diff --git a/app/controllers/api/base_controller.rb b/app/controllers/api/base_controller.rb
index 0187315d89..8a1b3e4b02 100644
--- a/app/controllers/api/base_controller.rb
+++ b/app/controllers/api/base_controller.rb
@@ -9,6 +9,7 @@ module Api
 include ActionController::UrlFor
 include Rails.application.routes.url_helpers
 use_renderers :json
+ check_authorization
 def respond_with_conflict(json_hash)
 render json: json_hash, status: :conflict
@@ -21,5 +22,13 @@ module Api
 @current_api_user = try_spree_current_user
 super
 end
+
+ # Allows API access without authentication, but only for OFN controllers which inherit
+ # from Api::BaseController. @current_api_user will now initialize an empty Spree::User
+ # unless one is present. We now also apply devise's `check_authorization`. See here for
+ # details: https://github.com/CanCanCommunity/cancancan/wiki/Ensure-Authorization
+ def requires_authentication?
+ false
+ end
 end
 end
diff --git a/app/controllers/api/customers_controller.rb b/app/controllers/api/customers_controller.rb
index 32b74b0e9d..2d72513982 100644
--- a/app/controllers/api/customers_controller.rb
+++ b/app/controllers/api/customers_controller.rb
@@ -1,5 +1,7 @@
 module Api
 class CustomersController < BaseController
+ skip_authorization_check only: :index
+
 def index
 @customers = current_api_user.customers
 render json: @customers, each_serializer: CustomerSerializer
diff --git a/app/controllers/api/enterprises_controller.rb b/app/controllers/api/enterprises_controller.rb
index 72ea3d9655..092edd08b7 100644
--- a/app/controllers/api/enterprises_controller.rb
+++ b/app/controllers/api/enterprises_controller.rb
@@ -5,6 +5,7 @@ module Api
 before_filter :override_sells, only: [:create, :update]
 before_filter :override_visible, only: [:create, :update]
 respond_to :json
+ skip_authorization_check only: [:shopfront, :managed]
 def managed
 @enterprises = Enterprise.ransack(params[:q]).result.managed_by(current_api_user)
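Review bot: The added `check_authorization` line is the only thing that keeps the new anonymous access fail-closed — once an action finishes without `authorize!` or `load_and_authorize_resource` it raises `CanCan::AuthorizationNotPerformed` — yet it carries no comment, and a later reader may strip it as an unrelated macro. I would annotate it: `# Fail closed: any action that completes without calling authorize! raises` / `# CanCan::AuthorizationNotPerformed; opt out per action with skip_authorization_check.` Whether this controller already has a `rescue_from` that turns that error (and `CanCan::AccessDenied`) into a JSON 401/403 rather than a 500 is not visible in the hunk and is worth confirming now that unauthenticated callers can reach every subclass.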
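Review bot: The comment above `requires_authentication?` attributes `check_authorization` to Devise, but the macro and the linked wiki page are CanCanCan's (Devise only handles authentication), so the sentence should read `# unless one is present. We now also apply CanCanCan's `check_authorization`. See here for`. The comment also asserts that `@current_api_user` is initialised to an empty `Spree::User`, which nothing in this hunk establishes — the visible `current_api_user` only assigns `try_spree_current_user` and calls `super` — so presumably that fallback lives in Spree's base controller once this override returns false; say so and mark it as something to confirm, because every exempted action below now relies on an anonymous user producing empty scopes. Finally, returning `false` here disables Spree's authentication requirement for every subclass of `Api::BaseController`, not just the exempted actions, which is why the `check_authorization` guard must stay in place.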
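Review bot: `skip_authorization_check only: :index` removes the fail-closed guard from the one action here that anonymous callers can now reach, so `current_api_user.customers` becomes the sole thing separating one user's customers from another's. That is sound only if `current_api_user` is never `nil` for an unauthenticated request — the spec in this commit stubs `spree_current_user` to `nil`, and `nil.customers` would raise — which this hunk cannot show. Record the invariant next to the skip so it survives later refactors: `# index needs no authorize!: the result is scoped to current_api_user's own customers (empty for an anonymous user).`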
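Review bot: Exempting `managed` from `check_authorization` leaves `managed_by(current_api_user)` as its only access control, and what that scope returns for an anonymous `Spree::User` is not visible here; the added line should state the expectation, e.g. `# shopfront serves public data; managed is scoped by managed_by(current_api_user) and must yield nothing for anonymous callers`. `Enterprise.ransack(params[:q])` is also now reachable without credentials: that is harmless only while the trailing scope is empty for strangers and `Enterprise` whitelists `ransackable_attributes`/`ransackable_associations` (not shown), so confirm both. The `shopfront` action and the rest of `managed` lie outside the hunk.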
diff --git a/spec/controllers/api/enterprises_controller_spec.rb b/spec/controllers/api/enterprises_controller_spec.rb
index df8ba4fc38..d2b27c1254 100644
--- a/spec/controllers/api/enterprises_controller_spec.rb
+++ b/spec/controllers/api/enterprises_controller_spec.rb
@@ -82,7 +82,7 @@ module Api
 end
 end
- describe "fetching shopfronts data" do
+ context "as a non-authenticated user" do
 let!(:hub) { create(:distributor_enterprise, with_payment_and_shipping: true, name: 'Shopfront Test Hub') }
@@ -92,15 +92,17 @@ module Api
 let!(:relationship) { create(:enterprise_relationship, parent: hub, child: producer) }
 before do
- allow(controller).to receive(:spree_current_user) { Spree::User.anonymous! }
+ allow(controller).to receive(:spree_current_user) { nil }
 end
- it "returns data for an enterprise" do
- spree_get :shopfront, id: producer.id, format: :json
+ describe "fetching shopfronts data" do
+ it "returns data for an enterprise" do
+ spree_get :shopfront, id: producer.id, format: :json
- expect(json_response['name']).to eq 'Shopfront Test Producer'
- expect(json_response['hubs'][0]['name']).to eq 'Shopfront Test Hub'
- expect(json_response['supplied_taxons'][0]['name']).to eq 'Fruit'
+ expect(json_response['name']).to eq 'Shopfront Test Producer'
+ expect(json_response['hubs'][0]['name']).to eq 'Shopfront Test Hub'
+ expect(json_response['supplied_taxons'][0]['name']).to eq 'Fruit'
+ end
 end
 end
 end
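Review bot: The new `context "as a non-authenticated user"` only proves that `shopfront` still answers; nothing asserts the negative side of this commit — that `managed`, which the same commit also exempts from `check_authorization`, returns nothing to an anonymous caller, or that an action lacking `authorize!` now fails. An example beside the shopfront one would pin it, e.g. `it "returns no managed enterprises" do spree_get :managed, format: :json; expect(json_response).to eq([]); end`, adjusting the expected empty shape to whatever the serializer emits (not visible here). The enclosing `describe` opens before this hunk.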