diff --git a/src/lib/db/user-store.ts b/src/lib/db/user-store.ts
index bfe60c4662..517e0db1fb 100644
--- a/src/lib/db/user-store.ts
+++ b/src/lib/db/user-store.ts
@@ -215,6 +215,7 @@ class UserStore implements IUserStore {
 `${TABLE}.id`,
 )
 .where('secret', secret)
+ .andWhere('expires_at', '>', 'now()')
 .first();
 return rowToUser(row);
 }
diff --git a/src/test/e2e/api/admin/user/pat.e2e.test.ts b/src/test/e2e/api/admin/user/pat.e2e.test.ts
index d6a4feb7b8..364c96b104 100644
--- a/src/test/e2e/api/admin/user/pat.e2e.test.ts
+++ b/src/test/e2e/api/admin/user/pat.e2e.test.ts
@@ -2,9 +2,11 @@ import { IUnleashTest, setupAppWithAuth } from '../../../helpers/test-helper';
 import dbInit, { ITestDb } from '../../../helpers/database-init';
 import getLogger from '../../../../fixtures/no-logger';
 import { IPat } from '../../../../../lib/types/models/pat';
+import { IPatStore } from '../../../../../lib/types/stores/pat-store';
 let app: IUnleashTest;
 let db: ITestDb;
+let patStore: IPatStore;
 let tomorrow = new Date();
 let firstSecret;
@@ -13,6 +15,7 @@ tomorrow.setDate(tomorrow.getDate() + 1);
 beforeAll(async () => {
 db = await dbInit('user_pat', getLogger);
+ patStore = db.stores.patStore;
 app = await setupAppWithAuth(db.stores, {
 experimental: { flags: { personalAccessTokens: true } },
 });
@@ -188,3 +191,18 @@ test('should not get user with invalid token', async () => {
 .set('Authorization', 'randomtoken')
 .expect(401);
 });
+
+test('should not get user with expired token', async () => {
+ const token = await patStore.create({
+ id: 1,
+ secret: 'user:expired-token',
+ description: 'expired-token',
+ userId: 1,
+ expiresAt: new Date('2020-01-01'),
+ });
+
+ await app.request
+ .get('/api/admin/user')
+ .set('Authorization', token.secret)
+ .expect(401);
+});
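Review bot: The third argument in `.andWhere('expires_at', '>', 'now()')` is a bound string parameter, not a SQL function call, so the emitted query compares `expires_at` against the literal text `'now()'` and depends on the database implicitly casting that text to a timestamp; the new e2e test shows the cast works against the test database, but the intent would be explicit and independent of that parsing if the clock came from the builder, e.g. `.andWhere('expires_at', '>', this.db.fn.now())` (assuming the store's knex handle is `this.db` — the method's opening lines are outside the hunk). A second caveat worth a comment on that line: with a strict `>` against the current time, a row whose `expires_at` is NULL never satisfies the predicate, so if the column is nullable for non-expiring tokens those tokens would stop resolving here — `// NOTE: rows with a NULL expires_at are excluded; confirm the column is NOT NULL for PATs` would record whichever way that has been verified. The enclosing method starts before the hunk and its surrounding function is not visible.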
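Review bot: The new test hard-codes `id: 1` and `userId: 1` in the `patStore.create({...})` fixture; if the store forwards `id` into the insert, this can collide with a token the earlier tests in this file created through the API, and if it discards `id`, the field is dead weight, so either dropping `id` or choosing a value outside the range other tests use would make the fixture robust to ordering. The fixture also bypasses the service layer, presumably because the HTTP route would refuse a past `expiresAt`; a comment such as `// created directly through the store so a past expiresAt is not rejected by API validation` would explain why this test differs from the ones above it. Asserting only the 401 for a date years in the past is fine, but a companion check that a token with a future `expiresAt` still resolves would pin the boundary from both sides, unless an earlier test in this file already covers it.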