diff --git a/app/auth/views/api_to_cookie.py b/app/auth/views/api_to_cookie.py
index abd26170..eccd4dac 100644
--- a/app/auth/views/api_to_cookie.py
+++ b/app/auth/views/api_to_cookie.py
@@ -1,6 +1,6 @@
 import arrow
 from flask import redirect, url_for, request, flash
-from flask_login import login_user
+from flask_login import current_user, login_user
 from app.auth.base import auth_bp
 from app.models import ApiToCookieToken
@@ -14,7 +14,11 @@ def api_to_cookie():
 flash("Missing token", "error")
 return redirect(url_for("auth.login"))
- token = ApiToCookieToken.get_by(code=code)
+ if current_user and current_user.is_authenticated:
+ token = ApiToCookieToken.get_by(code=code, user_id=current_user.id)
+ else:
+ token = ApiToCookieToken.get_by(code=code)
+
 if not token or token.created_at < arrow.now().shift(minutes=-5):
 flash("Missing token", "error")
 return redirect(url_for("auth.login"))
@@ -26,5 +30,5 @@ def api_to_cookie():
 next_url = sanitize_next_url(request.args.get("next"))
 if next_url:
 return redirect(next_url)
- else:
- return redirect(url_for("dashboard.index"))
+
+ return redirect(url_for("dashboard.index"))
diff --git a/tests/auth/test_api_to_cookie.py b/tests/auth/test_api_to_cookie.py
index 8ff12c4c..b9f6e23e 100644
--- a/tests/auth/test_api_to_cookie.py
+++ b/tests/auth/test_api_to_cookie.py
@@ -1,7 +1,7 @@
 from flask import url_for
 from app.models import ApiToCookieToken, ApiKey
-from tests.utils import create_new_user
+from tests.utils import create_new_user, login
 def test_get_cookie(flask_client):
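Review bot: When a logged-in user presents a token that belongs to a different account, the user-scoped lookup returns nothing and the request drops into the same `Missing token` branch as a nonexistent code, so a cross-account token attempt leaves no trace distinguishable from a typo. Keeping the uniform user-facing message is reasonable, but the mismatch is worth a server-side warning: doing a single `token = ApiToCookieToken.get_by(code=code)` and then, when `current_user.is_authenticated and token and token.user_id != current_user.id`, logging the event with the module's logger before setting `token = None` keeps one query and records the attempt. The `current_user and` prefix in the added condition is presumably redundant, since Flask-Login's `current_user` proxy resolves to an anonymous-user object rather than `None`, so `if current_user.is_authenticated:` reads cleaner. `api_to_cookie` starts before this hunk and continues after it.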
@@ -27,3 +27,30 @@ def test_get_cookie(flask_client):
 assert ApiToCookieToken.get(token_id) is None
 assert r.headers.getlist("Set-Cookie") is not None
+
+
+def test_get_cookie_does_not_allow_to_change_user(flask_client):
+ user = create_new_user()
+ api_key = ApiKey.create(
+ user_id=user.id,
+ commit=True,
+ )
+ token = ApiToCookieToken.create(
+ user_id=user.id,
+ api_key_id=api_key.id,
+ commit=True,
+ )
+ token_code = token.code
+ other_user = create_new_user()
+ login(flask_client, other_user)
+ r = flask_client.get(
+ url_for(
+ "auth.api_to_cookie", token=token_code, next=url_for("dashboard.setting")
+ ),
+ follow_redirects=False,
+ )
+ assert r.status_code == 302
+ assert r.location.endswith("/auth/login")
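Review bot: `test_get_cookie_does_not_allow_to_change_user` only checks the redirect to `/auth/login`, so it would still pass if the handler had logged `other_user` out or switched the session to `user` before redirecting, and it says nothing about whether the rejected token was consumed. Capture `token_id = token.id` before the request, as `test_get_cookie` does, and assert the token's post-request state explicitly — `ApiToCookieToken.get(token_id) is not None` if a mismatch should leave it usable, or `is None` if the attempt should burn it — and add a check that the client is still authenticated as `other_user`, using whatever helper the other tests use for that (none is visible here). A one-line docstring such as `"""A logged-in user must not be able to redeem a token issued to another account."""` would make the intent clear. `test_get_cookie` begins before this hunk.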