diff --git a/jupyterlab_gallery/handlers.py b/jupyterlab_gallery/handlers.py
index ab11de8..97943b9 100644
--- a/jupyterlab_gallery/handlers.py
+++ b/jupyterlab_gallery/handlers.py
@@ -63,7 +63,12 @@ class PullHandler(BaseHandler, SyncHandlerBase):
 async def post(self):
 data = self.get_json_body()
 exhibit_id = data["exhibit_id"]
- exhibit = self.gallery_manager.exhibits[exhibit_id]
+ try:
+ exhibit = self.gallery_manager.exhibits[exhibit_id]
+ except IndexError:
+ self.set_status(406)
+ self.finish(json.dumps({"message": f"exhibit_id {exhibit_id} not found"}))
+ return
 return await super()._pull(
 repo=exhibit["git"],
 exhibit_id=exhibit_id,
diff --git a/jupyterlab_gallery/tests/test_handlers.py b/jupyterlab_gallery/tests/test_handlers.py
index 6403dae..fe63342 100644
--- a/jupyterlab_gallery/tests/test_handlers.py
+++ b/jupyterlab_gallery/tests/test_handlers.py
@@ -1,5 +1,7 @@
 import json
+from jupyter_server.utils import url_path_join
+
 async def test_exhibits(jp_fetch):
 response = await jp_fetch("jupyterlab-gallery", "exhibits")
@@ -13,3 +15,20 @@ async def test_gallery(jp_fetch):
 assert response.code == 200
 payload = json.loads(response.body)
 assert payload["apiVersion"] == "1.0"
+
+ async def test_pull_token_can_be_used_instead_of_xsrf(jp_serverapp, jp_base_url, http_server_client):
+ token = jp_serverapp.identity_provider.token
+ response = await http_server_client.fetch(
+ url_path_join(jp_base_url, "jupyterlab-gallery", "pull"),
+ body=b'{"exhibit_id": 100}',
+ method="POST",
+ headers={
+ "Authorization": f"token {token}",
+ "Cookie": ""
+ },
+ raise_error=False,
+ )
+ assert response.code == 406
+ payload = json.loads(response.body)
+ assert payload["message"] == "exhibit_id 100 not found"
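Review bot: The new guard around `self.gallery_manager.exhibits[exhibit_id]` catches only IndexError, so an `exhibit_id` taken straight from the request body is still unchecked in the other directions: a string, null or object raises TypeError and surfaces as a 500, and a negative integer indexes from the end and silently selects a real exhibit instead of failing (assuming `exhibits` is a list, which the IndexError handler suggests but the hunk does not show). I would validate the value before indexing, rejecting bools explicitly because `True` passes `isinstance(x, int)`, and answer the missing case with 404 rather than 406, since Not Acceptable is a content-negotiation status; the new test asserts 406 and would need the same change. A body without the key still raises KeyError on `data["exhibit_id"]` just above the added lines, which `.get` plus the same check would cover. `post` continues past the hunk: the `super()._pull(` call is cut off after `exhibit_id=exhibit_id,`.
```python
        exhibit_id = data.get("exhibit_id")
        # Reject anything but a non-negative int: str/None would raise TypeError,
        # and a negative int would silently index from the end of the list.
        if isinstance(exhibit_id, bool) or not isinstance(exhibit_id, int) or exhibit_id < 0:
            self.set_status(400)
            self.finish(json.dumps({"message": "exhibit_id must be a non-negative integer"}))
            return
        try:
            exhibit = self.gallery_manager.exhibits[exhibit_id]
        except IndexError:
            self.set_status(404)
            self.finish(json.dumps({"message": f"exhibit_id {exhibit_id} not found"}))
            return
        # … unchanged: super()._pull(...) call …
```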
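Review bot: `test_pull_token_can_be_used_instead_of_xsrf` only shows that a token-authenticated, cookie-less POST reaches the handler; it never demonstrates that the token is what let it through, so a regression that stops enforcing authentication or XSRF on this endpoint would pass unnoticed. I would send the same request a second time without the `Authorization` header and assert it is refused (a 403 is what I would expect from jupyter_server for an unauthenticated POST, to be confirmed against the fixture's configuration). The hard-coded `exhibit_id` 100 also silently assumes the test server defines at most 100 exhibits; a comment such as `# 100 is past any exhibit the test config defines, so the handler must report not-found` would make that assumption visible.
```python
    # … unchanged: token-authenticated request and its assertions …
    # The same request without the token must be refused, otherwise this test
    # cannot tell "token replaces XSRF" from "no auth enforced at all".
    anonymous = await http_server_client.fetch(
        url_path_join(jp_base_url, "jupyterlab-gallery", "pull"),
        body=b'{"exhibit_id": 100}',
        method="POST",
        headers={"Cookie": ""},
        raise_error=False,
    )
    assert anonymous.code == 403  # confirm against the server fixture's auth settings
```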