diff --git a/BTCPayServer.Tests/GreenfieldAPITests.cs b/BTCPayServer.Tests/GreenfieldAPITests.cs
index d010ce765..c77be5fb1 100644
--- a/BTCPayServer.Tests/GreenfieldAPITests.cs
+++ b/BTCPayServer.Tests/GreenfieldAPITests.cs
@@ -656,6 +656,8 @@ namespace BTCPayServer.Tests
 await user.CreateClient(Permission.Create(Policies.CanViewStoreSettings, user.StoreId).ToString());
 Assert.Single(await scopedClient.GetStores());
+ var noauth = await user.CreateClient(Array.Empty());
+ await AssertAPIError("missing-permission", () => noauth.GetStores());
 // We strip the user's Owner right, so the key should not work
 using var ctx = tester.PayTester.GetService().CreateContext();
diff --git a/BTCPayServer/Security/GreenField/GreenFieldAuthorizationHandler.cs b/BTCPayServer/Security/GreenField/GreenFieldAuthorizationHandler.cs
index 80b2bf74f..efd724a71 100644
--- a/BTCPayServer/Security/GreenField/GreenFieldAuthorizationHandler.cs
+++ b/BTCPayServer/Security/GreenField/GreenFieldAuthorizationHandler.cs
@@ -94,6 +94,8 @@ namespace BTCPayServer.Security.GreenField
 if (context.HasPermission(Permission.Create(policy, store.Id), requiredUnscoped))
 permissionedStores.Add(store);
 }
+ if (!requiredUnscoped && permissionedStores.Count is 0)
+ break;
 _HttpContext.SetStoresData(permissionedStores.ToArray());
 success = true;
 }
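Review bot: The early `break` added in GreenFieldAuthorizationHandler.cs cannot tell a key that was denied on every store from a key whose user simply owns no stores yet: both leave `permissionedStores` empty and both now skip `SetStoresData` and `success = true`, so a correctly permissioned key on a store-less account presumably answers missing-permission where it previously returned an empty list. If that is intended, say so above the check, e.g. `// No store matched the requested policy: treat it as a missing permission rather than as an empty result`; if not, also require that the enumerated store collection was non-empty before breaking. The test added in GreenfieldAPITests.cs only covers a client created with no permissions at all, so it does not distinguish these two cases; a second assertion for a permissioned key on an account with no stores would pin the intended behaviour. The `foreach` that fills `permissionedStores` and the block the `break` leaves both begin outside the hunk, so where control lands after the `break` is inferred.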