diff --git a/aurweb/routers/pkgbase.py b/aurweb/routers/pkgbase.py
index 6cd4199d..1bca5ea3 100644
--- a/aurweb/routers/pkgbase.py
+++ b/aurweb/routers/pkgbase.py
@@ -96,6 +96,12 @@ async def pkgbase_keywords(request: Request, name: str,
                            keywords: str = Form(default=str())):
     pkgbase = get_pkg_or_base(name, PackageBase)
 
+    approved = [pkgbase.Maintainer] + [c.User for c in pkgbase.comaintainers]
+    has_cred = creds.has_credential(request.user, creds.PKGBASE_SET_KEYWORDS,
+                                    approved=approved)
+    if not has_cred:
+        return Response(status_code=HTTPStatus.UNAUTHORIZED)
+
     # Lowercase all keywords. Our database table is case insensitive,
     # and providing CI duplicates of keywords is erroneous.
     keywords = set(k.lower() for k in keywords.split())
diff --git a/templates/partials/packages/details.html b/templates/partials/packages/details.html
index 771b311d..ca7159be 100644
--- a/templates/partials/packages/details.html
+++ b/templates/partials/packages/details.html
@@ -33,10 +33,10 @@
             </td>
         </tr>
     {% endif %}
-    {% if pkgbase.keywords.count() or request.user.has_credential(creds.PKGBASE_SET_KEYWORDS, approved=[pkgbase.Maintainer]) %}
+    {% if pkgbase.keywords.count() or request.user.has_credential(creds.PKGBASE_SET_KEYWORDS, approved=[pkgbase.Maintainer] + comaintainers) %}
         <tr>
             <th>{{ "Keywords" | tr }}:</th>
-            {% if request.user.has_credential(creds.PKGBASE_SET_KEYWORDS, approved=[pkgbase.Maintainer]) %}
+            {% if request.user.has_credential(creds.PKGBASE_SET_KEYWORDS, approved=[pkgbase.Maintainer] + comaintainers) %}
             <td>
                 <form method="post"
                       action="/pkgbase/{{ pkgbase.Name }}/keywords"
diff --git a/test/test_pkgbase_routes.py b/test/test_pkgbase_routes.py
index dae43e37..5c44ea47 100644
--- a/test/test_pkgbase_routes.py
+++ b/test/test_pkgbase_routes.py
@@ -1378,7 +1378,8 @@ def test_pkgbase_keywords(client: TestClient, user: User, package: Package):
     keywords = root.xpath('//a[@class="keyword"]')
     assert len(keywords) == 0
 
-    cookies = {"AURSID": user.login(Request(), "testPassword")}
+    maint = package.PackageBase.Maintainer
+    cookies = {"AURSID": maint.login(Request(), "testPassword")}
     post_endpoint = f"{endpoint}/keywords"
     with client as request:
         resp = request.post(post_endpoint, data={
@@ -1408,7 +1409,8 @@ def test_pkgbase_empty_keywords(client: TestClient, user: User, package: Package
     keywords = root.xpath('//a[@class="keyword"]')
     assert len(keywords) == 0
 
-    cookies = {"AURSID": user.login(Request(), "testPassword")}
+    maint = package.PackageBase.Maintainer
+    cookies = {"AURSID": maint.login(Request(), "testPassword")}
     post_endpoint = f"{endpoint}/keywords"
     with client as request:
         resp = request.post(post_endpoint, data={
@@ -1426,3 +1428,16 @@ def test_pkgbase_empty_keywords(client: TestClient, user: User, package: Package
     expected = ["abc", "bar", "foo", "test"]
     for i, keyword in enumerate(keywords):
         assert keyword.text.strip() == expected[i]
+
+
+def test_unauthorized_pkgbase_keywords(client: TestClient, package: Package):
+    with db.begin():
+        user = db.create(User, Username="random_user", Email="random_user",
+                         Passwd="testPassword")
+
+    cookies = {"AURSID": user.login(Request(), "testPassword")}
+    with client as request:
+        pkgbase = package.PackageBase
+        endp = f"/pkgbase/{pkgbase.Name}/keywords"
+        response = request.post(endp, cookies=cookies)
+    assert response.status_code == HTTPStatus.UNAUTHORIZED
diff --git a/test/test_templates.py b/test/test_templates.py
index e4888127..4b138567 100644
--- a/test/test_templates.py
+++ b/test/test_templates.py
@@ -282,7 +282,8 @@ def test_package_details(user: User, package: Package):
         "git_clone_uri_anon": GIT_CLONE_URI_ANON,
         "git_clone_uri_priv": GIT_CLONE_URI_PRIV,
         "pkgbase": package.PackageBase,
-        "pkg": package
+        "pkg": package,
+        "comaintainers": [],
     })
 
     base = base_template("partials/packages/details.html")
@@ -316,6 +317,7 @@ def test_package_details_filled(user: User, package: Package):
         "git_clone_uri_priv": GIT_CLONE_URI_PRIV,
         "pkgbase": package.PackageBase,
         "pkg": package,
+        "comaintainers": [],
         "licenses": package.package_licenses,
         "provides": package.package_relations.filter(
             PackageRelation.RelTypeID == PROVIDES_ID),