diff --git a/actions/api.php b/actions/api.php
index 97da359fea..1cfae91143 100644
--- a/actions/api.php
+++ b/actions/api.php
@@ -105,9 +105,18 @@ class ApiAction extends Action {
 'statuses/show', 'help/test', 'help/downtime_schedule');
- if (in_array("$this->api_action/$this->api_method", $noauth)) {
+ static $bareauth = array('statuses/user_timeline');
+
+ # noauth: never needs auth
+ # bareauth: only needs auth if without an argument
+
+ $fullname = "$this->api_action/$this->api_method";
+
+ if (in_array($fullname, $bareauth) && !$this->api_arg) {
+ return true;
+ } if (in_array($fullname, $noauth)) {
 return false;
- }
+ }
 return true;
 }
diff --git a/actions/twitapistatuses.php b/actions/twitapistatuses.php
index 5a4345ab65..96931fec63 100644
--- a/actions/twitapistatuses.php
+++ b/actions/twitapistatuses.php
@@ -309,14 +309,6 @@ class TwitapistatusesAction extends TwitterapiAction {
 // Set the user to be the auth user if asked-for can't be found // honestly! This is what Twitter does, I swear --Zach
 $user = $apidata['user'];
-
- if (!$user) {
- # This header makes basic auth go
- header('WWW-Authenticate: Basic realm="Laconica API"');
- # if the user hits cancel -- bam!
- common_show_basic_auth_error();
- exit();
- }
 }
 $profile = $user->getProfile();
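Review bot: With `statuses/user_timeline` in `$bareauth`, a request that carries an argument is no longer forced to authenticate, yet the twitapistatuses.php hunk of this same commit deletes the `if (!$user)` guard in what its comment describes as the fallback for an asked-for user that can't be found. In that path `$user = $apidata['user']` can presumably be empty for an anonymous caller, and `$user->getProfile()` then fails on a non-object instead of returning a clean error. Keep a guard before the dereference, e.g. `if (!$user) { header('WWW-Authenticate: Basic realm="Laconica API"'); common_show_basic_auth_error(); exit(); }`, or answer with a not-found error there. Two smaller points in api.php: `!$this->api_arg` is a truthiness test, so an argument of `'0'` counts as missing, and `} if (in_array($fullname, $noauth)) {` reads like an `else if`, so the second `if` belongs on its own line. The `$noauth` list and the enclosing function start outside the hunk, so whether `statuses/user_timeline` is also listed there (which the with-argument case needs in order to return false) cannot be confirmed from here.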