diff --git a/apps/api/src/account/account.service.ts b/apps/api/src/account/account.service.ts
index 5c4da78..c0f6e03 100644
--- a/apps/api/src/account/account.service.ts
+++ b/apps/api/src/account/account.service.ts
@@ -94,6 +94,7 @@ export class AccountService {
   public async refreshToken(token: string) {
     try {
+      this.jwtService.verify(token);
       const { username } = this.jwtService.decode(token) as DecodedToken;
       const account = await this.accountModel.findOne({ username });
diff --git a/apps/api/src/app.controller.ts b/apps/api/src/app.controller.ts
index ac6e6ee..75fa32f 100644
--- a/apps/api/src/app.controller.ts
+++ b/apps/api/src/app.controller.ts
@@ -26,12 +26,10 @@ export class AppController {
     @AuthToken() token: string,
     @AuthParams() authParams: Params
   ) {
-    const { refreshToken } = authParams;
-
     try {
       return this.handleDefaultCheck(req, reply, token);
     } catch (error) {
-      if (isTokenExpired(error) && refreshToken) {
+      if (isTokenExpired(error)) {
         try {
           return this.handleExpiredToken(authParams, token, req, reply);
         } catch {
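Review bot: The added `this.jwtService.verify(token);` checks the token's expiry as well as its signature (jsonwebtoken's `ignoreExpiration` is off by default), and the only caller of `refreshToken` visible in this diff is `handleExpiredToken`, i.e. it is invoked with a token that has already expired — so the refresh path throws here before reaching the decode unless the module registers verify options that disable the expiry check, which the diff does not show. If the intent is signature-only validation of a stale token, make that explicit: `this.jwtService.verify(token, { ignoreExpiration: true });`. The identical added line in the ldap.service.ts hunk has the same issue. The rest of `refreshToken`, including the catch that would swallow this throw, lies outside the hunk.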
@@ -44,16 +42,31 @@ export class AppController {
   }
   private async handleExpiredToken(
-    { authMode }: Params,
+    { authMode, refreshToken }: Params,
     token: string,
     req: FastifyRequest,
     reply: FastifyReply
   ) {
+    if (!refreshToken) return this.handleError(req, reply);
+
     try {
-      const newToken =
-        authMode === 'account'
-          ? await this.accountService.refreshToken(token)
-          : await this.ldapService.refreshToken(token);
+      let newToken = '';
+
+      if (authMode === 'ldap-tfa') {
+        const { aud } = this.appService.checkToken(token);
+        if (aud === 'auth') return this.handleError(req, reply);
+
+        newToken = await this.ldapService.refreshToken(token);
+      }
+
+      if (authMode === 'ldap') {
+        newToken = await this.ldapService.refreshToken(token);
+      }
+
+      if (authMode === 'account') {
+        newToken = await this.accountService.refreshToken(token);
+      }
+
       reply.header('Authorization', `Bearer ${newToken}`);
       return reply.setCookie(env.COOKIE_TOKEN_NAME, newToken, cookieOptions).send();
@@ -62,8 +75,12 @@ export class AppController {
     }
   }
-  private handleDefaultCheck(_req: FastifyRequest, reply: FastifyReply, token: string) {
+  private handleDefaultCheck(req: FastifyRequest, reply: FastifyReply, token: string) {
     this.appService.checkToken(token);
+
+    const { aud } = this.appService.checkToken(token);
+    if (aud === 'auth') return this.handleError(req, reply);
+
     reply.header('Authorization', `Bearer ${token}`);
     return reply.send();
diff --git a/apps/api/src/app.service.ts b/apps/api/src/app.service.ts
index cc4d9bb..2f9b0a8 100644
--- a/apps/api/src/app.service.ts
+++ b/apps/api/src/app.service.ts
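Review bot: When `authMode` matches none of the three branches in `handleExpiredToken`, `newToken` keeps its initial `''` and the method still sets a `Bearer ` header and writes an empty value into `env.COOKIE_TOKEN_NAME` instead of failing. The three independent `if`s should be an `if`/`else if` chain that ends in `else return this.handleError(req, reply);`, so an unknown or missing mode is rejected the same way a missing `refreshToken` is. The `'ldap-tfa'` branch decides on `aud` from `appService.checkToken`, which after this commit only decodes; that is tolerable here only because `ldapService.refreshToken` verifies the signature right after, and a one-line comment stating that dependency would keep it from being reordered later. The enclosing try/catch continues past the hunk.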
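Review bot: `handleDefaultCheck` now relies entirely on `appService.checkToken`, which the app.service.ts hunk of this same commit changes from `jwtService.verify(token)` to `jwtService.decode(token)`; `decode` reads the payload without checking the signature or expiry, so the default gate accepts any well-formed token and `isTokenExpired` in the caller can no longer fire, which also makes the refresh path unreachable. The audience check should run on a verified payload: in app.service.ts make it `return this.jwtService.verify(token);` (in @nestjs/jwt `verify` returns the decoded payload), and drop the first, now redundant, `this.appService.checkToken(token);` line so the token is validated exactly once. The closing brace of `handleDefaultCheck` is outside the hunk.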
@@ -8,11 +8,11 @@ export class AppService {
   constructor(private readonly jwtService: JwtService) {}
   public checkToken(token: string) {
-    this.jwtService.verify(token);
+    return this.jwtService.decode(token);
   }
   public refreshToken(token: string) {
-    const payload = this.jwtService.decode(token) as DecodedToken;
+    const payload = this.jwtService.decode(token);
     return this.jwtService.sign(omit(payload, ['iat', 'exp']));
   }
diff --git a/apps/api/src/ldap-tfa/ldap-tfa.controller.ts b/apps/api/src/ldap-tfa/ldap-tfa.controller.ts
index 22b2c4a..c991846 100644
--- a/apps/api/src/ldap-tfa/ldap-tfa.controller.ts
+++ b/apps/api/src/ldap-tfa/ldap-tfa.controller.ts
@@ -2,6 +2,8 @@ import { Body, Controller, HttpException, HttpStatus, Post, Req, Res } from '@nestjs/common';
 import { ApiResponse, ApiTags } from '@nestjs/swagger';
 import { FastifyReply, FastifyRequest } from 'fastify';
+import { cookieOptions } from 'src/config/cookie';
+import { env } from 'src/config/env';
 import { Credentials } from 'src/dto/credentials';
 import { LdapController } from 'src/ldap/ldap.controller';
@@ -18,9 +20,11 @@ export class LdapTfaController extends LdapController {
     @Res() reply: FastifyReply
   ) {
     try {
-      const user = await this.ldapService.getUser(credentials.login);
+      const token = await this.ldapService.login(credentials, {
+        audience: 'auth',
+      });
-      return reply.status(200).send(user);
+      return reply.setCookie(env.COOKIE_TOKEN_NAME, token, cookieOptions).status(200).send();
     } catch {
       throw new HttpException('Unauthorized', HttpStatus.UNAUTHORIZED);
     }
diff --git a/apps/api/src/ldap/ldap.service.ts b/apps/api/src/ldap/ldap.service.ts
index a24415b..102d0ad 100644
--- a/apps/api/src/ldap/ldap.service.ts
+++ b/apps/api/src/ldap/ldap.service.ts
@@ -43,6 +43,7 @@ export class LdapService {
   public async refreshToken(token: string) {
     try {
+      this.jwtService.verify(token);
       const { username } = this.jwtService.decode(token) as DecodedToken;
       const user = await ldap.authenticate(username);
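Review bot: The pre-second-factor token issued by `ldapService.login(credentials, { audience: 'auth' })` is written into the same `env.COOKIE_TOKEN_NAME` cookie as a fully authenticated session and is told apart only by its `aud` claim, so its lifetime matters and nothing in the hunk bounds it. If the second argument is forwarded to `JwtService.sign` options (login's signature is not in the diff), give it a short explicit lifetime next to the audience, e.g. `{ audience: 'auth', expiresIn: '5m' }` (value constructed for illustration), and add a comment on the call stating that this token must only be accepted by the second-factor step, never by the default check. The enclosing handler's decorators and opening lines are outside the hunk.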
diff --git a/apps/api/src/ldap/types/jwt.ts b/apps/api/src/ldap/types/jwt.ts
index 1e58a0f..7dcdb6e 100644
--- a/apps/api/src/ldap/types/jwt.ts
+++ b/apps/api/src/ldap/types/jwt.ts
@@ -4,6 +4,7 @@ export type TokenPayload = {
 };
 export type DecodedToken = {
+  aud?: string;
   exp: number;
   iat: number;
 } & TokenPayload;
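Review bot: `aud?: string` is narrower than what the JWT `aud` claim allows — RFC 7519 and jsonwebtoken's own types permit `string | string[]` — and the controller gates on `aud === 'auth'`, which is false for `['auth']`, so a token signed with an array audience would pass the default check instead of being rejected. Either declare it as `aud?: string | string[];` and compare through a helper that handles both shapes (e.g. `[aud].flat().includes('auth')`), or keep `string` and document on the field that every sign site must pass a single string audience. Only string audiences are signed anywhere in this diff, so this is a hardening point rather than a live defect.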