diff --git a/src/PublicApi/AuthEndpoints/Authenticate.cs b/src/PublicApi/AuthEndpoints/Authenticate.cs
index d542f60..f2dfcb8 100644
--- a/src/PublicApi/AuthEndpoints/Authenticate.cs
+++ b/src/PublicApi/AuthEndpoints/Authenticate.cs
@@ -42,7 +42,11 @@ namespace Microsoft.eShopWeb.PublicApi.AuthEndpoints
 response.IsNotAllowed = result.IsNotAllowed;
 response.RequiresTwoFactor = result.RequiresTwoFactor;
 response.Username = request.Username;
- response.Token = await _tokenClaimsService.GetTokenAsync(request.Username);
+
+ if (result.Succeeded)
+ {
+ response.Token = await _tokenClaimsService.GetTokenAsync(request.Username);
+ }
 return response;
 }
diff --git a/tests/FunctionalTests/PublicApi/AuthEndpoints/AuthenticateEndpoint.cs b/tests/FunctionalTests/PublicApi/AuthEndpoints/AuthenticateEndpoint.cs
index 4232e9c..19c0de4 100644
--- a/tests/FunctionalTests/PublicApi/AuthEndpoints/AuthenticateEndpoint.cs
+++ b/tests/FunctionalTests/PublicApi/AuthEndpoints/AuthenticateEndpoint.cs
@@ -24,6 +24,7 @@ namespace Microsoft.eShopWeb.FunctionalTests.Web.Controllers
 [Theory]
 [InlineData("demouser@microsoft.com", AuthorizationConstants.DEFAULT_PASSWORD, true)]
 [InlineData("demouser@microsoft.com", "badpassword", false)]
+ [InlineData("baduser@microsoft.com", "badpassword", false)]
 public async Task ReturnsExpectedResultGivenCredentials(string testUsername, string testPassword, bool expectedResult)
 {
 var request = new AuthenticateRequest()
@@ -38,6 +39,6 @@ namespace Microsoft.eShopWeb.FunctionalTests.Web.Controllers
 var model = stringResponse.FromJson();
 Assert.Equal(expectedResult, model.Result);
- }
+ }
 }
 }
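Review bot: In Authenticate.cs the new `if (result.Succeeded)` is, as far as this hunk shows, the only gate in front of `_tokenClaimsService.GetTokenAsync(request.Username)`, which is handed nothing but the caller-supplied username. Nothing marks the guard as security-critical. I would put a comment directly above it so a later refactor does not hoist the call back out: `// Security: issue a token only after a successful sign-in; every other result must leave Token unset.` Separately, the context lines above still copy `IsNotAllowed` and `RequiresTwoFactor` into the response for failed attempts. It is worth confirming that an unauthenticated caller cannot use those flags to tell account states apart. The method body starts outside the hunk, so how `result` is produced is not visible here.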
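Review bot: The new `baduser@microsoft.com` case in AuthenticateEndpoint.cs does not pin the behaviour this commit fixes, because the only assertion (in the last hunk) is `Assert.Equal(expectedResult, model.Result);`. That assertion would presumably also have passed before the guard was added, since `Result` was already false for bad credentials while a token was still returned. Assuming the deserialized model exposes the `Token` property set in Authenticate.cs, add `Assert.Equal(expectedResult, !string.IsNullOrEmpty(model.Token));` after the existing assertion. The test would then fail if a token is ever issued for a failed sign-in. The test method body runs across both hunks, and its middle part is not visible.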