diff --git a/services/tunnelbroker/src/constants.rs b/services/tunnelbroker/src/constants.rs
index 0cd2abb12..6f6bc27eb 100644
--- a/services/tunnelbroker/src/constants.rs
+++ b/services/tunnelbroker/src/constants.rs
@@ -1,56 +1,58 @@
 use tokio::time::Duration;
 
 pub const GRPC_TX_QUEUE_SIZE: usize = 32;
 pub const GRPC_SERVER_PORT: u16 = 50051;
 pub const GRPC_KEEP_ALIVE_PING_INTERVAL: Duration = Duration::from_secs(3);
 pub const GRPC_KEEP_ALIVE_PING_TIMEOUT: Duration = Duration::from_secs(10);
 
 pub const SOCKET_HEARTBEAT_TIMEOUT: Duration = Duration::from_secs(3);
 
 pub const MAX_RMQ_MSG_PRIORITY: u8 = 10;
 pub const DDB_RMQ_MSG_PRIORITY: u8 = 10;
 pub const CLIENT_RMQ_MSG_PRIORITY: u8 = 1;
 pub const RMQ_CONSUMER_TAG: &str = "tunnelbroker";
 pub const ENV_APNS_CONFIG: &str = "APNS_CONFIG";
 pub const ENV_FCM_CONFIG: &str = "FCM_CONFIG";
 pub const ENV_WEB_PUSH_CONFIG: &str = "WEB_PUSH_CONFIG";
 
 pub const LOG_LEVEL_ENV_VAR: &str =
   tracing_subscriber::filter::EnvFilter::DEFAULT_ENV;
 pub const FCM_ACCESS_TOKEN_GENERATION_THRESHOLD: u64 = 5 * 60;
 
 pub mod dynamodb {
   // This table holds messages which could not be immediately delivered to
   // a device.
   //
   // - (primary key) = (deviceID: Partition Key, createdAt: Sort Key)
   // - deviceID: The public key of a device's olm identity key
   // - payload: Message to be delivered. See shared/tunnelbroker_messages.
   // - messageID = [createdAt]#[clientMessageID]
   //    - createdAd:  UNIX timestamp of when the item was inserted.
   //      Timestamp is needed to order the messages correctly to the device.
   //      Timestamp format is ISO 8601 to handle lexicographical sorting.
   //    - clientMessageID: Message ID generated on client using UUID Version 4.
   pub mod undelivered_messages {
     pub const TABLE_NAME: &str = "tunnelbroker-undelivered-messages";
     pub const PARTITION_KEY: &str = "deviceID";
     pub const DEVICE_ID: &str = "deviceID";
     pub const PAYLOAD: &str = "payload";
     pub const MESSAGE_ID: &str = "messageID";
     pub const SORT_KEY: &str = "messageID";
   }
 
   // This table holds a device token associated with a device.
   //
   // - (primary key) = (deviceID: Partition Key)
-  // - deviceID: The public key of a device's olm identity key
+  // - deviceID: The public key of a device's olm identity key.
   // - deviceToken: Token to push services uploaded by device.
+  // - tokenInvalid: Information is token is invalid.
   pub mod device_tokens {
     pub const TABLE_NAME: &str = "tunnelbroker-device-tokens";
     pub const PARTITION_KEY: &str = "deviceID";
     pub const DEVICE_ID: &str = "deviceID";
     pub const DEVICE_TOKEN: &str = "deviceToken";
+    pub const TOKEN_INVALID: &str = "tokenInvalid";
 
     pub const DEVICE_TOKEN_INDEX_NAME: &str = "deviceToken-index";
   }
 }
diff --git a/services/tunnelbroker/src/database/mod.rs b/services/tunnelbroker/src/database/mod.rs
index 9261d8d42..0fbdc3ee4 100644
--- a/services/tunnelbroker/src/database/mod.rs
+++ b/services/tunnelbroker/src/database/mod.rs
@@ -1,249 +1,260 @@
 use comm_lib::aws::ddb::error::SdkError;
 use comm_lib::aws::ddb::operation::delete_item::{
   DeleteItemError, DeleteItemOutput,
 };
 use comm_lib::aws::ddb::operation::put_item::PutItemError;
 use comm_lib::aws::ddb::operation::query::QueryError;
 use comm_lib::aws::ddb::types::AttributeValue;
 use comm_lib::aws::{AwsConfig, DynamoDBClient};
 use comm_lib::database::{AttributeExtractor, AttributeMap, Error};
 use std::collections::HashMap;
 use std::sync::Arc;
 use tracing::{debug, error, warn};
 
 use crate::constants::dynamodb::{device_tokens, undelivered_messages};
 
 pub mod message;
 pub mod message_id;
 
 use crate::database::message_id::MessageID;
 pub use message::*;
 
