diff --git a/src/Api/Controllers/AuthRequestsController.cs b/src/Api/Controllers/AuthRequestsController.cs
index 3b3e17f868..3468b1ad72 100644
--- a/src/Api/Controllers/AuthRequestsController.cs
+++ b/src/Api/Controllers/AuthRequestsController.cs
@@ -137,11 +137,16 @@ public class AuthRequestsController : Controller
             throw new BadRequestException("Invalid device.");
         }
 
-        authRequest.Key = model.Key;
-        authRequest.MasterPasswordHash = model.MasterPasswordHash;
         authRequest.ResponseDeviceId = device.Id;
         authRequest.ResponseDate = DateTime.UtcNow;
         authRequest.Approved = model.RequestApproved;
+
+        if (model.RequestApproved)
+        {
+            authRequest.Key = model.Key;
+            authRequest.MasterPasswordHash = model.MasterPasswordHash;
+        }
+
         await _authRequestRepository.ReplaceAsync(authRequest);
 
         // We only want to send an approval notification if the request is approved (or null),