config.py
index 4233076..e81ffde 100644
--- a/pagure/default_config.py
+++ b/pagure/default_config.py
@@ -285,6 +285,7 @@ ACLS = {
     'modify_project': 'Modify an existing project',
     'generate_acls_project': 'Generate the Gitolite ACLs on a project',
     'commit_flag': 'Flag a commit',
+    'create_branch': 'Create a git branch on a project',
 }
 
 # List of ACLs which a regular user is allowed to associate to an API token
@@ -309,6 +310,7 @@ ADMIN_API_ACLS = [
     'pull_request_merge',
     'generate_acls_project',
     'commit_flag',
+    'create_branch',
 ]
 
 # Bootstrap URLS
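Review bot: Replacing `acls=['modify_project']` with `acls=['create_branch']` on the decorator is a hard cut-over: any existing token that was issued with only `modify_project` stops being accepted by this endpoint, and the commit adds no migration or transition note for that. If `api_login_required` accepts any one of the listed ACLs (not visible in this hunk, so please confirm), `@api_login_required(acls=['create_branch', 'modify_project'])` would keep old tokens working while new ones move to the narrower scope. Either way, the narrowing is worth a line in the endpoint docstring, since callers pick ACLs when they create tokens. The body of `api_new_branch` continues past the end of this hunk.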
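Review bot: The new guard compares ORM objects directly in `project != flask.g.token.project`, which is only reliable if both instances come from the same session and the model relies on identity equality; comparing primary keys, `if flask.g.token.project and project.id != flask.g.token.project.id:`, expresses the intent without that dependency. The reason for the 401 and `EINVALIDTOK` (rather than a 403) is not obvious on the line, so a short comment such as `# A project-scoped token may only act on the project it was issued for` would help the next reader. Because the 404 lookup runs before this check, a token scoped to one project receives 401 for other existing projects and 404 for missing ones; that is likely acceptable here but is a small existence signal worth being aware of. `api_new_branch` starts and ends outside this hunk.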