 #[derive(Clone)]
 pub struct DatabaseClient {
   client: Arc<DynamoDBClient>,
 }
 
 pub fn handle_ddb_error<E>(db_error: SdkError<E>) -> tonic::Status {
   match db_error {
     SdkError::TimeoutError(_) | SdkError::ServiceError(_) => {
       tonic::Status::unavailable("please retry")
     }
     e => {
       error!("Encountered an unexpected error: {}", e);
       tonic::Status::failed_precondition("unexpected error")
     }
   }
 }
 
+pub struct DeviceTokenEntry {
+  pub device_token: String,
+  pub token_invalid: bool,
+}
+
 impl DatabaseClient {
   pub fn new(aws_config: &AwsConfig) -> Self {
     let client = DynamoDBClient::new(aws_config);
 
     DatabaseClient {
       client: Arc::new(client),
     }
   }
 
   pub async fn persist_message(
     &self,
     device_id: &str,
     payload: &str,
     client_message_id: &str,
   ) -> Result<String, SdkError<PutItemError>> {
     let message_id: String =
       MessageID::new(client_message_id.to_string()).into();
 
     let device_av = AttributeValue::S(device_id.to_string());
     let payload_av = AttributeValue::S(payload.to_string());
     let message_id_av = AttributeValue::S(message_id.clone());
 
     let request = self
       .client
       .put_item()
       .table_name(undelivered_messages::TABLE_NAME)
       .item(undelivered_messages::PARTITION_KEY, device_av)
       .item(undelivered_messages::SORT_KEY, message_id_av)
       .item(undelivered_messages::PAYLOAD, payload_av);
 
     debug!("Persisting message to device: {}", &device_id);
 
     request.send().await?;
     Ok(message_id)
   }
 
   pub async fn retrieve_messages(
     &self,
     device_id: &str,
   ) -> Result<Vec<AttributeMap>, SdkError<QueryError>> {
     debug!("Retrieving messages for device: {}", device_id);
 
     let response = self
       .client
       .query()
       .table_name(undelivered_messages::TABLE_NAME)
       .key_condition_expression(format!(
         "{} = :u",
         undelivered_messages::PARTITION_KEY
       ))
       .expression_attribute_values(
         ":u",
         AttributeValue::S(device_id.to_string()),
       )
       .consistent_read(true)
       .send()
       .await?;
 
     debug!("Retrieved {} messages for {}", response.count, device_id);
     match response.items {
       None => Ok(Vec::new()),
       Some(items) => Ok(items.to_vec()),
     }
   }
 
   pub async fn delete_message(
     &self,
     device_id: &str,
     message_id: &str,
   ) -> Result<DeleteItemOutput, SdkError<DeleteItemError>> {
     debug!("Deleting message for device: {}", device_id);
 
     let key = HashMap::from([
       (
         undelivered_messages::PARTITION_KEY.to_string(),
         AttributeValue::S(device_id.to_string()),
       ),
       (
         undelivered_messages::SORT_KEY.to_string(),
         AttributeValue::S(message_id.to_string()),
       ),
     ]);
 
     self
       .client
       .delete_item()
       .table_name(undelivered_messages::TABLE_NAME)
       .set_key(Some(key))
       .send()
       .await
   }
 
   pub async fn remove_device_token(
     &self,
     device_id: &str,
   ) -> Result<(), Error> {
     debug!("Removing device token for device: {}", &device_id);
 
     let device_av = AttributeValue::S(device_id.to_string());
     self
       .client
       .delete_item()
       .table_name(device_tokens::TABLE_NAME)
       .key(device_tokens::PARTITION_KEY, device_av)
       .send()
       .await
       .map_err(|e| {
         error!("DynamoDB client failed to remove device token: {:?}", e);
         Error::AwsSdk(e.into())
       })?;
 
