diff --git a/app/controllers/api/v1/emails/confirmations_controller.rb b/app/controllers/api/v1/emails/confirmations_controller.rb
index 29ff897b91..16e91b4497 100644
--- a/app/controllers/api/v1/emails/confirmations_controller.rb
+++ b/app/controllers/api/v1/emails/confirmations_controller.rb
@@ -5,6 +5,7 @@ class Api::V1::Emails::ConfirmationsController < Api::BaseController
   before_action -> { doorkeeper_authorize! :write, :'write:accounts' }, except: :check
   before_action :require_user_owned_by_application!, except: :check
   before_action :require_user_not_confirmed!, except: :check
+  before_action :require_authenticated_user!, only: :check
 
   def create
     current_user.update!(email: params[:email]) if params.key?(:email)
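Review bot: The added `before_action :require_authenticated_user!, only: :check` has no comment explaining why `check` is exempt from the three filters above it yet still needs a signed-in user, so the `except: :check` / `only: :check` pairing is easy to break in a later refactor. Because `check` still skips `doorkeeper_authorize!`, it looks as if a token of any scope can call it once the user is authenticated; please confirm that this is intended. I would add above the new line something like `# check skips the scope and ownership filters (cookie or any-scope token), but must never answer an anonymous caller`. The `check` action itself is outside the hunk, so what it returns is not visible here.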
diff --git a/spec/controllers/api/v1/emails/confirmations_controller_spec.rb b/spec/controllers/api/v1/emails/confirmations_controller_spec.rb
index 219b5075df..80d6c8799d 100644
--- a/spec/controllers/api/v1/emails/confirmations_controller_spec.rb
+++ b/spec/controllers/api/v1/emails/confirmations_controller_spec.rb
@@ -130,5 +130,13 @@ RSpec.describe Api::V1::Emails::ConfirmationsController do
         end
       end
     end
+
+    context 'without an oauth token and an authentication cookie' do
+      it 'returns http unauthorized' do
+        get :check
+
+        expect(response).to have_http_status(401)
+      end
+    end
   end
 end
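Review bot: The context name `'without an oauth token and an authentication cookie'` is ambiguous, since it can be read as only one of the two credentials being absent; `context 'with neither an oauth token nor an authentication cookie' do` states the case exactly. The example pins only the fully anonymous request, so the cookie-only and token-only paths through the new filter rely on examples above the hunk, which are not visible here. If those do not exist, adding one of each would keep the 401 guard from also rejecting legitimate callers unnoticed. The enclosing `describe` starts outside the hunk.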