diff --git a/pagure/api/fork.py b/pagure/api/fork.py
index 14252cf..9068994 100644
--- a/pagure/api/fork.py
+++ b/pagure/api/fork.py
@@ -24,7 +24,7 @@ import pagure.lib.tasks
 from pagure.api import (API, api_method, api_login_required, APIERROR,
                         get_authorized_api_project)
 from pagure.config import config as pagure_config
-from pagure.utils import is_repo_committer, api_authenticated, is_true
+from pagure.utils import is_repo_committer, is_true
 
 _log = logging.getLogger(__name__)
 
@@ -852,10 +852,9 @@ def api_subscribe_pull_request(
         raise pagure.exceptions.APIError(
             404, error_code=APIERROR.EPULLREQUESTSDISABLED)
 
-    if api_authenticated():
-        if flask.g.token.project and repo != flask.g.token.project:
-            raise pagure.exceptions.APIError(
-                401, error_code=APIERROR.EINVALIDTOK)
+    if flask.g.token.project and repo != flask.g.token.project:
+        raise pagure.exceptions.APIError(
+            401, error_code=APIERROR.EINVALIDTOK)
 
     request = pagure.lib.search_pull_requests(
         flask.g.session, project_id=repo.id, requestid=requestid)
@@ -994,6 +993,10 @@ def api_pull_request_create(repo, username=None, namespace=None):
     if repo is None:
         raise pagure.exceptions.APIError(404, error_code=APIERROR.ENOPROJECT)
 
+    if flask.g.token.project and repo != flask.g.token.project:
+        raise pagure.exceptions.APIError(
+            401, error_code=APIERROR.EINVALIDTOK)
+
     form = pagure.forms.RequestPullForm(csrf_enabled=False)
     if not form.validate_on_submit():
         raise pagure.exceptions.APIError(
diff --git a/pagure/api/project.py b/pagure/api/project.py
index da07b9d..c1fcc1e 100644
--- a/pagure/api/project.py
+++ b/pagure/api/project.py
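Review bot: The new condition in the api_subscribe_pull_request hunk dereferences `flask.g.token` unconditionally where the removed `api_authenticated()` guard used to protect it; that is only safe if this endpoint is reached exclusively through `@api_login_required`, whose decorator line is outside this hunk, so please confirm no unauthenticated path reaches it (otherwise the project-scope check fails with an AttributeError instead of a clean 401). A one-line comment would record that assumption for the next reader: `# api_login_required guarantees flask.g.token; reject tokens scoped to another project`. api_subscribe_pull_request starts and ends outside the hunk.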
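Review bot: The three-line project-scope check added before the form is built in api_pull_request_create is now the fourth verbatim copy of the same authorization guard (api_subscribe_pull_request above, plus api_modify_project and api_generate_acls in pagure/api/project.py in this same commit), and duplicated authorization checks are exactly where a future endpoint forgets the check or one copy drifts. I would move it into a single helper alongside `get_authorized_api_project` in pagure.api, say `check_api_token_project(project)`, whose body is the three lines added here, and replace each copy with `check_api_token_project(repo)`. Placing the check after the 404 for a missing project matches the existing ordering in these endpoints, so no change there. api_pull_request_create continues outside the hunk.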
@@ -964,6 +964,10 @@ def api_modify_project(repo, namespace=None):
         raise pagure.exceptions.APIError(
             404, error_code=APIERROR.ENOPROJECT)
 
+    if flask.g.token.project and project != flask.g.token.project:
+        raise pagure.exceptions.APIError(
+            401, error_code=APIERROR.EINVALIDTOK)
+
     is_site_admin = pagure.utils.is_admin()
     admins = [u.username for u in project.get_project_users('admin')]
     # Only allow the main admin, the admins of the project, and Pagure site
@@ -1192,6 +1196,10 @@ def api_generate_acls(repo, username=None, namespace=None):
     if not project:
         raise pagure.exceptions.APIError(404, error_code=APIERROR.ENOPROJECT)
 
+    if flask.g.token.project and project != flask.g.token.project:
+        raise pagure.exceptions.APIError(
+            401, error_code=APIERROR.EINVALIDTOK)
+
     # Check if it's JSON or form data
     if flask.request.headers.get('Content-Type') == 'application/json':
         # Set force to True to ignore the mimetype. Set silent so that None is