     Ok(())
   }
 
   pub async fn get_device_token(
     &self,
     device_id: &str,
-  ) -> Result<Option<String>, Error> {
+  ) -> Result<Option<DeviceTokenEntry>, Error> {
     let get_response = self
       .client
       .get_item()
       .table_name(device_tokens::TABLE_NAME)
       .key(
         device_tokens::PARTITION_KEY,
         AttributeValue::S(device_id.into()),
       )
       .send()
       .await
       .map_err(|e| {
         error!("DynamoDB client failed to get device token");
         Error::AwsSdk(e.into())
       })?;
 
     let Some(mut item) = get_response.item else {
       return Ok(None);
     };
 
     let device_token: String = item.take_attr(device_tokens::DEVICE_TOKEN)?;
-    Ok(Some(device_token))
+    let token_invalid: Option<bool> =
+      item.take_attr(device_tokens::TOKEN_INVALID)?;
+
+    Ok(Some(DeviceTokenEntry {
+      device_token,
+      token_invalid: token_invalid.unwrap_or(false),
+    }))
   }
 
   pub async fn set_device_token(
     &self,
     device_id: &str,
     device_token: &str,
   ) -> Result<(), Error> {
     debug!("Setting device token for device: {}", &device_id);
 
     let query_response = self
       .client
       .query()
       .table_name(device_tokens::TABLE_NAME)
       .index_name(device_tokens::DEVICE_TOKEN_INDEX_NAME)
       .key_condition_expression("#device_token = :token")
       .expression_attribute_names("#device_token", device_tokens::DEVICE_TOKEN)
       .expression_attribute_values(
         ":token",
         AttributeValue::S(device_token.to_string()),
       )
       .send()
       .await
       .map_err(|e| {
         error!(
           "DynamoDB client failed to find existing device token {:?}",
           e
         );
         Error::AwsSdk(e.into())
       })?;
 
     if let Some(existing_tokens) = query_response.items {
       if existing_tokens.len() > 1 {
         warn!("Found the same token for multiple devices!");
         debug!("Duplicated token is: {device_token}. Removing...");
       } else if !existing_tokens.is_empty() {
         debug!(
           "Device token {device_token} already exists. It will be replaced..."
         );
       }
 
       for mut item in existing_tokens {
         let found_device_id =
           item.take_attr::<String>(device_tokens::DEVICE_ID)?;
         // PutItem will replace token with `device_id` key anyway.
         if found_device_id != device_id {
           self.remove_device_token(&found_device_id).await?;
         }
       }
     }
 
     self
       .client
       .put_item()
       .table_name(device_tokens::TABLE_NAME)
       .item(
         device_tokens::PARTITION_KEY,
         AttributeValue::S(device_id.to_string()),
       )
       .item(
         device_tokens::DEVICE_TOKEN,
         AttributeValue::S(device_token.to_string()),
       )
       .send()
       .await
       .map_err(|e| {
         error!("DynamoDB client failed to set device token {:?}", e);
         Error::AwsSdk(e.into())
       })?;
 
     Ok(())
   }
 }
diff --git a/services/tunnelbroker/src/websockets/session.rs b/services/tunnelbroker/src/websockets/session.rs
index 5205d1d7e..d759ae879 100644
--- a/services/tunnelbroker/src/websockets/session.rs
+++ b/services/tunnelbroker/src/websockets/session.rs
@@ -1,575 +1,586 @@
 use crate::constants::{
   CLIENT_RMQ_MSG_PRIORITY, DDB_RMQ_MSG_PRIORITY, MAX_RMQ_MSG_PRIORITY,
   RMQ_CONSUMER_TAG,
 };
 use comm_lib::aws::ddb::error::SdkError;
 use comm_lib::aws::ddb::operation::put_item::PutItemError;
 use derive_more;
 use futures_util::stream::SplitSink;
 use futures_util::SinkExt;
 use futures_util::StreamExt;
 use hyper_tungstenite::{tungstenite::Message, WebSocketStream};
 use lapin::message::Delivery;
 use lapin::options::{
   BasicCancelOptions, BasicConsumeOptions, BasicPublishOptions,
   QueueDeclareOptions, QueueDeleteOptions,
 };
 use lapin::types::FieldTable;
 use lapin::BasicProperties;
 use tokio::io::AsyncRead;
 use tokio::io::AsyncWrite;
 use tracing::{debug, error, info, trace};
 use tunnelbroker_messages::{
   message_to_device_request_status::Failure,
   message_to_device_request_status::MessageSentStatus, session::DeviceTypes,
   DeviceToTunnelbrokerMessage, Heartbeat, MessageToDevice,
   MessageToDeviceRequest, MessageToTunnelbroker,
 };
 
