diff --git a/api/v1/jwt.go b/api/v1/jwt.go
index d45211fb..0a4bc18a 100644
--- a/api/v1/jwt.go
+++ b/api/v1/jwt.go
@@ -112,14 +112,6 @@ func JWTMiddleware(server *APIV1Service, next echo.HandlerFunc, secret string) e
 			return nil, errors.Errorf("unexpected access token kid=%v", t.Header["kid"])
 		})
 
-		if !accessToken.Valid {
-			auth.RemoveTokensAndCookies(c)
-			return echo.NewHTTPError(http.StatusUnauthorized, "Invalid access token.")
-		}
-		if !audienceContains(claims.Audience, auth.AccessTokenAudienceName) {
-			return echo.NewHTTPError(http.StatusUnauthorized, fmt.Sprintf("Invalid access token, audience mismatch, got %q, expected %q.", claims.Audience, auth.AccessTokenAudienceName))
-		}
-
 		generateToken := time.Until(claims.ExpiresAt.Time) < auth.RefreshThresholdDuration
 		if err != nil {
 			var ve *jwt.ValidationError
@@ -135,6 +127,10 @@ func JWTMiddleware(server *APIV1Service, next echo.HandlerFunc, secret string) e
 			}
 		}
 
+		if !audienceContains(claims.Audience, auth.AccessTokenAudienceName) {
+			return echo.NewHTTPError(http.StatusUnauthorized, fmt.Sprintf("Invalid access token, audience mismatch, got %q, expected %q.", claims.Audience, auth.AccessTokenAudienceName))
+		}
+
 		// We either have a valid access token or we will attempt to generate new access token and refresh token
 		ctx := c.Request().Context()
 		userID, err := strconv.Atoi(claims.Subject)