diff --git a/daikoku/app/utils/ApiService.scala b/daikoku/app/utils/ApiService.scala
index 62618a95b..2d88f3803 100644
--- a/daikoku/app/utils/ApiService.scala
+++ b/daikoku/app/utils/ApiService.scala
@@ -2329,7 +2329,10 @@ class ApiService(
 AppError.PlanNotFound
 )
 _ <- EitherT.cond[Future][AppError, Unit](
- tenant.display != TenantDisplay.Environment || tenant.environmentAggregationApiKeysSecurity.forall(s => s && plan.customName == parentPlan.customName),
+ tenant.display != TenantDisplay.Environment || (tenant.environmentAggregationApiKeysSecurity match {
+ case Some(true) => plan.customName == parentPlan.customName
+ case _ => true
+ }),
 (),
 AppError.SecurityError(s"Environment Subscription Aggregation security is enabled, a subscription cannot be extended by another environment")
 )
diff --git a/daikoku/javascript/tests/connectedUser.spec.ts b/daikoku/javascript/tests/connectedUser.spec.ts
index 89f458ae8..cea902ce1 100644
--- a/daikoku/javascript/tests/connectedUser.spec.ts
+++ b/daikoku/javascript/tests/connectedUser.spec.ts
@@ -380,7 +380,7 @@ test('aggregation mode', async ({ page, request }) => {
 await page.getByText('Plans').click();
 await page.locator('.usage-plan__card').filter({ hasText: 'not test plan' }).getByRole('button').click();
 await page.locator('div').filter({ hasText: /^Consumers$/ }).click();
- await page.getByRole('button', { name: 'Subscribe with a new api key' }).click();
+ // await page.getByRole('button', { name: 'Subscribe with a new api key' }).click();
 await page.getByRole('link', { name: 'Go home' }).click();
 //subscribe second api with aggregation
diff --git a/daikoku/test/daikoku/ApiControllerSpec.scala b/daikoku/test/daikoku/ApiControllerSpec.scala
index f30487b71..fcb3250df 100644
--- a/daikoku/test/daikoku/ApiControllerSpec.scala
+++ b/daikoku/test/daikoku/ApiControllerSpec.scala
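Review bot: The `case _ => true` arm in the new match fails open: an unset `environmentAggregationApiKeysSecurity` (None) is treated exactly like an explicit `Some(false)`, so a tenant in Environment display that never set the flag gets no cross-environment check. That matches what the old `forall` did for None, but as a security default it should be spelled out, either with a comment such as `// None means the check is off: this security is opt-in` or with an explicit `case Some(false) | None => true` arm instead of the wildcard. The same condition can also be written without a match as `!tenant.environmentAggregationApiKeysSecurity.contains(true) || plan.customName == parentPlan.customName`. The enclosing for-comprehension starts and ends outside the hunk.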
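Review bot: The subscribe click in the 'aggregation mode' test is commented out rather than removed, and nothing in the hunk says why, so it is unclear whether the test still creates the first subscription that the later "subscribe second api with aggregation" step builds on. Either delete the line or leave a one-line reason next to it, and consider asserting that the expected subscription state is visible before the `Go home` click so the test cannot pass without exercising the flow. The test body starts before and continues past the hunk.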
@@ -1701,7 +1701,7 @@ class ApiControllerSpec()
 body = Json.obj().some
 )(tenant, session)
- respPersonal.status mustBe 401
+ respPersonal.status mustBe 403
 val respOrg = httpJsonCallBlocking(
 path =
@@ -4533,7 +4533,7 @@ class ApiControllerSpec()
 body = Json.obj().some
 )(tenant, loginWithBlocking(user, tenant))
- resp.status mustBe Status.UNAUTHORIZED
+ resp.status mustBe Status.FORBIDDEN
 }
 "not be extended subscription that we have already a parent" in {
 val parentSub = ApiSubscription(
@@ -7180,7 +7180,6 @@ class ApiControllerSpec() respProd.status mustBe 200 //disabled security - setupEnvBlocking( tenants = Seq(tenantEnvMode.copy( otoroshiSettings = Set(
@@ -7193,7 +7192,7 @@ class ApiControllerSpec()
 clientId = otoroshiAdminApiKey.clientId
 )
 ),
- environmentAggregationApiKeysSecurity = Some(true),
+ environmentAggregationApiKeysSecurity = Some(false),
 aggregationApiKeysSecurity = Some(true)
 )),
 users = Seq(user, userAdmin),
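Review bot: The expected status moves from 401 to 403 here and in the hunk at 4533, yet nothing visible in this commit changes how an AppError maps to an HTTP status, so these expectations presumably track a mapping changed elsewhere; it is worth confirming which error each call now hits. Both assertions pin only the status code, so also asserting the error message in the response body would show that the rejection comes from the intended authorization rule rather than from any other 403 path. The two hunks also spell the same check differently; `respPersonal.status mustBe Status.FORBIDDEN` would keep the file consistent. Both test bodies start and end outside their hunks.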
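Review bot: The "disabled security" step at 7193 now exercises `Some(false)`, but the new `case _ => true` arm in ApiService also covers an unset flag, and no case with `environmentAggregationApiKeysSecurity = None` is visible in this hunk. Adding a further setup with `environmentAggregationApiKeysSecurity = None` and the same cross-environment extension request would pin the fail-open default, so a later change to that default cannot slip through unnoticed. The setupEnvBlocking call starts before and continues past the hunk.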