 use crate::database::{self, DatabaseClient, MessageToDeviceExt};
 use crate::identity;
 use crate::notifs::apns::headers::NotificationHeaders;
 use crate::notifs::apns::APNsNotif;
 use crate::notifs::fcm::firebase_message::{
   AndroidConfig, AndroidMessagePriority, FCMMessage,
 };
 use crate::notifs::web_push::WebPushNotif;
 use crate::notifs::NotifClient;
 
 pub struct DeviceInfo {
   pub device_id: String,
   pub notify_token: Option<String>,
   pub device_type: DeviceTypes,
   pub device_app_version: Option<String>,
   pub device_os: Option<String>,
   pub is_authenticated: bool,
 }
 
 pub struct WebsocketSession<S> {
   tx: SplitSink<WebSocketStream<S>, Message>,
   db_client: DatabaseClient,
   pub device_info: DeviceInfo,
   amqp_channel: lapin::Channel,
   // Stream of messages from AMQP endpoint
   amqp_consumer: lapin::Consumer,
   notif_client: NotifClient,
 }
 
 #[derive(
   Debug, derive_more::Display, derive_more::From, derive_more::Error,
 )]
 pub enum SessionError {
   InvalidMessage,
   SerializationError(serde_json::Error),
   MessageError(database::MessageErrors),
   AmqpError(lapin::Error),
   InternalError,
   UnauthorizedDevice,
   PersistenceError(SdkError<PutItemError>),
   DatabaseError(comm_lib::database::Error),
   MissingAPNsClient,
   MissingFCMClient,
   MissingWebPushClient,
   MissingDeviceToken,
+  InvalidDeviceToken,
 }
 
 // Parse a session request and retrieve the device information
 pub async fn handle_first_message_from_device(
   message: &str,
 ) -> Result<DeviceInfo, SessionError> {
   let serialized_message =
     serde_json::from_str::<DeviceToTunnelbrokerMessage>(message)?;
 
   match serialized_message {
     DeviceToTunnelbrokerMessage::ConnectionInitializationMessage(
       mut session_info,
     ) => {
       let device_info = DeviceInfo {
         device_id: session_info.device_id.clone(),
         notify_token: session_info.notify_token.take(),
         device_type: session_info.device_type,
         device_app_version: session_info.device_app_version.take(),
         device_os: session_info.device_os.take(),
         is_authenticated: true,
       };
 
       // Authenticate device
       debug!("Authenticating device: {}", &session_info.device_id);
       let auth_request = identity::verify_user_access_token(
         &session_info.user_id,
         &device_info.device_id,
         &session_info.access_token,
       )
       .await;
 
       match auth_request {
         Err(e) => {
           error!("Failed to complete request to identity service: {:?}", e);
           return Err(SessionError::InternalError);
         }
         Ok(false) => {
           info!("Device failed authentication: {}", &session_info.device_id);
           return Err(SessionError::UnauthorizedDevice);
         }
         Ok(true) => {
           debug!(
             "Successfully authenticated device: {}",
             &session_info.device_id
           );
         }
       }
 
       Ok(device_info)
     }
     DeviceToTunnelbrokerMessage::AnonymousInitializationMessage(
       session_info,
     ) => {
       debug!(
         "Starting unauthenticated session with device: {}",
         &session_info.device_id
       );
       let device_info = DeviceInfo {
         device_id: session_info.device_id,
         device_type: session_info.device_type,
         device_app_version: session_info.device_app_version,
         device_os: session_info.device_os,
         is_authenticated: false,
         notify_token: None,
       };
       Ok(device_info)
     }
     _ => {
       debug!("Received invalid request");
       Err(SessionError::InvalidMessage)
     }
   }
 }
 
