diff --git a/awx/api/permissions.py b/awx/api/permissions.py
index 34ee7f76fb..ecaabc4b91 100644
--- a/awx/api/permissions.py
+++ b/awx/api/permissions.py
@@ -249,3 +249,8 @@ class InstanceGroupTowerPermission(ModelAccessPermission):
 if request.method == 'DELETE' and obj.name == "tower":
 return False
 return super(InstanceGroupTowerPermission, self).has_object_permission(request, view, obj)
+
+
+class WebhookKeyPermission(permissions.BasePermission):
+ def has_object_permission(self, request, view, obj):
+ return request.user.can_access(view.model, 'admin', obj, request.data)
diff --git a/awx/api/views/webhooks.py b/awx/api/views/webhooks.py
index 7ba1831738..eeec1edc05 100644
--- a/awx/api/views/webhooks.py
+++ b/awx/api/views/webhooks.py
@@ -10,11 +10,13 @@ from rest_framework.response import Response
 from awx.api import serializers
 from awx.api.generics import APIView, GenericAPIView
+from awx.api.permissions import WebhookKeyPermission
 from awx.main.models import JobTemplate, WorkflowJobTemplate
 class WebhookKeyView(GenericAPIView):
 serializer_class = serializers.EmptySerializer
+ permission_classes = (WebhookKeyPermission,)
 @property
 def model(self):
@@ -32,10 +34,6 @@ class WebhookKeyView(GenericAPIView):
 # Provide a fallback do-nothing queryset so that get_object() has something to work with.
 return JobTemplate.objects.none()
- def check_object_permissions(self, request, obj):
- if not request.user.can_access(self.model, 'admin', obj, request.data):
- raise PermissionDenied
-
 def get(self, request, *args, **kwargs):
 obj = self.get_object()
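Review bot: `WebhookKeyPermission` defines only `has_object_permission`, and DRF's `BasePermission.has_permission` returns True unless overridden, so the class performs no request-level check of its own. Because `permission_classes = (WebhookKeyPermission,)` in awx/api/views/webhooks.py replaces the project's default permission classes rather than adding to them, any authentication check those defaults performed no longer runs for this view (the defaults are not visible in this diff, so this is inferred). An unauthenticated request could then reach `request.user.can_access(...)`, which may not exist on an anonymous user object and would surface as a server error instead of a clean 401/403. Consider adding `def has_permission(self, request, view): return bool(request.user and request.user.is_authenticated)` to the class, along with a one-line docstring stating that it requires 'admin' access on the target object.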
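Review bot: The admin check on `WebhookKeyView` now runs only through `has_object_permission`, which DRF invokes from `get_object()`; a handler that loads the template any other way would skip it. The `get` shown in the next hunk does call `self.get_object()`, but the other handlers of this view lie outside the diff and should be confirmed. A comment above `permission_classes` would make the dependency explicit, e.g. `# Object-level 'admin' check is enforced via get_object(); every handler must fetch obj through it.`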