diff --git a/kallithea/model/db.py b/kallithea/model/db.py
--- a/kallithea/model/db.py
+++ b/kallithea/model/db.py
@@ -542,6 +542,9 @@ class User(Base, BaseModel):
     @classmethod
     def get_by_api_key(cls, api_key, cache=False, fallback=True):
+        if len(api_key) != 40 or not api_key.isalnum():
+            return None
+
         q = cls.query().filter(cls.api_key == api_key)
         if cache:
diff --git a/kallithea/tests/functional/test_login.py b/kallithea/tests/functional/test_login.py
--- a/kallithea/tests/functional/test_login.py
+++ b/kallithea/tests/functional/test_login.py
@@ -325,6 +325,8 @@ class TestLoginController(TestController
         ('none', None, 302),
         ('empty_string', '', 302),
         ('fake_number', '123456', 302),
+        ('fake_not_alnum', 'a-z', 302),
+        ('fake_api_key', '0123456789abcdef0123456789ABCDEF01234567', 302),
         ('proper_api_key', None, 200)
     ])
     def test_access_whitelisted_page_via_api_key(self, test_name, api_key, code):
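Review bot: The new guard at the top of get_by_api_key calls `len(api_key)` before establishing that api_key is a string, so if any caller passes None (the parameter has no default, and whether callers pre-filter is not visible here) the method raises TypeError instead of returning None as the rest of the guard intends; `if not api_key or len(api_key) != 40 or not api_key.isalnum():` makes the fast-reject path total over its inputs. Note also that `str.isalnum()` accepts any Unicode letter or digit, so this is a cheap shape filter rather than a strict token-alphabet check, which is fine for skipping the query on obviously malformed input but deserves a comment such as `# Cheap shape check (40 alphanumeric chars) to skip the DB lookup for malformed keys; not a strict alphabet check.`. The hunk header announces six context lines but only four are shown, and the body of get_by_api_key continues past the visible `if cache:` line.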
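Review bot: The two new cases cover a non-alphanumeric key and a well-formed unknown key, but nothing sits at the length boundary, so an off-by-one in the `len(api_key) != 40` guard (39 or 41 alphanumeric characters) would pass unnoticed; adding `('fake_too_short', '0' * 39, 302),` and `('fake_too_long', '0' * 41, 302),` pins it. Because every rejected case asserts only the 302 redirect, a malformed key that slips through the guard and merely misses in the database is indistinguishable from one the guard rejected, so a direct assertion that `User.get_by_api_key` returns None for a 39-character key would confirm the early return is what actually fires.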