diff --git a/app/controllers/service_provider_controller.rb b/app/controllers/service_provider_controller.rb
index cf96be3258f..cac91f6c920 100644
--- a/app/controllers/service_provider_controller.rb
+++ b/app/controllers/service_provider_controller.rb
@@ -25,6 +25,7 @@ def authorize
   end
 
   def authorization_token_valid?
+    return false if authorization_token.blank?
     ActiveSupport::SecurityUtils.secure_compare(
       authorization_token,
       IdentityConfig.store.dashboard_api_token,
diff --git a/spec/controllers/service_provider_controller_spec.rb b/spec/controllers/service_provider_controller_spec.rb
index 98933e8e359..742102d13f0 100644
--- a/spec/controllers/service_provider_controller_spec.rb
+++ b/spec/controllers/service_provider_controller_spec.rb
@@ -133,6 +133,16 @@
       end
     end
 
+  context 'missing token in header' do
+    let(:token) { nil }
+
+    it 'returns a 401' do
+      post :update
+
+      expect(response.status).to eq 401
+    end
+  end
+
   context 'feature off' do
     let(:use_feature) { false }
     before { post :update }
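Review bot: The new guard in `authorization_token_valid?` covers only the presented token, not the configured one: if `IdentityConfig.store.dashboard_api_token` can ever be unset in an environment, `secure_compare` would still receive `nil` as its second argument and would be expected to raise on the length check rather than return false, so the request would 500 instead of 401. A symmetric guard keeps the method a pure predicate under misconfiguration: `return false if authorization_token.blank? || IdentityConfig.store.dashboard_api_token.blank?`. Whether the config store can actually yield a blank value is not visible in this hunk, so treat that as defensive rather than a known failure. The added line would also benefit from a why-comment so the guard is not later "simplified" away, e.g. `# secure_compare does not accept nil; a missing/blank token must be an auth failure, not an error`. Note that `authorization_token` is defined outside the hunk and the `secure_compare` call continues past the hunk's last line.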
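Review bot: The new `'missing token in header'` context pins only the `nil` case, while the controller guard uses `blank?`, so an empty or whitespace-only token is also rejected and has no example; a later change from `blank?` to `nil?` or `present?` on the other side would pass this suite unnoticed. A sibling context with `let(:token) { '' }` asserting the same 401 covers it with no new setup, or the two values can share one example via `[nil, ''].each { |t| ... }`. The example also checks only the status; if `update` persists anything in the outer `describe`, an assertion that nothing was written on the 401 path would make the rejection meaningful, though what `update` does is not visible here. How `token` is placed into the request header is set up outside this hunk, so the `let` override presumably depends on that outer `before`.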