diff --git a/app/api/base.py b/app/api/base.py
index a792e8d3..80f57b2a 100644
--- a/app/api/base.py
+++ b/app/api/base.py
@@ -5,6 +5,7 @@ import arrow
 from flask import Blueprint, request, jsonify, g
 from flask_login import current_user
+from app import constants
 from app.db import Session
 from app.models import ApiKey
@@ -18,7 +19,9 @@ def authorize_request() -> Optional[Tuple[str, int]]:
 api_key = ApiKey.get_by(code=api_code)
 if not api_key:
- if current_user.is_authenticated:
+ if current_user.is_authenticated and request.headers.get(
+ constants.HEADER_ALLOW_API_COOKIES
+ ):
 g.user = current_user
 else:
 return jsonify(error="Wrong api key"), 401
diff --git a/app/constants.py b/app/constants.py
new file mode 100644
index 00000000..b20bc6af
--- /dev/null
+++ b/app/constants.py
@@ -0,0 +1 @@
+HEADER_ALLOW_API_COOKIES = "X-Sl-Allowcookies"
diff --git a/server.py b/server.py
index eda19939..04278dc5 100644
--- a/server.py
+++ b/server.py
@@ -29,7 +29,7 @@ from sentry_sdk.integrations.flask import FlaskIntegration
 from sentry_sdk.integrations.sqlalchemy import SqlalchemyIntegration
 from werkzeug.middleware.proxy_fix import ProxyFix
-from app import paddle_utils, config, paddle_callback
+from app import paddle_utils, config, paddle_callback, constants
 from app.admin_model import (
 SLAdminIndexView,
 UserAdmin,
@@ -430,6 +430,7 @@ def jinja2_filter(app):
 PAGE_LIMIT=PAGE_LIMIT,
 ZENDESK_ENABLED=ZENDESK_ENABLED,
 MAX_NB_EMAIL_FREE_PLAN=MAX_NB_EMAIL_FREE_PLAN,
+ HEADER_ALLOW_API_COOKIES=constants.HEADER_ALLOW_API_COOKIES,
 )
diff --git a/templates/dashboard/alias_contact_manager.html b/templates/dashboard/alias_contact_manager.html
index 886327a1..1fdc5188 100644
--- a/templates/dashboard/alias_contact_manager.html
+++ b/templates/dashboard/alias_contact_manager.html
@@ -264,6 +264,7 @@
 method: "POST",
 headers: {
 "Content-Type": "application/json",
+ '{{HEADER_ALLOW_API_COOKIES}}': 'allow'
 }
 });
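Review bot: The new condition in authorize_request only tests that the header is present — `request.headers.get(constants.HEADER_ALLOW_API_COOKIES)` is truthy for any non-empty value — while the templates send `'allow'`, and nothing in the hunk records why such a header is required at all. That is acceptable as a CSRF guard, because a cross-site form or simple cross-origin fetch cannot attach a custom header without a CORS preflight, but the intent should be written down next to the check, e.g. `# Accept the session cookie only when the page also sent our custom header; cross-site requests cannot add it, so cookie-authenticated API calls are protected against CSRF.`. The guard holds only as long as no CORS configuration allows this header for other origins; that setting is not visible in this diff and is worth confirming. When a logged-in user omits the header the response is still "Wrong api key", which is misleading for a caller that sent no key; a distinct message such as `return jsonify(error="Wrong api key or missing cookie-auth header"), 401` would help debugging. The body of authorize_request continues past the end of the hunk.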
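Review bot: The new app/constants.py defines `HEADER_ALLOW_API_COOKIES` without any comment, so a reader cannot tell that this header is the opt-in that lets the API accept the Flask-Login session cookie in place of an API key. Suggest a comment above the assignment: `# Custom request header that same-origin pages send so the API accepts cookie (session) authentication; its absence rejects cookie-authenticated API calls, which is the CSRF protection.`. The lookup in app/api/base.py goes through Werkzeug's case-insensitive request headers, so the mixed-case spelling of the value is cosmetic, but the browser-side templates interpolate the same constant and should keep using it rather than a retyped literal.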
diff --git a/templates/dashboard/support.html b/templates/dashboard/support.html
index 81b7a68a..d51f697e 100644
--- a/templates/dashboard/support.html
+++ b/templates/dashboard/support.html
@@ -80,7 +80,10 @@
 },
 methods: {
 generateRandomAlias: async function (event) {
- let result = await fetch('/api/alias/random/new', {method: 'POST'});
+ let result = await fetch('/api/alias/random/new', {method: 'POST',
+ headers: {
+ '{{HEADER_ALLOW_API_COOKIES}}': 'allow'
+ }});
 if (result.ok) {
 let data = await result.json();
 this.ticket_email = data.alias;
diff --git a/templates/footer.html b/templates/footer.html
index 180b6c75..0aa7c338 100644
--- a/templates/footer.html
+++ b/templates/footer.html
@@ -216,6 +216,7 @@
 method: "POST",
 headers: {
 "Content-Type": "application/json",
+ '{{HEADER_ALLOW_API_COOKIES}}': 'allow'
 }
 });
@@ -232,6 +233,7 @@
 method: "GET",
 headers: {
 "Content-Type": "application/json",
+ '{{HEADER_ALLOW_API_COOKIES}}': 'allow'
 }
 });
 if (res.ok) {
@@ -249,6 +251,7 @@
 method: "GET",
 headers: {
 "Content-Type": "application/json",
+ '{{HEADER_ALLOW_API_COOKIES}}': 'allow'
 }
 });
 if (res.ok) {
diff --git a/templates/phone/phone_reservation.html b/templates/phone/phone_reservation.html
index c1bb8b86..cf1ec3e6 100644
--- a/templates/phone/phone_reservation.html
+++ b/templates/phone/phone_reservation.html
@@ -87,6 +87,7 @@
 method: "GET",
 headers: {
 "Content-Type": "application/json",
+ '{{HEADER_ALLOW_API_COOKIES}}': 'allow'
 }
 });
 if (res.ok) {