diff --git a/kallithea/lib/base.py b/kallithea/lib/base.py
--- a/kallithea/lib/base.py
+++ b/kallithea/lib/base.py
@@ -393,11 +393,11 @@ class BaseController(TGController):
 # Authenticate by API key
 if api_key is not None:
 dbuser = User.get_by_api_key(api_key)
- au = AuthUser.make(dbuser=dbuser, authenticating_api_key=api_key, is_external_auth=True, ip_addr=ip_addr)
- if au is None or au.is_anonymous:
- log.warning('API key ****%s is NOT valid', api_key[-4:])
- raise webob.exc.HTTPForbidden(_('Invalid API key'))
- return au
+ if dbuser is None:
+ log.info('No db user found for authentication with API key ****%s from %s',
+ api_key[-4:], ip_addr)
+ return None
+ return AuthUser.make(dbuser=dbuser, authenticating_api_key=api_key, is_external_auth=True, ip_addr=ip_addr)
 
 # Authenticate by session cookie
 # In ancient login sessions, 'authuser' may not be a dict.
diff --git a/kallithea/model/db.py b/kallithea/model/db.py
--- a/kallithea/model/db.py
+++ b/kallithea/model/db.py
@@ -598,6 +598,8 @@ class User(Base, BaseDbModel):
 _res = UserApiKeys.query().filter_by(api_key=api_key, is_expired=False).first()
 if _res:
 res = _res.user
+ if res is None or not res.active or res.is_default_user:
+ return None
 return res
 
 @classmethod
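Review bot: The new `if dbuser is None:` branch logs a rejected API key at info where the removed code logged at warning; a presented key that matches no user is an authentication failure, and keeping it at warning (`log.warning('No db user found for authentication with API key ****%s from %s', api_key[-4:], ip_addr)`) keeps repeated failures from one address visible to log-based monitoring. The result of `AuthUser.make` is also no longer checked before being returned, so if it can still yield None or an anonymous user for a found dbuser, the caller now receives that directly instead of a 403; that is only safe if the caller treats a None or anonymous result as "not authenticated", which presumably is the fallback this change relies on together with the db.py hunk that filters inactive and default users earlier. Either way, a short comment on the new `return AuthUser.make(...)` line stating that a None result means "no API-key authentication" would make the intended contract explicit. The enclosing method starts and ends outside the hunk.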
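Review bot: The added guard `if res is None or not res.active or res.is_default_user: return None` changes the method's contract — a key bound to a disabled or default user now reads exactly like an unknown key — but nothing in the hunk records why; add `# Keys of disabled or default users must never authenticate; report them as not found.` above the check, and the method docstring (outside the hunk) should list the None cases. The check also relies on `res` already holding None, or a match from an earlier lookup, on the `if _res:` false path, which is above the hunk and should be confirmed. `get_by_api_key` begins before the hunk.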