 async fn publish_persisted_messages(
   db_client: &DatabaseClient,
   amqp_channel: &lapin::Channel,
   device_info: &DeviceInfo,
 ) -> Result<(), SessionError> {
   let messages = db_client
     .retrieve_messages(&device_info.device_id)
     .await
     .unwrap_or_else(|e| {
       error!("Error while retrieving messages: {}", e);
       Vec::new()
     });
 
   for message in messages {
     let message_to_device = MessageToDevice::from_hashmap(message)?;
 
     let serialized_message = serde_json::to_string(&message_to_device)?;
 
     amqp_channel
       .basic_publish(
         "",
         &message_to_device.device_id,
         BasicPublishOptions::default(),
         serialized_message.as_bytes(),
         BasicProperties::default().with_priority(DDB_RMQ_MSG_PRIORITY),
       )
       .await?;
   }
 
   debug!("Flushed messages for device: {}", &device_info.device_id);
   Ok(())
 }
 
 pub async fn initialize_amqp(
   db_client: DatabaseClient,
   frame: Message,
   amqp_channel: &lapin::Channel,
 ) -> Result<(DeviceInfo, lapin::Consumer), SessionError> {
   let device_info = match frame {
     Message::Text(payload) => {
       handle_first_message_from_device(&payload).await?
     }
     _ => {
       error!("Client sent wrong frame type for establishing connection");
       return Err(SessionError::InvalidMessage);
     }
   };
 
   let mut args = FieldTable::default();
   args.insert("x-max-priority".into(), MAX_RMQ_MSG_PRIORITY.into());
   amqp_channel
     .queue_declare(&device_info.device_id, QueueDeclareOptions::default(), args)
     .await?;
 
   publish_persisted_messages(&db_client, amqp_channel, &device_info).await?;
 
   let amqp_consumer = amqp_channel
     .basic_consume(
       &device_info.device_id,
       RMQ_CONSUMER_TAG,
       BasicConsumeOptions::default(),
       FieldTable::default(),
     )
     .await?;
   Ok((device_info, amqp_consumer))
 }
 impl<S: AsyncRead + AsyncWrite + Unpin> WebsocketSession<S> {
   pub fn new(
     tx: SplitSink<WebSocketStream<S>, Message>,
     db_client: DatabaseClient,
     device_info: DeviceInfo,
     amqp_channel: lapin::Channel,
     amqp_consumer: lapin::Consumer,
     notif_client: NotifClient,
   ) -> Self {
     Self {
       tx,
       db_client,
       device_info,
       amqp_channel,
       amqp_consumer,
       notif_client,
     }
   }
 
   pub async fn handle_message_to_device(
     &self,
     message_request: &MessageToDeviceRequest,
   ) -> Result<(), SessionError> {
     let message_id = self
       .db_client
       .persist_message(
         &message_request.device_id,
         &message_request.payload,
         &message_request.client_message_id,
       )
       .await?;
 
     let message_to_device = MessageToDevice {
       device_id: message_request.device_id.clone(),
       payload: message_request.payload.clone(),
       message_id: message_id.clone(),
     };
 
     let serialized_message = serde_json::to_string(&message_to_device)?;
 
     let publish_result = self
       .amqp_channel
       .basic_publish(
         "",
         &message_request.device_id,
         BasicPublishOptions::default(),
         serialized_message.as_bytes(),
         BasicProperties::default().with_priority(CLIENT_RMQ_MSG_PRIORITY),
       )
       .await;
 
     if let Err(publish_error) = publish_result {
       self
         .db_client
         .delete_message(&self.device_info.device_id, &message_id)
         .await
         .expect("Error deleting message");
       return Err(SessionError::AmqpError(publish_error));
     }
     Ok(())
   }
 
   pub async fn handle_message_to_tunnelbroker(
     &self,
     message_to_tunnelbroker: &MessageToTunnelbroker,
   ) -> Result<(), SessionError> {
     match message_to_tunnelbroker {
       MessageToTunnelbroker::SetDeviceToken(token) => {
         self
           .db_client
           .set_device_token(&self.device_info.device_id, &token.device_token)
           .await?;
       }
     }
 
