diff --git a/Code/Identity/OAuth2Server.php b/Code/Identity/OAuth2Server.php
index 86e59450c..d759689cb 100644
--- a/Code/Identity/OAuth2Server.php
+++ b/Code/Identity/OAuth2Server.php
@@ -33,8 +33,10 @@ class OAuth2Server extends Server
 // Need to use OpenID\GrantType to return id_token
 // (see:https://github.com/bshaffer/oauth2-server-php/issues/443)
 $this->addGrantType(new AuthorizationCode($storage));
+ // Add the "Refresh Token" grant type
 $this->addGrantType(new RefreshToken($storage));
+
 $keyStorage = new Memory([
 'keys' => [
 'public_key' => get_config('system', 'pubkey'),
diff --git a/Code/Module/Authorize.php b/Code/Module/Authorize.php
index e0c1c5dbd..c5c99437e 100644
--- a/Code/Module/Authorize.php
+++ b/Code/Module/Authorize.php
@@ -58,12 +58,6 @@ class Authorize extends Controller
 $storage = new OAuth2Storage(DBA::$dba->db);
 $server = new OAuth2Server($storage);
- // Add the "Client Credentials" grant type (it is the simplest of the grant types)
- $server->addGrantType(new GrantType\ClientCredentials($storage));
- // Add the "Authorization Code" grant type (this is where the oauth magic happens)
- $server->addGrantType(new GrantType\AuthorizationCode($storage));
- // Add the "Refresh Token" grant type
- $server->addGrantType(new GrantType\RefreshToken($storage));
 // TODO: The automatic client registration protocol below should adhere more
 // closely to "OAuth 2.0 Dynamic Client Registration Protocol" defined
diff --git a/Code/Module/Token.php b/Code/Module/Token.php
index ea760267c..c625d035c 100644
--- a/Code/Module/Token.php
+++ b/Code/Module/Token.php
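Review bot: Dropping the three `addGrantType()` calls in this Authorize.php hunk (and in the matching hunks in Code/Module/Token.php and the second include/api_auth.php hunk) removes the only visible registration of `GrantType\ClientCredentials`; the OAuth2Server constructor hunk above shows `AuthorizationCode` and `RefreshToken` being added, but ClientCredentials does not appear in it. If the constructor does not register it somewhere above line 33, `grant_type=client_credentials` requests to the token endpoint will now be answered with an `unsupported_grant_type` error, which is a change in the supported flows rather than the pure de-duplication the removal looks like. Either add `$this->addGrantType(new ClientCredentials($storage));` next to the other two in the constructor (with the corresponding `use` import) or state the intentional drop in the commit message so API clients can be updated. The enclosing Authorize controller method starts before and ends after this hunk.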
@@ -40,13 +40,6 @@ class Token extends Controller $storage = new OAuth2Storage(DBA::$dba->db); $server = new OAuth2Server($storage); - // Add the "Client Credentials" grant type (it is the simplest of the grant types) - $server->addGrantType(new GrantType\ClientCredentials($storage)); - // Add the "Authorization Code" grant type (this is where the oauth magic happens) - $server->addGrantType(new GrantType\AuthorizationCode($storage)); - // Add the "Refresh Token" grant type - $server->addGrantType(new GrantType\RefreshToken($storage)); - $request = Request::createFromGlobals(); $response = $server->handleTokenRequest($request); $response->send(); diff --git a/include/api_auth.php b/include/api_auth.php index 0fc09a9ad..e92f35a14 100644 --- a/include/api_auth.php +++ b/include/api_auth.php @@ -16,14 +16,14 @@ require_once('include/security.php'); /** * API Login via basic-auth, OpenWebAuth, or OAuth2 + * This function returns true or exits with a 401 and WWW-Authenticate header. + * @noinspection PhpInconsistentReturnPointsInspection */ function api_login() { $record = null; - $remote_auth = false; - $sigblock = null; if (array_key_exists('REDIRECT_REMOTE_USER', $_SERVER) && (! array_key_exists('HTTP_AUTHORIZATION', $_SERVER))) { $_SERVER['HTTP_AUTHORIZATION'] = $_SERVER['REDIRECT_REMOTE_USER']; @@ -35,12 +35,6 @@ function api_login() // OAuth 2.0 $storage = new OAuth2Storage(DBA::$dba->db); $server = new OAuth2Server($storage); - // Add the "Client Credentials" grant type (it is the simplest of the grant types) - $server->addGrantType(new GrantType\ClientCredentials($storage)); - // Add the "Authorization Code" grant type (this is where the oauth magic happens) - $server->addGrantType(new GrantType\AuthorizationCode($storage)); - // Add the "Refresh Token" grant type - $server->addGrantType(new GrantType\RefreshToken($storage)); $request = Request::createFromGlobals(); if ($server->verifyResourceRequest($request)) { 
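Review bot: The new docblock on api_login() promises that it returns `true` or exits, but the signature right below it stays untyped and the added `@noinspection PhpInconsistentReturnPointsInspection` tag only hides the IDE warning that says the return points still disagree. If every non-exiting path really returns `true`, declare it — `function api_login(): bool` — so the engine enforces the contract (a path that falls off the end after a helper that does not exit would then fail loudly instead of silently yielding null), and the suppression tag can be removed. Removing the unused `$remote_auth` and `$sigblock` locals is fine provided nothing later in the function, which continues well past this hunk, still reads them.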
@@ -69,11 +63,13 @@ function api_login() authenticate_success($x[0], false, true, false, true, true); $_SESSION['allow_api'] = true; Hook::call('logged_in', App::$user); - return; + return true; } } } catch (Exception $e) { + // Just log the exception. Most of the time it will be because + // a different identity mechanism is being used and no oauth2 parameters were found. logger($e->getMessage()); } @@ -132,7 +128,6 @@ function api_login() } } - // process normal login request if (isset($_SERVER['PHP_AUTH_USER']) && (! $record)) { @@ -158,6 +153,7 @@ function api_login() log_failed_login('API login failure'); retry_basic_auth(); } + }
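Review bot: The comment added in the `catch (Exception $e)` block documents the common case, but the handler still swallows every exception raised during OAuth2 resource verification — storage or configuration failures included — and logs only the bare message, so a broken OAuth2 setup can be hard to tell apart in the log from an ordinary basic-auth request that simply carried no bearer token. Make the log line attributable, e.g. `logger('api_login: OAuth2 verification skipped (' . get_class($e) . '): ' . $e->getMessage());`, since the exception class is what distinguishes the "no oauth2 parameters" case from an infrastructure error worth alerting on. The `return;` → `return true;` change is consistent with the new docblock. api_login() begins and ends outside this hunk.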