diff --git a/keyserver/src/services/blob.js b/keyserver/src/services/blob.js
--- a/keyserver/src/services/blob.js
+++ b/keyserver/src/services/blob.js
@@ -13,6 +13,7 @@
 } from 'lib/utils/blob-service.js';
 import { createHTTPAuthorizationHeader } from 'lib/utils/services-utils.js';
 
+import { clearIdentityInfo } from '../user/identity.js';
 import { verifyUserLoggedIn } from '../user/login.js';
 import { getContentSigningKey } from '../utils/olm-utils.js';
 
@@ -46,7 +47,11 @@
 ): Promise<BlobOperationResult> {
   const { hash: blobHash, holder } = params;
   const headers = await createRequestHeaders();
-  return assignBlobHolder({ blobHash, holder }, headers);
+  const assignResult = await assignBlobHolder({ blobHash, holder }, headers);
+  if (!assignResult.success && assignResult.reason === 'INVALID_CSAT') {
+    await clearIdentityInfo();
+  }
+  return assignResult;
 }
 
 async function uploadBlobKeyserverWrapper(
@@ -54,7 +59,11 @@
   hash: string,
 ): Promise<BlobOperationResult> {
   const authHeaders = await createRequestHeaders(false);
-  return uploadBlob(blob, hash, authHeaders);
+  const uploadResult = await uploadBlob(blob, hash, authHeaders);
+  if (!uploadResult.success && uploadResult.reason === 'INVALID_CSAT') {
+    await clearIdentityInfo();
+  }
+  return uploadResult;
 }
 
 async function upload(
@@ -108,7 +117,14 @@
 async function deleteBlob(params: BlobDescriptor, instant?: boolean) {
   const { hash: blobHash, holder } = params;
   const headers = await createRequestHeaders();
-  await removeBlobHolder({ blobHash, holder }, headers, instant);
+  const removeResult = await removeBlobHolder(
+    { blobHash, holder },
+    headers,
+    instant,
+  );
+  if (!removeResult.success && removeResult.reason === 'INVALID_CSAT') {
+    await clearIdentityInfo();
+  }
 }
 
 async function removeBlobHolders(holders: $ReadOnlyArray<BlobHashAndHolder>) {
diff --git a/lib/actions/upload-actions.js b/lib/actions/upload-actions.js
--- a/lib/actions/upload-actions.js
+++ b/lib/actions/upload-actions.js
@@ -129,6 +129,9 @@
         defaultHeaders,
       );
       if (!assignHolderResult.success) {
+        if (assignHolderResult.reason === 'INVALID_CSAT') {
+          throw new Error('invalid_csat');
+        }
         const { status, statusText } = assignHolderResult;
         throw new Error(`Server responded with HTTP ${status}: ${statusText}`);
       }
diff --git a/lib/utils/blob-service.js b/lib/utils/blob-service.js
--- a/lib/utils/blob-service.js
+++ b/lib/utils/blob-service.js
@@ -4,6 +4,7 @@
 import uuid from 'uuid';
 
 import { toBase64URL } from './base64.js';
+import { responseIsInvalidCSAT } from './services-utils.js';
 import { replacePathParams, type URLPathParams } from './url-utils.js';
 import { assertWithValidator } from './validation-utils.js';
 import type { BlobServiceHTTPEndpoint } from '../facts/blob-service.js';
@@ -79,7 +80,7 @@
     }
   | {
       +success: false,
-      +reason: 'HASH_IN_USE' | 'OTHER',
+      +reason: 'HASH_IN_USE' | 'INVALID_CSAT' | 'OTHER',
       +status: number,
       +statusText: string,
     };
@@ -131,7 +132,14 @@
 
   if (!uploadBlobResponse.ok) {
     const { status, statusText } = uploadBlobResponse;
-    const reason = status === 409 ? 'HASH_IN_USE' : 'OTHER';
+
+    let reason = 'OTHER';
+    if (status === 409) {
+      reason = 'HASH_IN_USE';
+    } else if (responseIsInvalidCSAT(uploadBlobResponse)) {
+      reason = 'INVALID_CSAT';
+    }
+
     return {
       success: false,
       reason,
@@ -165,7 +173,13 @@
 
   if (!response.ok) {
     const { status, statusText } = response;
-    return { success: false, reason: 'OTHER', status, statusText };
+    const reason = responseIsInvalidCSAT(response) ? 'INVALID_CSAT' : 'OTHER';
+    return {
+      success: false,
+      reason,
+      status,
+      statusText,
+    };
   }
 
   return { success: true, response };
@@ -193,7 +207,13 @@
 
   if (!response.ok) {
     const { status, statusText } = response;
-    return { success: false, reason: 'OTHER', status, statusText };
+    const reason = responseIsInvalidCSAT(response) ? 'INVALID_CSAT' : 'OTHER';
+    return {
+      success: false,
+      reason,
+      status,
+      statusText,
+    };
   }
 
   return { success: true, response };
diff --git a/lib/utils/services-utils.js b/lib/utils/services-utils.js
--- a/lib/utils/services-utils.js
+++ b/lib/utils/services-utils.js
@@ -35,10 +35,16 @@
   };
 }
 
+function responseIsInvalidCSAT(response: Response): boolean {
+  const { status } = response;
+  return status === 401 || status === 403;
+}
+
 export {
   usingCommServicesAccessToken,
   supportingMultipleKeyservers,
   relyingOnAuthoritativeKeyserver,
   createHTTPAuthorizationHeader,
   createDefaultHTTPRequestHeaders,
+  responseIsInvalidCSAT,
 };