diff --git a/apps/api/src/account/account.service.ts b/apps/api/src/account/account.service.ts
index 3f02f85..39356e6 100644
--- a/apps/api/src/account/account.service.ts
+++ b/apps/api/src/account/account.service.ts
@@ -94,8 +94,7 @@ export class AccountService {
 public async refreshToken(token: string) {
 try {
- this.jwtService.verify(token);
- const { username } = this.jwtService.decode(token) as DecodedToken;
+ const { username } = this.jwtService.verify(token, { ignoreExpiration: true });
 const account = await this.accountModel.findOne({ username });
 if (!account) {
diff --git a/apps/api/src/app.controller.ts b/apps/api/src/app.controller.ts
index c3fab23..1051424 100644
--- a/apps/api/src/app.controller.ts
+++ b/apps/api/src/app.controller.ts
@@ -27,14 +27,10 @@ export class AppController {
 @AuthParams() authParams: Params
 ) {
 try {
- return this.handleDefaultCheck(req, reply, token);
+ return this.handleDefaultCheck(authParams, req, reply, token);
 } catch (error) {
 if (isTokenExpired(error)) {
- try {
- return this.handleExpiredToken(authParams, token, req, reply);
- } catch {
- return this.handleError(req, reply);
- }
+ return this.handleExpiredToken(authParams, token, req, reply);
 }
 return this.handleError(req, reply);
@@ -53,9 +49,6 @@ export class AppController {
 let newToken = '';
 if (authMode === 'ldap-tfa') {
- const { aud } = this.appService.checkToken(token);
- if (aud === 'auth') return this.handleError(req, reply);
-
 newToken = await this.ldapService.refreshToken(token);
 }
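Review bot: The added `verify(token, { ignoreExpiration: true })` still checks the signature but places no upper bound on how long after `exp` a token can be exchanged for a fresh one, so a token that leaks stays exchangeable for as long as the signing key is valid; the ldap.service.ts hunk has the same shape. If this `JwtService` is @nestjs/jwt over jsonwebtoken, the `maxAge` verify option is enforced from `iat` independently of `ignoreExpiration`, so a bounded grace period can be written as `this.jwtService.verify<DecodedToken>(token, { ignoreExpiration: true, maxAge: REFRESH_WINDOW /* placeholder, e.g. a short duration string */ })`. The `<DecodedToken>` type argument also restores the typing that the removed `as DecodedToken` cast gave this code; without it the destructured `username` is `any`. refreshToken's body continues outside the hunk.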
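Review bot: Removing the inner try/catch around `handleExpiredToken` changes less than it looks like, but the remaining `try { return this.handleDefaultCheck(...) }` still only catches synchronous throws: the hunk at -53 shows `handleExpiredToken` awaiting `ldapService.refreshToken`, so it returns a promise, and a rejection from it — including the `UnauthorizedException` this commit adds in ldap.service.ts — never reached `handleError` before either and is now left to Nest's exception layer. If every failure in this handler is meant to go through `handleError`, the call needs to be awaited inside a try (`return await this.handleExpiredToken(authParams, token, req, reply);` with the handler marked `async` if it is not already); if letting Nest translate the exception is the intent, a one-line comment such as `// rejections from handleExpiredToken are surfaced by Nest's exception filter, not handleError` would stop the next reader from reinstating the catch. The enclosing handler's signature begins before the hunk.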
@@ -75,11 +68,20 @@ export class AppController {
 }
 }
- private handleDefaultCheck(req: FastifyRequest, reply: FastifyReply, token: string) {
+ private handleDefaultCheck(
+ { authMode }: Params,
+ req: FastifyRequest,
+ reply: FastifyReply,
+ token: string
+ ) {
 const { aud } = this.appService.checkToken(token);
 const originalUri = req.headers['x-original-uri'];
- if (aud === 'auth' && !['/auth', '/login', '/socket.io'].some((x) => originalUri.includes(x))) {
+ if (
+ authMode === 'ldap-tfa' &&
+ aud === 'auth' &&
+ !['/auth', '/login', '/socket.io'].some((x) => originalUri.includes(x))
+ ) {
 return this.handleError(req, reply);
 }
diff --git a/apps/api/src/ldap/ldap.service.ts b/apps/api/src/ldap/ldap.service.ts
index 9fdde97..395dce0 100644
--- a/apps/api/src/ldap/ldap.service.ts
+++ b/apps/api/src/ldap/ldap.service.ts
@@ -43,8 +43,12 @@ export class LdapService {
 public async refreshToken(token: string) {
 try {
- this.jwtService.verify(token);
- const { username } = this.jwtService.decode(token) as DecodedToken;
+ const { username, aud = '' } = this.jwtService.verify(token, {
+ ignoreExpiration: true,
+ });
+
+ if (aud === 'auth') throw new UnauthorizedException();
+
 const user = await ldap.authenticate(username);
 await this.cacheManager.set(username, user);
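Review bot: The rewritten condition keeps matching the allow-listed paths by substring, so `originalUri.includes(x)` lets a token with `aud === 'auth'` through to any URI that merely contains `/auth`, `/login` or `/socket.io` somewhere in it, not only requests to those endpoints. `req.headers['x-original-uri']` is also typed `string | string[] | undefined` under strict settings, so a request without that header makes `.includes` throw a TypeError that the caller's catch then routes to `handleError` by accident rather than by design. Normalising to a path and matching on a prefix boundary closes both: `const path = ((Array.isArray(originalUri) ? originalUri[0] : originalUri) ?? '').split('?')[0] ?? '';` and `!['/auth', '/login', '/socket.io'].some((x) => path === x || path.startsWith(x + '/'))`. Gating the check on `authMode === 'ldap-tfa'` presumably relies on `aud: 'auth'` tokens only being issued in that mode; if another mode can mint them, they now pass unchecked, so that assumption is worth a comment on the condition.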
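Review bot: `aud === 'auth'` only recognises a string audience, while the JWT `aud` claim may also be an array, and because `this.jwtService.verify` is called here without a type argument the destructured payload is `any`, so the compiler cannot flag the mismatch. If the tokens are issued by this codebase with a string `aud`, pin that with `this.jwtService.verify<DecodedToken>(token, { ignoreExpiration: true })` (DecodedToken is the type the removed line cast to); otherwise accept both shapes, `if (aud === 'auth' || (Array.isArray(aud) && aud.includes('auth'))) throw new UnauthorizedException();`. The throw sits inside a `try` whose `catch` lies outside the hunk; if that catch folds every error into a generic failure or a return value, the new exception may not reach the controller as a 401, which is worth confirming.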