diff --git a/lib/keyserver-conn/recovery-utils.js b/lib/keyserver-conn/recovery-utils.js
--- a/lib/keyserver-conn/recovery-utils.js
+++ b/lib/keyserver-conn/recovery-utils.js
@@ -18,6 +18,7 @@
   sessionIDSelector,
   urlPrefixSelector,
 } from '../selectors/keyserver-selectors.js';
+import { IdentityClientContext } from '../shared/identity-client-context.js';
 import type { RecoveryActionSource } from '../types/account-types.js';
 import type { Endpoint } from '../types/endpoints.js';
 import type { Dispatch } from '../types/redux-types.js';
@@ -155,8 +156,10 @@
   const logOut = useLogOut();
   const dispatchActionPromise = useDispatchActionPromise();
 
+  const identityContext = React.useContext(IdentityClientContext);
+
   const invalidateKeyserverSession = React.useCallback(
-    (
+    async (
       source: RecoveryActionSource,
       sessionChange: ClientSessionChange,
       hasBeenCancelled: () => boolean,
@@ -164,6 +167,12 @@
       if (hasBeenCancelled()) {
         return;
       }
+      // we want to get auth metadata before calling setNewSession
+      // because after that call it is cleared and useLogOut
+      // is unable to fetch it
+      invariant(identityContext, 'Identity client context should be set');
+      const preRequestAuthMetadata = await identityContext.getAuthMetadata();
+
       setNewSession(
         dispatch,
         sessionChange,
@@ -176,10 +185,13 @@
         keyserverID === authoritativeKeyserverID() &&
         relyingOnAuthoritativeKeyserver
       ) {
-        void dispatchActionPromise(logOutActionTypes, logOut());
+        void dispatchActionPromise(
+          logOutActionTypes,
+          logOut(preRequestAuthMetadata),
+        );
       }
     },
-    [dispatch, keyserverID, dispatchActionPromise, logOut],
+    [dispatch, keyserverID, dispatchActionPromise, identityContext, logOut],
   );
 
   return React.useCallback(
@@ -214,7 +226,11 @@
           !sessionChange.cookie ||
           !sessionChange.cookie.startsWith('user=')
         ) {
-          invalidateKeyserverSession(source, sessionChange, hasBeenCancelled);
+          await invalidateKeyserverSession(
+            source,
+            sessionChange,
+            hasBeenCancelled,
+          );
         }
       } catch (e) {
         if (hasBeenCancelled()) {
@@ -224,7 +240,7 @@
           `Error during recovery login with keyserver ${keyserverID}`,
           e,
         );
-        invalidateKeyserverSession(
+        await invalidateKeyserverSession(
           source,
           genericCookieInvalidation,
           hasBeenCancelled,