diff --git a/arkindex/images/tests/test_image_api.py b/arkindex/images/tests/test_image_api.py
index 01dcadbf6a262d31af47fb4af285ffad21f73c2c..96c9a865ae93f7c87b1a69fd226371b354d749e7 100644
--- a/arkindex/images/tests/test_image_api.py
+++ b/arkindex/images/tests/test_image_api.py
@@ -311,6 +311,16 @@ class TestImageApi(FixtureAPITestCase):
             }
         })
 
+    def test_create_iiif_image_requires_login(self):
+        response = self.client.post(
+            reverse('api:iiif-url-create'),
+            {'url': 'https://test-server.eu/images/image_path'}
+        )
+        self.assertEqual(response.status_code, status.HTTP_403_FORBIDDEN)
+        self.assertDictEqual(response.json(), {
+            'detail': 'Authentication credentials were not provided.'
+        })
+
     def test_create_iiif_image_scope(self):
         self.assertFalse(self.user.user_scopes.filter(scope=Scope.CreateIIIFImage).exists())
         self.client.force_login(self.user)
diff --git a/arkindex/project/permissions.py b/arkindex/project/permissions.py
index 473d9b83f04c5f72198656aebe9d5834db907a18..7c6301acbcbb7d699212cdcfaa155cda8580c9c6 100644
--- a/arkindex/project/permissions.py
+++ b/arkindex/project/permissions.py
@@ -39,8 +39,8 @@ class UserScopePermissionMixin(object):
 
     def has_permission(self, request, view):
         scopes = self.get_scopes(view, request.method)
-        # Skip this permission mixin if there are no defined scopes or if the user is an admin
-        if not scopes or (request.user.is_authenticated and request.user.is_admin):
+        # Skip this permission mixin if there are no defined scopes, if the user is not logged in or is an admin
+        if not scopes or not request.user.is_authenticated or request.user.is_admin:
             return super().has_permission(request, view)
 
         missing_scopes = set(scopes)