diff --git a/src/org/labkey/test/tests/ApiKeyTest.java b/src/org/labkey/test/tests/ApiKeyTest.java
index 60db2d7e39..837a8eabc0 100644
--- a/src/org/labkey/test/tests/ApiKeyTest.java
+++ b/src/org/labkey/test/tests/ApiKeyTest.java
@@ -17,6 +17,7 @@
 
 import org.apache.hc.core5.http.HttpStatus;
 import org.jetbrains.annotations.Nullable;
+import org.junit.Assert;
 import org.junit.BeforeClass;
 import org.junit.Test;
 import org.junit.experimental.categories.Category;
@@ -396,7 +397,7 @@ private void verifySessionKeyCsrf(Connection connection) throws IOException
             assertTrue("CSRF success", resp.getProperty("success"));
 
             WhoAmIResponse whoAmI = new WhoAmICommand().execute(connection, null);
-            whoAmI.getCSRF(); // Should this match the browser?
+            Assert.assertNotEquals("API CSRF", WebTestHelper.getCookies(PasswordUtil.getUsername()).get(Connection.X_LABKEY_CSRF).getValue(), whoAmI.getCSRF());
         }
         catch (CommandException e)
         {