diff --git a/src/main/java/org/opensearch/security/identity/SecurityTokenManager.java b/src/main/java/org/opensearch/security/identity/SecurityTokenManager.java
index 03ed414a63..ca5a17b6f7 100644
--- a/src/main/java/org/opensearch/security/identity/SecurityTokenManager.java
+++ b/src/main/java/org/opensearch/security/identity/SecurityTokenManager.java
@@ -118,6 +118,9 @@ public ExpiringBearerAuthToken issueOnBehalfOfToken(final Subject subject, final
         }
 
         final User user = threadPool.getThreadContext().getTransient(ConfigConstants.OPENDISTRO_SECURITY_USER);
+        if (user == null) {
+            throw new OpenSearchSecurityException("Unsupported user to generate OnBehalfOfToken");
+        }
 
         final TransportAddress callerAddress = null; /* OBO tokens must not roles based on location from network address */
         final Set<String> mappedRoles = configModel.mapSecurityRoles(user, callerAddress);
@@ -145,9 +148,6 @@ public ExpiringBearerAuthToken issueApiToken(
         final List<ApiToken.IndexPermission> indexPermissions
     ) {
         final User user = threadPool.getThreadContext().getTransient(ConfigConstants.OPENDISTRO_SECURITY_USER);
-        if (user == null) {
-            throw new OpenSearchSecurityException("Unsupported user to generate Api Token");
-        }
 
         try {
             return apiTokenJwtVendor.createJwt(cs.getClusterName().value(), name, name, expiration, clusterPermissions, indexPermissions);