diff --git a/designate/api/middleware.py b/designate/api/middleware.py
index 0bd232a6c..b6aecd1b7 100644
--- a/designate/api/middleware.py
+++ b/designate/api/middleware.py
@@ -126,6 +126,10 @@ class KeystoneContextMiddleware(ContextMiddleware):
             # If the key is valid, Keystone does not include this header at all
             pass
 
+        tenant_id = headers.get('X-Tenant-ID')
+        if tenant_id is None:
+            return flask.Response(status=401)
+
         if headers.get('X-Service-Catalog'):
             catalog = json.loads(headers.get('X-Service-Catalog'))
         else:
@@ -137,7 +141,7 @@ class KeystoneContextMiddleware(ContextMiddleware):
             request,
             auth_token=headers.get('X-Auth-Token'),
             user=headers.get('X-User-ID'),
-            tenant=headers.get('X-Tenant-ID'),
+            tenant=tenant_id,
             roles=roles,
             service_catalog=catalog)
 
diff --git a/designate/tests/test_api/test_middleware.py b/designate/tests/test_api/test_middleware.py
index 990e8519c..baec29cb5 100644
--- a/designate/tests/test_api/test_middleware.py
+++ b/designate/tests/test_api/test_middleware.py
@@ -79,6 +79,23 @@ class KeystoneContextMiddlewareTest(ApiTestCase):
 
         self.assertEqual(response.status_code, 401)
 
+    def test_process_unscoped_token(self):
+        app = middleware.KeystoneContextMiddleware({})
+
+        request = FakeRequest()
+
+        request.headers = {
+            'X-Auth-Token': 'AuthToken',
+            'X-User-ID': 'UserID',
+            'X-Tenant-ID': None,
+            'X-Roles': 'admin,Member',
+        }
+
+        # Process the request
+        response = app(request)
+
+        self.assertEqual(response.status_code, 401)
+
 class NoAuthContextMiddlewareTest(ApiTestCase):
     def test_process_request(self):
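Review bot: The new guard on `tenant_id` rejects only an absent header, so a request that carries `X-Tenant-ID` with an empty value passes the check and the context is built with `tenant=''`; a real WSGI request presents an empty header as `''`, never as `None`. Tightening the condition to `if not tenant_id:` covers both the absent and the empty case while keeping the 401 for the unscoped-token path. The 401 is also returned with no `WWW-Authenticate` header, which RFC 7235 expects on that status; if the existing 401 path earlier in this method omits it as well, that is a pre-existing gap rather than one this change introduces. The enclosing method starts and ends outside the hunk.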
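Review bot: test_process_unscoped_token simulates a missing tenant by setting `'X-Tenant-ID': None` in the headers dict, which satisfies the `is None` check but does not match how an absent header arrives from a real request (the key is simply not present), so the test exercises a path production traffic never takes. Dropping the key from the dict would cover the real absent-header case, and a second case with `'X-Tenant-ID': ''` would pin down whether an empty tenant value is meant to be rejected too. Whether FakeRequest normalizes header values is not visible here.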