diff --git a/packages/core/admin/server/strategies/api-token.js b/packages/core/admin/server/strategies/api-token.js
index eae039632c..92d655529c 100644
--- a/packages/core/admin/server/strategies/api-token.js
+++ b/packages/core/admin/server/strategies/api-token.js
@@ -76,7 +76,12 @@ const verify = (auth, config) => {
     }
 
     // Custom
-    else if (apiToken.type === constants.API_TOKEN_TYPE.CUSTOM && ability) {
+    else if (apiToken.type === constants.API_TOKEN_TYPE.CUSTOM) {
+      if (!ability) {
+        console.log('missing ability');
+        throw new ForbiddenError();
+      }
+
       const scopes = castArray(config.scope);
       const isAllowed = scopes.every(scope => ability.can(scope));