diff --git a/cookbook/tests/api/test_api_share_link.py b/cookbook/tests/api/test_api_share_link.py
new file mode 100644
index 000000000..3fd2982f2
--- /dev/null
+++ b/cookbook/tests/api/test_api_share_link.py
@@ -0,0 +1,14 @@
+from django.urls import reverse
+from django_scopes import scopes_disabled
+
+
+def test_get_share_link(recipe_1_s1, u1_s1, u1_s2, g1_s1, a_u, space_1):
+    assert u1_s1.get(reverse('api_share_link', args=[recipe_1_s1.pk])).status_code == 200
+    assert u1_s2.get(reverse('api_share_link', args=[recipe_1_s1.pk])).status_code == 404
+    assert g1_s1.get(reverse('api_share_link', args=[recipe_1_s1.pk])).status_code == 403
+    assert a_u.get(reverse('api_share_link', args=[recipe_1_s1.pk])).status_code == 403
+
+    with scopes_disabled():
+        space_1.allow_sharing = False
+        space_1.save()
+        assert u1_s1.get(reverse('api_share_link', args=[recipe_1_s1.pk])).status_code == 403
diff --git a/cookbook/views/api.py b/cookbook/views/api.py
index 10fb85590..1be0f0d95 100644
--- a/cookbook/views/api.py
+++ b/cookbook/views/api.py
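Review bot: The assertions for `g1_s1`, `a_u` and the sharing-disabled case all check only `status_code == 403`, so they cannot tell the view's two 403 branches apart (`not_authenticated` versus `sharing_disabled` in the api.py hunk below), and a regression that routes an anonymous request into the wrong branch would still pass. Pin the body as well, e.g. `assert a_u.get(reverse('api_share_link', args=[recipe_1_s1.pk])).json()['error'] == 'not_authenticated'` and the analogous `== 'sharing_disabled'` check after `space_1.allow_sharing = False`. A one-line docstring such as `"""Share links require an authenticated member of the space with sharing enabled on it."""` would state what the 200/404/403 matrix is exercising.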
@@ -1382,13 +1382,16 @@ def sync_all(request):
 def share_link(request, pk):
-    if request.space.allow_sharing and has_group_permission(request.user, ('user',)):
-        recipe = get_object_or_404(Recipe, pk=pk, space=request.space)
-        link = ShareLink.objects.create(recipe=recipe, created_by=request.user, space=request.space)
-        return JsonResponse({'pk': pk, 'share': link.uuid,
-                             'link': request.build_absolute_uri(reverse('view_recipe', args=[pk, link.uuid]))})
-    else:
-        return JsonResponse({'error': 'sharing_disabled'}, status=403)
+    if request.user.is_authenticated:
+        if request.space.allow_sharing and has_group_permission(request.user, ('user',)):
+            recipe = get_object_or_404(Recipe, pk=pk, space=request.space)
+            link = ShareLink.objects.create(recipe=recipe, created_by=request.user, space=request.space)
+            return JsonResponse({'pk': pk, 'share': link.uuid,
+                                 'link': request.build_absolute_uri(reverse('view_recipe', args=[pk, link.uuid]))})
+        else:
+            return JsonResponse({'error': 'sharing_disabled'}, status=403)
+
+    return JsonResponse({'error': 'not_authenticated'}, status=403)
 @group_required('user')