diff --git a/README.md b/README.md
index a1378e2e..27de48d7 100644
--- a/README.md
+++ b/README.md
@@ -163,6 +163,50 @@ Below is an example API request:
 Get-Location
+Below are examples of using the cookie-based login API (JavaScript):
+
+ // Log in with one request, then launch remote control with another.
+ fetch("https://localhost:5001/api/Login/", {
+ method: "post",
+ credentials: "include",
+ mode: "cors",
+ body: '{"Email":"email@example.com", "Password":"P@ssword1"}',
+ headers: {
+ "Content-Type": "application/json",
+ }
+ }).then(response=>{
+ if (response.ok) {
+ fetch("https://localhost:44351/api/RemoteControl/b68c24b0-2c67-4524-ad28-dadea7a576a4", {
+ method: "get",
+ credentials: "include",
+ mode: "cors"
+ }).then(response=>{
+ if (response.ok) {
+ response.text().then(url=>{
+ window.open(url);
+ })
+ }
+ })
+ }
+ })
+
+ // Log in and launch remote control in the same request.
+ fetch("https://localhost:5001/api/RemoteControl/", {
+ method: "post",
+ credentials: "include",
+ mode: "cors",
+ body: '{"Email":"email@example.com", "Password":"P@ssword1", "DeviceID":"b68c24b0-2c67-4524-ad28-dadea7a576a4"}',
+ headers: {
+ "Content-Type": "application/json",
+ }
+ }).then(response=>{
+ if (response.ok) {
+ response.text().then(url=>{
+ window.open(url);
+ })
+ }
+ })
+
 ## Alerts
 The Alerts API gives you the ability to add monitoring and alerting functionality to your device endpoints. This feature is intended to add basic RMM-type functionality without diverging too far from Remotely's primary purpose.
diff --git a/Server/API/DevicesController.cs b/Server/API/DevicesController.cs
index 417400f5..83e5bab3 100644
--- a/Server/API/DevicesController.cs
+++ b/Server/API/DevicesController.cs
@@ -46,7 +46,7 @@ namespace Remotely.Server.API
 var device = DataService.GetDevice(orgID, id);
 if (User.Identity.IsAuthenticated &&
- !DataService.DoesUserHaveAccessToDevice(id, User.Identity.Name))
+ !DataService.DoesUserHaveAccessToDevice(id, DataService.GetUserByName(User.Identity.Name)))
 {
 return null;
 }
diff --git a/Server/API/RemoteControlController.cs b/Server/API/RemoteControlController.cs
index 68e94cdd..3ee6cade 100644
--- a/Server/API/RemoteControlController.cs
+++ b/Server/API/RemoteControlController.cs
@@ -54,10 +54,11 @@ namespace Remotely.Server.API
 var orgId = DataService.GetUserByName(rcRequest.Email)?.OrganizationID;
 var result = await SignInManager.PasswordSignInAsync(rcRequest.Email, rcRequest.Password, false, true);
- if (result.Succeeded)
+ if (result.Succeeded &&
+ DataService.DoesUserHaveAccessToDevice(rcRequest.DeviceID, DataService.GetUserByName(rcRequest.Email)))
 {
 DataService.WriteEvent($"API login successful for {rcRequest.Email}.", orgId);
- return await InitiateRemoteControl(rcRequest.DeviceID, rcRequest.Email);
+ return await InitiateRemoteControl(rcRequest.DeviceID, orgId);
 }
 else if (result.IsLockedOut)
 {
@@ -82,7 +83,7 @@ namespace Remotely.Server.API
 if (targetDevice.Value != null)
 {
 if (User.Identity.IsAuthenticated &&
- !DataService.DoesUserHaveAccessToDevice(targetDevice.Value.ID, User.Identity.Name))
+ !DataService.DoesUserHaveAccessToDevice(targetDevice.Value.ID, DataService.GetUserByName(User.Identity.Name)))
 {
 return Unauthorized();
 }
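Review bot: In the `@@ -46,7 +46,7 @@` hunk of DevicesController.cs the result of `DataService.GetUserByName(User.Identity.Name)` goes straight into `DoesUserHaveAccessToDevice` with no null check, although RemoteControlController.cs reads the same lookup as `GetUserByName(rcRequest.Email)?.OrganizationID`, which suggests it can return null. Whether the access check then throws or denies is not visible here, so an authorization gate should deny explicitly: resolve the user inside the authenticated branch with `var user = DataService.GetUserByName(User.Identity.Name);` and test `if (user == null || !DataService.DoesUserHaveAccessToDevice(id, user))`. The same pattern appears in the `@@ -82,7 +83,7 @@` hunk of RemoteControlController.cs, before `return Unauthorized();`. Both enclosing methods start and end outside their hunks.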
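Review bot: In the `@@ -54,10 +54,11 @@` hunk of RemoteControlController.cs the device-access check is folded into the `if (result.Succeeded && ...)` condition, so a caller with valid credentials but no access to the device falls through to the `else if (result.IsLockedOut)` chain. The remaining branches of that chain are outside the hunk, but they presumably treat the request as a failed login, even though `PasswordSignInAsync` has already completed the sign-in. The response and the event log can then disagree with what actually happened. I would keep `if (result.Succeeded)` and deny inside it with its own event and `return Unauthorized();`, resolving the user once so that `orgId` and the access check use the same lookup. The method continues past the end of the hunk.

```csharp
var user = DataService.GetUserByName(rcRequest.Email);
var orgId = user?.OrganizationID;
// … unchanged: PasswordSignInAsync call …
if (result.Succeeded)
{
    if (user == null ||
        !DataService.DoesUserHaveAccessToDevice(rcRequest.DeviceID, user))
    {
        // Record the denial separately so it is not confused with a bad password.
        DataService.WriteEvent($"API remote control denied for {rcRequest.Email}: no access to the requested device.", orgId);
        return Unauthorized();
    }
    // … unchanged: success event and InitiateRemoteControl call …
}
// … unchanged: else if (result.IsLockedOut) chain …
```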