diff --git a/api/admin/canned/index.php b/api/admin/canned/index.php
index 210f7a97..47c95fc6 100644
--- a/api/admin/canned/index.php
+++ b/api/admin/canned/index.php
@@ -5,7 +5,7 @@ define('API_PATH', '../../');
 require_once(HESK_PATH . 'hesk_settings.inc.php');
 require_once(HESK_PATH . 'inc/common.inc.php');
 require_once(API_PATH . 'core/output.php');
-require_once(API_PATH . 'core/');
+require_once(API_PATH . 'core/headers.php');
 require_once(API_PATH . 'dao/canned_dao.php');
 require_once(API_PATH . 'businesslogic/security_retriever.php');
@@ -15,11 +15,7 @@ hesk_dbConnect();
 // Routing
 $request_method = $_SERVER['REQUEST_METHOD'];
 if ($request_method == 'GET') {
- $headers = getallheaders();
- $token = NULL;
- if (isset($headers['X-Auth-Token'])) {
- $token = $headers['X-Auth-Token'];
- }
+ $token = get_header('X-Auth-Token');
 try {
 get_user_for_token($token, $hesk_settings);
diff --git a/api/admin/ticket-template/index.php b/api/admin/ticket-template/index.php
index d7212970..83c3af5c 100644
--- a/api/admin/ticket-template/index.php
+++ b/api/admin/ticket-template/index.php
@@ -4,8 +4,10 @@ define('HESK_PATH', '../../../');
 define('API_PATH', '../../');
 require_once(HESK_PATH . 'hesk_settings.inc.php');
 require_once(HESK_PATH . 'inc/common.inc.php');
+require_once(API_PATH . 'core/headers.php');
 require_once(API_PATH . 'core/output.php');
 require_once(API_PATH . 'dao/ticket_template_dao.php');
+require_once(API_PATH . 'businesslogic/security_retriever.php');
 hesk_load_api_database_functions();
 hesk_dbConnect();
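Review bot: The new `get_header('X-Auth-Token')` call in the GET branch of api/admin/canned/index.php hides two behaviours the removed lines made explicit: the lookup was an exact-case array key match, and a missing header left `$token` as `NULL`. `get_header()` comes from core/headers.php, which this diff does not show, so confirm that it matches header names case-insensitively (HTTP header names are case-insensitive and some clients and proxies send them lower-cased) and that it still returns null, not an empty string or false, when the header is absent. A one-line comment at the call would record that contract, e.g. `// get_header() returns null when the header is missing; get_user_for_token() is expected to reject null/empty tokens`. The try block continues past the end of this hunk.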
@@ -14,6 +16,17 @@ hesk_dbConnect();
 $request_method = $_SERVER['REQUEST_METHOD'];
 if ($request_method == 'GET') {
+ $token = get_header('X-Auth-Token');
+
+ try {
+ get_user_for_token($token, $hesk_settings);
+ } catch (AccessException $e) {
+ if ($e->getCode() == 422) {
+ print_error($e->getMessage(), $e->getMessage());
+ }
+ return http_response_code($e->getCode());
+ }
+
 if (isset($_GET['id'])) {
 $results = get_ticket_template($hesk_settings, $_GET['id']);
 } else {
diff --git a/api/admin/ticket/index.php b/api/admin/ticket/index.php
index c153457b..033cede5 100644
--- a/api/admin/ticket/index.php
+++ b/api/admin/ticket/index.php
@@ -4,8 +4,10 @@ define('HESK_PATH', '../../../');
 define('API_PATH', '../../');
 require_once(HESK_PATH . 'hesk_settings.inc.php');
 require_once(HESK_PATH . 'inc/common.inc.php');
+require_once(API_PATH . 'core/headers.php');
 require_once(API_PATH . 'core/output.php');
 require_once(API_PATH . 'dao/ticket_dao.php');
+require_once(API_PATH . 'businesslogic/security_retriever.php');
 hesk_load_api_database_functions();
 hesk_dbConnect();
@@ -13,6 +15,17 @@ hesk_dbConnect();
 // Routing
 $request_method = $_SERVER['REQUEST_METHOD'];
 if ($request_method == 'GET') {
+ $token = get_header('X-Auth-Token');
+
+ try {
+ get_user_for_token($token, $hesk_settings);
+ } catch (AccessException $e) {
+ if ($e->getCode() == 422) {
+ print_error($e->getMessage(), $e->getMessage());
+ }
+ return http_response_code($e->getCode());
+ }
+
 if (isset($_GET['id'])) {
 $results = get_ticket_template($hesk_settings, $_GET['id']);
 } elseif (isset($_GET['trackid'])) {
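Review bot: In the catch block added to api/admin/ticket-template/index.php, `print_error(...)` runs before `http_response_code($e->getCode())`, so in the 422 case the body is written before the status is set. Unless output buffering is on or print_error() sets the status itself (core/output.php is not shown), the client can receive the error body with a 200. Setting the status first avoids that: `http_response_code($e->getCode());`, then the `print_error(...)` call, then a bare `return;`. The same block is pasted into api/admin/ticket/index.php in this commit and already sits in canned/index.php; a single helper next to get_user_for_token() would keep a later endpoint from shipping without the check. The check is also placed only inside the `GET` branch, and the rest of the routing lies outside the hunk, so any other method these files handle should be confirmed to be covered.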
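Review bot: The check added to api/admin/ticket/index.php authenticates the token but discards whatever `get_user_for_token()` resolves, and `get_ticket_for_id($hesk_settings, $_GET['id'])` on the context line below receives no user at all. If get_user_for_token() does not enforce permissions itself (its body is not in this diff), any holder of a valid token can read any ticket by `id` or `trackid`, whatever per-user restrictions the helpdesk applies elsewhere. Keeping the result, `$user = get_user_for_token($token, $hesk_settings);`, and passing it to the ticket lookups would let the DAO filter by the caller's permissions. The if/elseif chain continues outside the hunk.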