diff --git a/http/api/tokenpki.go b/http/api/tokenpki.go
index 37b689b..ca3aae2 100644
--- a/http/api/tokenpki.go
+++ b/http/api/tokenpki.go
@@ -137,11 +137,6 @@ func DecryptTokenPKIHandler(store TokenPKIRetriever, tokenStore AuthTokensStorer
 			jsonError(w, err)
 			return
 		}
-		if !tokens.Valid() {
-			logger.Info("msg", "checking auth token validity", "err", "invalid tokens")
-			http.Error(w, http.StatusText(http.StatusBadRequest), http.StatusBadRequest)
-			return
-		}
 		storeTokens(r.Context(), logger, r.URL.Path, tokens, tokenStore, w)
 	}
 }
diff --git a/http/api/tokens.go b/http/api/tokens.go
index c7068bb..dcc61a5 100644
--- a/http/api/tokens.go
+++ b/http/api/tokens.go
@@ -67,16 +67,16 @@ func StoreAuthTokensHandler(store AuthTokensStorer, logger log.Logger) http.Hand
 			return
 		}
 		defer r.Body.Close()
-		if !tokens.Valid() {
-			logger.Info("msg", "checking auth token validity", "err", "invalid tokens")
-			http.Error(w, http.StatusText(http.StatusBadRequest), http.StatusBadRequest)
-			return
-		}
 		storeTokens(r.Context(), logger, r.URL.Path, tokens, store, w)
 	}
 }
 
 func storeTokens(ctx context.Context, logger log.Logger, name string, tokens *client.OAuth1Tokens, store AuthTokensStorer, w http.ResponseWriter) {
+	if !tokens.Valid() {
+		logger.Info("msg", "checking auth token validity", "err", "invalid tokens")
+		http.Error(w, http.StatusText(http.StatusBadRequest), http.StatusBadRequest)
+		return
+	}
 	logger = logger.With("consumer_key", tokens.ConsumerKey)
 	err := store.StoreAuthTokens(ctx, name, tokens)
 	if err != nil {