diff --git a/htsget_server/authz.py b/htsget_server/authz.py
index ea1bcba7..dbb3ef81 100644
--- a/htsget_server/authz.py
+++ b/htsget_server/authz.py
@@ -29,7 +29,7 @@ def has_full_authz(request):
     """
     if is_testing(request):
         return True
-    if request_is_from_ingest(request) or request_is_from_query(request):
+    if request_is_from_ingest(request) or request_is_from_query(request) or request_is_from_candig_api(request):
         return True
     if "Authorization" in request.headers:
         try:
@@ -57,3 +57,8 @@ def request_is_from_ingest(request):
     if "X-Service-Token" in request.headers:
         return authx.auth.verify_service_token(service="candig-ingest", token=request.headers["X-Service-Token"])
     return False
+
+def request_is_from_candig_api(request):
+    if "X-Service-Token" in request.headers:
+        return authx.auth.verify_service_token(service="candig-api", token=request.headers["X-Service-Token"])
+    return False