diff --git a/app/Http/Middleware/ApiAuth.php b/app/Http/Middleware/ApiAuth.php
index 8e411b28..64ad52d2 100644
--- a/app/Http/Middleware/ApiAuth.php
+++ b/app/Http/Middleware/ApiAuth.php
@@ -5,6 +5,7 @@ namespace App\Http\Middleware;
+use App\Models\Enums\UserState;
 use Auth;
 use Log;
 use Closure;
@@ -36,6 +37,10 @@ class ApiAuth
             return $this->unauthorized('User not found with key "'.$api_key.'"');
         }
+        if($user->state !== UserState::ACTIVE) {
+            return $this->unauthorized('User is not ACTIVE, please contact an administrator');
+        }
+
         // Set the user to the request
         Auth::setUser($user);
         $request->merge(['user' => $user]);
diff --git a/tests/ApiTest.php b/tests/ApiTest.php
index bd4e0bc3..576c2712 100644
--- a/tests/ApiTest.php
+++ b/tests/ApiTest.php
@@ -35,9 +35,8 @@ class ApiTest extends TestCase
             ->assertStatus(401);
         // Test upper/lower case of Authorization header, etc
-        $this->withHeaders($this->apiHeaders())->get($uri)
-            ->assertStatus(200)
-            ->assertJson(['id' => $pirep->id], true);
+        $response = $this->withHeaders($this->apiHeaders())->get($uri);
+        $response->assertStatus(200)->assertJson(['id' => $pirep->id], true);
         $this->withHeaders(['x-api-key' => $user->api_key])->get($uri)
             ->assertStatus(200)
@@ -52,6 +51,20 @@ class ApiTest extends TestCase
             ->assertJson(['id' => $pirep->id], true);
     }
+    /**
+     *
+     */
+    public function testApiDeniedOnInactiveUser()
+    {
+        $user = factory(User::class)->create([
+            'state' => UserState::PENDING
+        ]);
+
+        $uri = '/api/user';
+        $this->withHeaders(['x-api-key' => $user->api_key])->get($uri)
+            ->assertStatus(401);
+    }
+
     /**
      * Make sure the airport data is returned
      */
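Review bot: The new `!==` comparison against `UserState::ACTIVE` only rejects the right users if `$user->state` comes back with the same scalar type as the constant; unless the `state` attribute is cast to int on the model, a driver that returns the column as a string would make this branch fire for every user, so confirm the cast or compare an explicitly normalised value. Since `Log` is already imported in this file, a `Log::info()` on this branch would make repeated use of a suspended user's key visible to operators rather than indistinguishable from any other 401. Per PSR-12 the condition should read `if ($user->state !== UserState::ACTIVE) {`. The enclosing method starts and ends outside the hunk.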
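Review bot: The docblock on the new `testApiDeniedOnInactiveUser` is empty; it should state the contract being pinned, e.g. `/** A valid API key must still be rejected with 401 when the user's state is anything other than ACTIVE */`. The test only exercises `UserState::PENDING`; a data provider over every non-ACTIVE case would guard the middleware check against a later state being added. `User` and `UserState` are referenced without a `use` line added to tests/ApiTest.php in this diff, so they presumably already exist at the top of the file — worth confirming, since the middleware hunk did need the import.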