diff --git a/keyserver/src/socket/tunnelbroker.js b/keyserver/src/socket/tunnelbroker.js
--- a/keyserver/src/socket/tunnelbroker.js
+++ b/keyserver/src/socket/tunnelbroker.js
@@ -47,8 +47,13 @@
 import sleep from 'lib/utils/sleep.js';
 
 import { fetchOlmAccount } from '../updaters/olm-account-updater.js';
-import { fetchIdentityInfo, saveIdentityInfo } from '../user/identity.js';
+import {
+  clearIdentityInfo,
+  fetchIdentityInfo,
+  saveIdentityInfo,
+} from '../user/identity.js';
 import type { IdentityInfo } from '../user/identity.js';
+import { verifyUserLoggedIn } from '../user/login.js';
 import { encrypt, decrypt } from '../utils/aes-crypto-utils.js';
 import {
   getContentSigningKey,
@@ -86,7 +91,13 @@
     shouldNotifyPrimaryAfterReopening: boolean,
     primaryDeviceID: ?string,
   ) => {
-    const identityInfo = await fetchIdentityInfo();
+    let identityInfo;
+    if (encryptionKey) {
+      identityInfo = await fetchIdentityInfo();
+    } else {
+      // for non-QR flow we can retry login
+      identityInfo = await verifyUserLoggedIn();
+    }
     new TunnelbrokerSocket({
       socketURL: tbConnectionInfo.url,
       onClose: async (successfullyAuthed: boolean, primaryID: ?string) => {
@@ -261,6 +272,11 @@
           'received ConnectionInitializationResponse with status: Success for already connected socket',
         );
       } else {
+        if (message.status.data?.includes('UnauthorizedDevice')) {
+          await clearIdentityInfo();
+          this.closeConnection();
+          return;
+        }
         this.connected = false;
         console.error(
           'creating session with Tunnelbroker error:',