diff --git a/app/models/mixins/inter_region_api_method_relay.rb b/app/models/mixins/inter_region_api_method_relay.rb
index 9920813acf7..3c7c65ee0d2 100644
--- a/app/models/mixins/inter_region_api_method_relay.rb
+++ b/app/models/mixins/inter_region_api_method_relay.rb
@@ -48,18 +48,25 @@ def api_relay_class_method(method, action = method)
     end
   end
 
-  def self.api_client_connection_for_region(region)
-    url = MiqRegion.find_by(:region => region).remote_ws_url
+  def self.api_client_connection_for_region(region_number)
+    region = MiqRegion.find_by(:region => region_number)
+
+    unless region.auth_key_configured?
+      _log.error("Region #{region_number} is not configured for central administration")
+      raise "Region #{region_number} is not configured for central administration"
+    end
+
+    url = region.remote_ws_url
     if url.nil?
-      _log.error("The remote region [#{region}] does not have a web service address.")
-      raise "Failed to establish API connection to region #{region}"
+      _log.error("The remote region [#{region_number}] does not have a web service address.")
+      raise "Failed to establish API connection to region #{region_number}"
     end
 
     require 'manageiq-api-client'
 
     ManageIQ::API::Client.new(
       :url      => url,
-      :miqtoken => MiqRegion.api_system_auth_token_for_region(region, User.current_userid),
+      :miqtoken => region.api_system_auth_token(User.current_userid),
       :ssl      => {:verify => false}
     )
   end
diff --git a/spec/models/mixins/inter_region_api_method_relay_spec.rb b/spec/models/mixins/inter_region_api_method_relay_spec.rb
index 3a52b003aa6..573c910c01a 100644
--- a/spec/models/mixins/inter_region_api_method_relay_spec.rb
+++ b/spec/models/mixins/inter_region_api_method_relay_spec.rb
@@ -165,38 +165,52 @@ def expect_api_call(expected_action, expected_args = nil)
 
     describe ".api_client_connection_for_region" do
       let!(:server)           { EvmSpecHelper.local_miq_server(:has_active_webservices => true) }
+      let!(:region)           { FactoryGirl.create(:miq_region, :region => region_number) }
+      let(:region_number)     { ApplicationRecord.my_region_number }
       let(:region_seq_start)  { ApplicationRecord.rails_sequence_start }
       let(:request_user)      { "test_user" }
       let(:api_connection)    { double("ManageIQ::API::Client connection") }
       let(:region_auth_token) { double("MiqRegion API auth token") }
 
       before do
-        FactoryGirl.create(:miq_region, :region => ApplicationRecord.my_region_number)
+        expect(MiqRegion).to receive(:find_by).with(:region => region_number).and_return(region)
       end
 
-      it "opens an api connection to that address when the server has an ip address" do
-        require "manageiq-api-client"
+      context "with authentication configured" do
+        before do
+          expect(region).to receive(:auth_key_configured?).and_return true
+        end
+
+        it "opens an api connection to that address when the server has an ip address" do
+          require "manageiq-api-client"
 
-        server.ipaddress = "192.0.2.1"
-        server.save!
+          server.ipaddress = "192.0.2.1"
+          server.save!
 
-        expect(User).to receive(:current_userid).and_return(request_user)
-        expect(MiqRegion).to receive(:api_system_auth_token_for_region)
-          .with(ApplicationRecord.my_region_number, request_user).and_return(region_auth_token)
+          expect(User).to receive(:current_userid).and_return(request_user)
+          expect(region).to receive(:api_system_auth_token).with(request_user).and_return(region_auth_token)
 
-        client_connection_hash = {
-          :url      => "https://#{server.ipaddress}",
-          :miqtoken => region_auth_token,
-          :ssl      => {:verify => false}
-        }
-        expect(ManageIQ::API::Client).to receive(:new).with(client_connection_hash).and_return(api_connection)
-        described_class.api_client_connection_for_region(ApplicationRecord.my_region_number)
+          client_connection_hash = {
+            :url      => "https://#{server.ipaddress}",
+            :miqtoken => region_auth_token,
+            :ssl      => {:verify => false}
+          }
+          expect(ManageIQ::API::Client).to receive(:new).with(client_connection_hash).and_return(api_connection)
+          described_class.api_client_connection_for_region(region_number)
+        end
+
+        it "raises if the server doesn't have an ip address" do
+          expect {
+            described_class.api_client_connection_for_region(region_number)
+          }.to raise_error("Failed to establish API connection to region #{region_number}")
+        end
       end
 
-      it "raises if the server doesn't have an ip address" do
+      it "raises without authentication configured" do
+        expect(region).to receive(:auth_key_configured?).and_return false
         expect {
-          described_class.api_client_connection_for_region(ApplicationRecord.my_region_number)
-        }.to raise_error(RuntimeError)
+          described_class.api_client_connection_for_region(region_number)
+        }.to raise_error("Region #{region_number} is not configured for central administration")
       end
     end