diff --git a/keyserver/src/socket/tunnelbroker.js b/keyserver/src/socket/tunnelbroker.js
--- a/keyserver/src/socket/tunnelbroker.js
+++ b/keyserver/src/socket/tunnelbroker.js
@@ -3,6 +3,7 @@
 import WebSocket from 'ws';

 import {
+ refreshKeysTBMessageValidator,
 type TBKeyserverConnectionInitializationMessage,
 type MessageFromTunnelbroker,
 tunnelbrokerMessageTypes,
@@ -27,7 +28,11 @@
 }

 function handleTBMessageEvent(event: ArrayBuffer): Promise {
- const message: MessageFromTunnelbroker = JSON.parse(event.toString());
+ const rawMessage = JSON.parse(event.toString());
+ if (!refreshKeysTBMessageValidator.is(rawMessage)) {
+ throw new ServerError('unsupported_tunnelbroker_message');
+ }
+ const message: MessageFromTunnelbroker = rawMessage;

 if (message.type === tunnelbrokerMessageTypes.REFRESH_KEYS_REQUEST) {
 return uploadNewOneTimeKeys(message.numberOfKeys);
diff --git a/lib/types/tunnelbroker-messages.js b/lib/types/tunnelbroker-messages.js
--- a/lib/types/tunnelbroker-messages.js
+++ b/lib/types/tunnelbroker-messages.js
@@ -1,5 +1,9 @@
 // @flow

+import t, { type TInterface } from 'tcomb';
+
+import { tShape, tString } from '../utils/validation-utils.js';
+
 type TBSharedConnectionInitializationMessage = {
 +type: 'sessionRequest',
 +deviceId: string,
@@ -39,6 +43,13 @@
 +numberOfKeys: number,
 };

+export const refreshKeysTBMessageValidator: TInterface =
+ tShape({
+ type: tString('RefreshKeyRequest'),
+ deviceId: t.String,
+ numberOfKeys: t.Number,
+ });
+
 // Disjoint enumeration of all messages received from Tunnelbroker
 // Currently, only a single message
 export type MessageFromTunnelbroker = TBRefreshKeysRequest;
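Review bot: `JSON.parse(event.toString())` in `handleTBMessageEvent` is still outside any guard, so a frame that is not valid JSON raises a SyntaxError before the new validator runs, and both that error and the added `throw new ServerError('unsupported_tunnelbroker_message')` are thrown synchronously from a function declared to return a Promise. Whether the socket's message listener catches synchronous throws is not visible here (the function body and its caller continue outside the hunk), so I would declare it `async function handleTBMessageEvent(` so that every failure becomes a rejection the caller can handle and log. `ServerError` is also not among the imports this diff touches; confirm it is already imported in this file.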
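Review bot: `numberOfKeys: t.Number` in `refreshKeysTBMessageValidator` only checks that the value is a number, so a negative, fractional or very large count passes validation and is handed to `uploadNewOneTimeKeys(message.numberOfKeys)` in the keyserver hunk. I would constrain it in the validator, e.g. `numberOfKeys: t.refinement(t.Integer, n => n > 0 && n <= MAX_KEYS_PER_REFRESH),` where `MAX_KEYS_PER_REFRESH` is a placeholder for a limit the project chooses. The literal `'RefreshKeyRequest'` also duplicates whatever `tunnelbrokerMessageTypes.REFRESH_KEYS_REQUEST` holds (its value is not visible in this diff); if the two ever differ, a message would pass validation and then match no branch in the handler.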