diff --git a/gracedb/api/backends.py b/gracedb/api/backends.py
index 5b2d2fffecf18a0c420206908f32347ef95fc2b6..6a202e3cd336b384a7cd14cea333f7eede8550a1 100644
--- a/gracedb/api/backends.py
+++ b/gracedb/api/backends.py
@@ -222,6 +222,7 @@ class GraceDbX509FullCertAuthentication(GraceDbX509Authentication):
     Authentication based on a full X509 certificate. We verify the certificate here.
     """
+    allow_ajax = False
     api_only = True
     www_authenticate_realm = 'api'
     cert_header = getattr(settings, 'X509_CERT_HEADER',
@@ -233,6 +234,13 @@ class GraceDbX509FullCertAuthentication(GraceDbX509Authentication):
         if self.api_only and not is_api_request(request.path):
             return None
 
+        # Don't allow this auth type for AJAX requests - this is because
+        # users with certificates in their browser can still authenticate via
+        # this mechanism in the web view (since it makes API queries), even
+        # when they are not logged in.
+        if request.is_ajax() and not self.allow_ajax:
+            return None
+
         # Try to get certificate from request headers
         cert_data = self.get_certificate_data_from_request(request)
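Review bot: `allow_ajax = False` is introduced as a bare class attribute with no comment, so a reader of the class header cannot tell what the flag gates or why a subclass would flip it; the rationale lives only inside the method body in the second hunk. I would add a comment above the attribute, e.g. `# Refuse X509 auth on AJAX requests so a browser's client certificate is not used as an ambient credential by the web view's API calls; subclasses may set True to opt in.` The comment should also state the limit of the protection: the gate in the second hunk relies on `request.is_ajax()`, which only inspects the client-supplied `X-Requested-With` header, so it addresses the web view's own requests rather than acting as a general authentication boundary. `HttpRequest.is_ajax()` was deprecated in Django 3.1 and removed in 4.0, so on upgrade the check will need an equivalent such as `request.headers.get('X-Requested-With') == 'XMLHttpRequest'`. The method containing that check continues past the end of the second hunk.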