diff --git a/ietf/ietfauth/tests.py b/ietf/ietfauth/tests.py
index 647384fa0..ec23b69a6 100644
--- a/ietf/ietfauth/tests.py
+++ b/ietf/ietfauth/tests.py
@@ -656,7 +656,7 @@ class IetfAuthTests(TestCase):
 unauthorized_url = urlreverse('ietf.api.views.author_tools')
 invalidated_apikey = PersonalApiKey.objects.create(
 endpoint=unauthorized_url, person=person, valid=False)
- r = self.client.post(unauthorized_url, {'apikey': invalidated_apikey})
+ r = self.client.post(unauthorized_url, {'apikey': invalidated_apikey.hash()})
 self.assertContains(r, 'Invalid apikey', status_code=403)
 # too long since regular login
diff --git a/ietf/person/models.py b/ietf/person/models.py
index 81ac423fc..47eaeb659 100644
--- a/ietf/person/models.py
+++ b/ietf/person/models.py
@@ -394,6 +394,8 @@ class PersonalApiKey(models.Model):
 if not k.exists():
 return None
 k = k.first()
+ if not k.valid:
+ return None
 check = hashlib.sha256()
 for v in (str(id), str(k.person.id), k.created.isoformat(), k.endpoint, str(k.valid), salt, settings.SECRET_KEY):
 v = smart_bytes(v)
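Review bot: The visible lines have no positive control next to the `invalidated_apikey.hash()` assertion, so the 403 alone does not show that `valid=False` is what caused the rejection. The earlier form of this line posted the model object rather than its hash and evidently satisfied the same 'Invalid apikey' assertion. Consider creating a second key with the same `endpoint` and `person` but `valid=True`, and asserting that posting its `hash()` does not return 'Invalid apikey'. The test method starts and ends outside the hunk, so a check of this kind may already exist elsewhere in it.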
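Review bot: The new `if not k.valid: return None` guard has no comment explaining why it is needed, and a later reader may assume the `str(k.valid)` term in the digest loop below already covers disabled keys. That term is taken from the stored row, so a hash generated while the row has `valid=False` (as the updated test does with `invalidated_apikey.hash()`) would presumably still verify without the guard. I would add `# Reject disabled keys explicitly: the digest below uses the row's current 'valid' value, so a hash issued for a disabled key would otherwise match.` above the check. Disabled and unknown keys both return None on this path, so if attempted use of a disabled key should be visible to operators, this branch is the place for a log line. The enclosing method starts and ends outside the hunk.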