diff --git a/framework/core/src/Api/Actions/SerializeAction.php b/framework/core/src/Api/Actions/SerializeAction.php
index 0521e7337..732486636 100644
--- a/framework/core/src/Api/Actions/SerializeAction.php
+++ b/framework/core/src/Api/Actions/SerializeAction.php
@@ -3,8 +3,12 @@
 use Flarum\Api\Request;
 use Flarum\Api\JsonApiRequest;
 use Flarum\Api\JsonApiResponse;
+use Flarum\Core\Exceptions\ValidationFailureException;
+use Flarum\Core\Exceptions\PermissionDeniedException;
 use Tobscure\JsonApi\SerializerInterface;
 use Tobscure\JsonApi\Criteria;
+use Illuminate\Http\Response;
+use Illuminate\Http\JsonResponse;
 abstract class SerializeAction implements ActionInterface
 {
@@ -68,7 +72,20 @@ abstract class SerializeAction implements ActionInterface
 {
 $request = static::buildJsonApiRequest($request);
- $data = $this->data($request, $response = new JsonApiResponse);
+ try {
+ $data = $this->data($request, $response = new JsonApiResponse);
+ } catch (ValidationFailureException $e) {
+ $errors = [];
+ foreach ($e->getErrors()->getMessages() as $field => $messages) {
+ $errors[] = [
+ 'detail' => implode("\n", $messages),
+ 'path' => $field
+ ];
+ }
+ return new JsonResponse(['errors' => $errors], 422);
+ } catch (PermissionDeniedException $e) {
+ return new JsonResponse(null, 401);
+ }
 $serializer = new static::$serializer($request->actor, $request->include, $request->link);
diff --git a/framework/core/src/Api/Actions/TokenAction.php b/framework/core/src/Api/Actions/TokenAction.php
index bc2ad3f2d..ca5ae01d3 100644
--- a/framework/core/src/Api/Actions/TokenAction.php
+++ b/framework/core/src/Api/Actions/TokenAction.php
@@ -3,6 +3,7 @@
 use Flarum\Api\Request;
 use Flarum\Core\Commands\GenerateAccessTokenCommand;
 use Flarum\Core\Repositories\UserRepositoryInterface;
+use Flarum\Core\Exceptions\PermissionDeniedException;
 use Illuminate\Http\JsonResponse;
 use Illuminate\Contracts\Bus\Dispatcher;
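Review bot: The two `catch` blocks added around `$this->data(...)` in SerializeAction only protect actions that extend this class, while the ExceptionHandler hunks of the same commit delete the equivalent branches from `render()`. Any API action outside this hierarchy that throws ValidationFailureException or PermissionDeniedException would presumably now fall through to the generic error branch instead of returning 422/401, so either keep the handler branches as a fallback or move the mapping into one helper that every action uses. Separately, `return new JsonResponse(null, 401);` answers a permission failure with the status for missing authentication; when the actor is already authenticated, `return new JsonResponse(null, 403);` is the accurate code and keeps clients from treating it as an expired session. `use Illuminate\Http\Response;` from the import hunk is not referenced by any line shown here. The method body continues outside the hunk.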
@@ -32,9 +33,8 @@ class TokenAction implements ActionInterface
 $user = $this->users->findByIdentification($identification);
 if (! $user || ! $user->checkPassword($password)) {
- return;
- // throw an exception
- // return $this->respondWithError('invalidCredentials', 401);
+ // throw new PermissionDeniedException;
+ return new JsonResponse(null, 401);
 }
 $token = $this->bus->dispatch(
diff --git a/framework/core/src/Api/ExceptionHandler.php b/framework/core/src/Api/ExceptionHandler.php
index 75003d3ad..57a400329 100644
--- a/framework/core/src/Api/ExceptionHandler.php
+++ b/framework/core/src/Api/ExceptionHandler.php
@@ -5,8 +5,6 @@ use Illuminate\Foundation\Exceptions\Handler;
 use Illuminate\Http\Response;
 use Illuminate\Http\JsonResponse;
 use Illuminate\Database\Eloquent\ModelNotFoundException;
-use Flarum\Core\Exceptions\ValidationFailureException;
-use Flarum\Core\Exceptions\PermissionDeniedException;
 use Symfony\Component\HttpKernel\Exception\HttpException;
 use Config;
@@ -31,13 +29,6 @@ class ExceptionHandler extends Handler
 public function render($request, Exception $e)
 {
 if ($request->is('api/*')) {
- if ($e instanceof ValidationFailureException) {
- return $this->renderValidationException($e);
- }
- if ($e instanceof PermissionDeniedException) {
- return new Response(null, 401);
- }
-
 $error = [];
 if (Config::get('app.debug')) {
 $error['code'] = (new \ReflectionClass($e))->getShortName();
@@ -60,16 +51,4 @@ class ExceptionHandler extends Handler
 {
 return new JsonResponse(['errors' => $errors], $httpCode);
 }
-
- protected function renderValidationException(ValidationFailureException $e)
- {
- $errors = [];
- foreach ($e->getErrors()->getMessages() as $field => $messages) {
- $errors[] = [
- 'detail' => implode("\n", $messages),
- 'path' => $field
- ];
- }
- return $this->renderErrors($errors, 422);
- }
 }
diff --git a/framework/core/src/Forum/Actions/LoginAction.php b/framework/core/src/Forum/Actions/LoginAction.php
index b245bdd60..a34a1880b 100644
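Review bot: The added `// throw new PermissionDeniedException;` in TokenAction is dead code, and it is the only reference to the `PermissionDeniedException` import added in this file's first hunk, so that import is unused as far as these hunks show. Either drop both, or throw the exception and map it to 401 in one shared place, so the token endpoint and SerializeAction do not each hard-code the status. Returning the same bodiless 401 for an unknown identification and for a wrong password is the right choice. The context condition `! $user || ! $user->checkPassword($password)` still skips the password check when no user is found, so response time may distinguish the two cases; doing comparable hash work on a fixed dummy value in the no-user path would even that out. The method body starts and ends outside the hunk.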
--- a/framework/core/src/Forum/Actions/LoginAction.php
+++ b/framework/core/src/Forum/Actions/LoginAction.php
@@ -21,8 +21,7 @@ class LoginAction extends BaseAction
 $response = app('Flarum\Api\Actions\TokenAction')
 ->handle(new ApiRequest($request->only('identification', 'password')));
- $data = $response->getData();
- if (! empty($data->token)) {
+ if (($data = $response->getData()) && ! empty($data->token)) {
 $response->withCookie($this->makeRememberCookie($data->token));
 event(new UserLoggedIn($this->users->findOrFail($data->userId), $data->token));
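Review bot: Login success is inferred from the shape of the body in `if (($data = $response->getData()) && ! empty($data->token)) {`, with the assignment buried inside the condition. Now that TokenAction returns an explicit 401 on bad credentials, testing the status reads more clearly and does not depend on the failure body being null. Assuming the success response is a 200, I would write `$data = $response->getData();` followed by `if ($response->getStatusCode() === 200 && ! empty($data->token)) {`. A one-line comment that `getData()` is null on a failed login would help the next reader. The `if` block continues outside the hunk.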