diff --git a/core/server/services/auth/authenticate.js b/core/server/services/auth/authenticate.js
index 566553ad51..76858b5367 100644
--- a/core/server/services/auth/authenticate.js
+++ b/core/server/services/auth/authenticate.js
@@ -5,7 +5,6 @@ const common = require('../../lib/common');
 const session = require('./session');
 const apiKeyAuth = require('./api-key');
 const members = require('./members');
-const labs = require('../labs');
 const authenticate = {
 // ### Authenticate Client Middleware
@@ -39,14 +38,6 @@ const authenticate = {
 req.body.client_secret = req.query.client_secret;
 }
- if (labs.isSet('publicAPI') !== true) {
- return next(new common.errors.NoPermissionError({
- message: common.i18n.t('errors.middleware.auth.publicAPIDisabled.error'),
- context: common.i18n.t('errors.middleware.auth.publicAPIDisabled.context'),
- help: common.i18n.t('errors.middleware.auth.forInformationRead', {url: 'https://docs.ghost.org/api/content/'})
- }));
- }
-
 if (!req.body.client_id || !req.body.client_secret) {
 return next(new common.errors.UnauthorizedError({
 message: common.i18n.t('errors.middleware.auth.accessDenied'),
diff --git a/core/server/services/auth/authorize.js b/core/server/services/auth/authorize.js
index ef8189a142..570cb34d0d 100644
--- a/core/server/services/auth/authorize.js
+++ b/core/server/services/auth/authorize.js
@@ -22,6 +22,15 @@ const authorize = {
 if (req.user && req.user.id) {
 return next();
 } else {
+ // CASE: has no user access and public api is disabled
+ if (labs.isSet('publicAPI') !== true) {
+ return next(new common.errors.NoPermissionError({
+ message: common.i18n.t('errors.middleware.auth.publicAPIDisabled.error'),
+ context: common.i18n.t('errors.middleware.auth.publicAPIDisabled.context'),
+ help: common.i18n.t('errors.middleware.auth.forInformationRead', {url: 'https://docs.ghost.org/api/content/'})
+ }));
+ }
+
 return next(new common.errors.NoPermissionError({
 message: common.i18n.t('errors.middleware.auth.pleaseSignIn')
 }));
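Review bot: The new branch in authorize.js calls `labs.isSet('publicAPI')`, but this diff removes `const labs = require('../labs');` from authenticate.js without adding a corresponding require to authorize.js; unless authorize.js already imports labs above this hunk, the branch throws a ReferenceError when hit, which would surface as a server error rather than the intended 403. The enclosing authorize function starts and ends outside the hunk. The relocated check now runs for every request that reaches this middleware without `req.user`, so a request that never presented client credentials receives the publicAPIDisabled message instead of pleaseSignIn while the flag is off; if that widening is intended, say so in place of the added comment, e.g. `// CASE: public API flag off — deny every unauthenticated request here, not only client-credential ones`. Both outcomes still fail closed with NoPermissionError, but the "publicAPI is disabled" test deleted from authenticate_spec.js is not re-added against authorize.js, so the moved deny path has no unit coverage in this change.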
diff --git a/core/test/unit/services/auth/authenticate_spec.js b/core/test/unit/services/auth/authenticate_spec.js
index 6a7b3eece5..5d67c0430d 100644
--- a/core/test/unit/services/auth/authenticate_spec.js
+++ b/core/test/unit/services/auth/authenticate_spec.js
@@ -349,25 +349,6 @@ describe('Auth', function () {
 done();
 });
- it('shouldn\'t authenticate when publicAPI is disabled', function (done) {
- labs.isSet.restore();
- sinon.stub(labs, 'isSet').withArgs('publicAPI').returns(false);
- req.body = {};
- req.body.client_id = testClient;
- req.body.client_secret = testSecret;
- req.headers = {};
- var next = function next(err) {
- err.statusCode.should.eql(403);
- (err instanceof common.errors.NoPermissionError).should.eql(true);
- done();
- };
- registerSuccessfulClientPasswordStrategy();
- auth.authenticate.authenticateClient(req, res, next);
- });
-
 it('shouldn\'t authenticate when error', function (done) {
 req.body = {};
 req.body.client_id = testClient;