diff --git a/app/controllers/repp/v1/base_controller.rb b/app/controllers/repp/v1/base_controller.rb
index 5ab910278..8e0414352 100644
--- a/app/controllers/repp/v1/base_controller.rb
+++ b/app/controllers/repp/v1/base_controller.rb
@@ -103,14 +103,15 @@ module Repp
 def authenticate_user
 username, password = Base64.urlsafe_decode64(basic_token).split(':')
- @current_user ||= ApiUser.find_by(username: username, plain_text_password: password,
- active: true)
+ @current_user ||= ApiUser.find_by(username: username, plain_text_password: password)
+ user_active = @current_user.active?
- return if @current_user
+ return if @current_user && user_active
 raise(ArgumentError)
 rescue NoMethodError, ArgumentError
- @response = { code: 2202, message: 'Invalid authorization information' }
+ @response = { code: 2202, message: 'Invalid authorization information',
+ data: { username: username, password: password, active: user_active } }
 render(json: @response, status: :unauthorized)
 end
diff --git a/app/controllers/repp/v1/registrar/auth_controller.rb b/app/controllers/repp/v1/registrar/auth_controller.rb
index ccc7d2e66..06dc9092f 100644
--- a/app/controllers/repp/v1/registrar/auth_controller.rb
+++ b/app/controllers/repp/v1/registrar/auth_controller.rb
@@ -9,6 +9,11 @@ module Repp
 desc 'check user auth info and return data'
 def index
 registrar = current_user.registrar
+ unless client_certs_ok
+ handle_non_epp_errors(current_user, 'Invalid certificate')
+ return
+ end
+
 render_success(data: auth_values_to_data(registrar: registrar))
 end
@@ -43,6 +48,11 @@ module Repp
 def auth_params
 params.require(:auth).permit(:uid, :new_user_id)
 end
+
+ def client_certs_ok
+ current_user.pki_ok?(request.env['HTTP_SSL_CLIENT_CERT'],
+ request.env['HTTP_SSL_CLIENT_S_DN_CN'], api: false)
+ end
 end
 end
 end
diff --git a/app/models/api_user.rb b/app/models/api_user.rb
index d357a2e75..f73fe616a 100644
--- a/app/models/api_user.rb
+++ b/app/models/api_user.rb
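Review bot: The new `data:` hash in the rescue branch echoes the submitted plaintext `password` back in the `:unauthorized` body; even though the client sent it, that puts credentials into response logs, proxy captures and any error-reporting middleware, and the `active` flag tells a caller whether a correct password hit a disabled account, which is an enumeration oracle. Drop the credentials from the response: `@response = { code: 2202, message: 'Invalid authorization information' }`, or at most `data: { username: username }` if a client genuinely needs it. Note also that `@current_user ||= ApiUser.find_by(...)` now memoizes an inactive user before the `active?` check fails, so anything that reads `current_user` after this method without the render halting the request would see a disabled account; `@current_user = nil unless user_active` before the `return` keeps the old contract. The hunk's trailing context lines appear to have been lost in the page's collapsing.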
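Review bot: The certificate check is added only inside `index`, so any other action in this controller (the `auth_params` hunk below permits `:uid` and `:new_user_id`, which presumably feed a user-switching action outside this diff) still runs on Basic auth alone. If the client certificate is meant to gate the registrar's auth data, a `before_action` is harder to forget than an inline guard: `before_action :verify_client_cert, only: %i[index]` with the `unless client_certs_ok` block moved into `verify_client_cert`, and the `only:` list widened to whatever else should require a certificate. The `handle_non_epp_errors` signature is not visible here, so confirm it renders and halts rather than only building a response.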
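Review bot: `request.env['HTTP_SSL_CLIENT_CERT']` and `HTTP_SSL_CLIENT_S_DN_CN` are ordinary request headers (`SSL-Client-Cert`, `SSL-Client-S-DN-CN`) as Rack presents them, so their trustworthiness depends entirely on the TLS-terminating proxy being the only route to the app and overwriting any client-supplied copies; nothing in this change enforces that. If the app is reachable without the proxy, `client_certs_ok` is satisfiable with two spoofed headers. Worth a comment on the method so the assumption is explicit: `# Populated by the TLS-terminating proxy from the verified client certificate; these headers must never be accepted from a direct request.`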
@@ -61,6 +61,8 @@ class ApiUser < User
 end
 def pki_ok?(crt, com, api: true)
+ p crt
+ p com
 return false if crt.blank? || com.blank?
 origin = api ? certificates.api : certificates.registrar
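Review bot: `p crt` and `p com` look like leftover debugging; they write the full client certificate PEM and its CN to stdout on every `pki_ok?` call, for both the API and registrar paths, which ends up in process logs. Remove them, or if a trace is wanted keep it at debug level without the certificate body: `Rails.logger.debug { "pki_ok? cn=#{com.inspect} api=#{api}" }`. The rest of `pki_ok?` continues outside the hunk.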