diff --git a/api/admin/canned/index.php b/api/admin/canned/index.php
index 39312959..210f7a97 100644
--- a/api/admin/canned/index.php
+++ b/api/admin/canned/index.php
@@ -5,7 +5,9 @@ define('API_PATH', '../../');
 require_once(HESK_PATH . 'hesk_settings.inc.php');
 require_once(HESK_PATH . 'inc/common.inc.php');
 require_once(API_PATH . 'core/output.php');
+require_once(API_PATH . 'core/');
 require_once(API_PATH . 'dao/canned_dao.php');
+require_once(API_PATH . 'businesslogic/security_retriever.php');
 hesk_load_api_database_functions();
 hesk_dbConnect();
@@ -13,6 +15,21 @@ hesk_dbConnect();
 // Routing
 $request_method = $_SERVER['REQUEST_METHOD'];
 if ($request_method == 'GET') {
+    $headers = getallheaders();
+    $token = NULL;
+    if (isset($headers['X-Auth-Token'])) {
+        $token = $headers['X-Auth-Token'];
+    }
+
+    try {
+        get_user_for_token($token, $hesk_settings);
+    } catch (AccessException $e) {
+        if ($e->getCode() == 422) {
+            print_error($e->getMessage(), $e->getMessage());
+        }
+        return http_response_code($e->getCode());
+    }
+
     if (isset($_GET['id'])) {
         $results = get_canned_response($hesk_settings, $_GET['id']);
     } else {
@@ -22,7 +39,7 @@ if ($request_method == 'GET') {
     if ($results == NULL) {
         return http_response_code(404);
     }
-    output($results);
+    return output($results);
 }
 return http_response_code(405);
\ No newline at end of file
diff --git a/api/businesslogic/security_retriever.php b/api/businesslogic/security_retriever.php
index ef2fbfe9..742d97c7 100644
--- a/api/businesslogic/security_retriever.php
+++ b/api/businesslogic/security_retriever.php
@@ -2,6 +2,7 @@ require_once(API_PATH . 'dao/security_dao.php');
 function get_user_for_token($token, $hesk_settings) {
+    $hash = hash('sha512', $token);
     return get_user_for_token_hash($hash, $hesk_settings);
diff --git a/api/core/headers.php b/api/core/headers.php
new file mode 100644
index 00000000..892fafb0
--- /dev/null
+++ b/api/core/headers.php
@@ -0,0 +1,9 @@
+
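Review bot: `require_once(API_PATH . 'core/');` names a directory rather than a file, so this include cannot load any code and will fail or warn on every request to the endpoint, depending on the PHP version. The intended target is presumably the `api/core/headers.php` that this same commit creates, in which case the line should read `require_once(API_PATH . 'core/headers.php');`. Whichever file was meant, the endpoint should not ship with an include that can never resolve.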
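Review bot: A request with no `X-Auth-Token` header still reaches `get_user_for_token(NULL, $hesk_settings)`, which (per the security_retriever hunk in this same diff) hashes the null as an empty string and queries the database for it; the missing credential should be rejected before any lookup with `if ($token === NULL || $token === '') { return http_response_code(401); }`. The header match is also case-sensitive: `getallheaders()` returns names as the client sent them, so a client sending `x-auth-token` is treated as unauthenticated, and the function itself is only provided by some SAPIs — reading `$_SERVER['HTTP_X_AUTH_TOKEN']` avoids both problems. The user record returned by `get_user_for_token` is discarded, so any valid token can read every canned response; if these are meant to be restricted per user, the returned record's permissions need to be checked here before `get_canned_response` is called. The enclosing `if ($request_method == 'GET')` block continues past this hunk.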
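Review bot: `hash('sha512', $token)` runs before `$token` is validated, so a NULL or empty token becomes the SHA-512 of the empty string and is looked up like any other credential (passing NULL to `hash()` is also deprecated from PHP 8.1). Guard first with `if (!is_string($token) || $token === '') { throw new AccessException(/* message and code the caller maps to 401 */); }`, using whatever constructor arguments that class takes — the caller in index.php already catches AccessException and turns its code into the HTTP status. An unsalted fast hash is only adequate here if tokens are long random values generated by the server; that assumption should be stated, e.g. `// Tokens are server-generated high-entropy secrets, so an unsalted SHA-512 is enough to protect the stored form.` The body of `get_user_for_token` continues past this hunk.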