diff --git a/jupyterhub/apihandlers/users.py b/jupyterhub/apihandlers/users.py
index f97385b3..9247835e 100644
--- a/jupyterhub/apihandlers/users.py
+++ b/jupyterhub/apihandlers/users.py
@@ -112,7 +112,8 @@ class UserAPIHandler(APIHandler):
  # this means users can't see their own auth state unless they
  # are admins, Hub admins often are also marked as admins so they
  # will see their auth state but normal users won't
- if user.admin:
+ requestor = self.get_current_user()
+ if requestor.admin:
  user_['auth_state'] = await user.get_auth_state()
  self.write(json.dumps(user_))

diff --git a/jupyterhub/tests/test_api.py b/jupyterhub/tests/test_api.py
index 56e9945e..735f8a39 100644
--- a/jupyterhub/tests/test_api.py
+++ b/jupyterhub/tests/test_api.py
@@ -284,6 +284,8 @@ def test_get_user(app):
  'admin': False,
  'server': None,
  'pending': None,
+ # auth state is present because requestor is an admin
+ 'auth_state': None
  }


@@ -495,7 +497,8 @@ def test_user_get_auth_state(app, auth_state_enabled):
  assert user.name == name
  yield user.save_auth_state(auth_state)

- r = yield api_request(app, 'users', name)
+ r = yield api_request(app, 'users', name,
+ headers=auth_header(app.db, name))

  assert r.status_code == 200
  assert 'auth_state' not in r.json()
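Review bot: In the users.py hunk, `requestor.admin` is read without checking that `self.get_current_user()` actually returned a user. The decorator that would guarantee an authenticated requestor is outside the hunk, so this cannot be confirmed from here. If the call can return None, the request ends in an AttributeError, which fails closed but surfaces as a 500 rather than a clean denial; `if requestor is not None and requestor.admin:` keeps the gate explicit. Because auth_state holds whatever the authenticator persisted (presumably upstream credentials), a short comment such as `# gate on the requestor, never on the target user` would help stop the condition from being reverted later.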
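Review bot: In test_user_get_auth_state (last hunk of test_api.py) the request is now sent only with the user's own token, so the test pins the negative case alone. Nothing visible in this diff asserts that an admin requestor receives the saved value for a non-admin target, which is the behaviour the handler change introduces. Unless a sibling test outside the diff already covers it, add a second request with the default headers (apparently admin, going by the comment added in test_get_user) followed by `assert r.json()['auth_state'] == auth_state`. The function body begins above the hunk, so the setup of `auth_state` and `user` is not shown here.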