     Ok(())
   }
 
   pub async fn handle_websocket_frame_from_device(
     &mut self,
     msg: String,
   ) -> Option<MessageSentStatus> {
     let Ok(serialized_message) =
       serde_json::from_str::<DeviceToTunnelbrokerMessage>(&msg)
     else {
       return Some(MessageSentStatus::SerializationError(msg));
     };
 
     match serialized_message {
       DeviceToTunnelbrokerMessage::Heartbeat(Heartbeat {}) => {
         trace!("Received heartbeat from: {}", self.device_info.device_id);
         None
       }
       DeviceToTunnelbrokerMessage::MessageReceiveConfirmation(confirmation) => {
         for message_id in confirmation.message_ids {
           if let Err(e) = self
             .db_client
             .delete_message(&self.device_info.device_id, &message_id)
             .await
           {
             error!("Failed to delete message: {}:", e);
           }
         }
 
         None
       }
       DeviceToTunnelbrokerMessage::MessageToDeviceRequest(message_request) => {
         // unauthenticated clients cannot send messages
         if !self.device_info.is_authenticated {
           debug!(
             "Unauthenticated device {} tried to send text message. Aborting.",
             self.device_info.device_id
           );
           return Some(MessageSentStatus::Unauthenticated);
         }
         debug!("Received message for {}", message_request.device_id);
 
         let result = self.handle_message_to_device(&message_request).await;
         Some(self.get_message_to_device_status(
           &message_request.client_message_id,
           result,
         ))
       }
       DeviceToTunnelbrokerMessage::MessageToTunnelbrokerRequest(
         message_request,
       ) => {
         // unauthenticated clients cannot send messages
         if !self.device_info.is_authenticated {
           debug!(
             "Unauthenticated device {} tried to send text message. Aborting.",
             self.device_info.device_id
           );
           return Some(MessageSentStatus::Unauthenticated);
         }
         debug!("Received message for Tunnelbroker");
 
         let Ok(message_to_tunnelbroker) =
           serde_json::from_str(&message_request.payload)
         else {
           return Some(MessageSentStatus::SerializationError(
             message_request.payload,
           ));
         };
 
         let result = self
           .handle_message_to_tunnelbroker(&message_to_tunnelbroker)
           .await;
         Some(self.get_message_to_device_status(
           &message_request.client_message_id,
           result,
         ))
       }
       DeviceToTunnelbrokerMessage::APNsNotif(notif) => {
         // unauthenticated clients cannot send notifs
         if !self.device_info.is_authenticated {
           debug!(
             "Unauthenticated device {} tried to send text notif. Aborting.",
             self.device_info.device_id
           );
           return Some(MessageSentStatus::Unauthenticated);
         }
         debug!("Received APNs notif for {}", notif.device_id);
 
         let Ok(headers) =
           serde_json::from_str::<NotificationHeaders>(&notif.headers)
         else {
           return Some(MessageSentStatus::SerializationError(notif.headers));
         };
 
         let device_token = match self.get_device_token(notif.device_id).await {
           Ok(token) => token,
           Err(e) => {
             return Some(
               self
                 .get_message_to_device_status(&notif.client_message_id, Err(e)),
             )
           }
         };
 
         let apns_notif = APNsNotif {
           device_token,
           headers,
           payload: notif.payload,
         };
 
         if let Some(apns) = self.notif_client.apns.clone() {
           let response = apns.send(apns_notif).await;
           return Some(
             self
               .get_message_to_device_status(&notif.client_message_id, response),
           );
         }
 
         Some(self.get_message_to_device_status(
           &notif.client_message_id,
           Err(SessionError::MissingAPNsClient),
         ))
       }
       DeviceToTunnelbrokerMessage::FCMNotif(notif) => {
         // unauthenticated clients cannot send notifs
         if !self.device_info.is_authenticated {
           debug!(
             "Unauthenticated device {} tried to send text notif. Aborting.",
             self.device_info.device_id
           );
           return Some(MessageSentStatus::Unauthenticated);
         }
         debug!("Received FCM notif for {}", notif.device_id);
 
         let Some(priority) = AndroidMessagePriority::from_str(&notif.priority)
         else {
           return Some(MessageSentStatus::SerializationError(notif.priority));
         };
 
         let Ok(data) = serde_json::from_str(&notif.data) else {
           return Some(MessageSentStatus::SerializationError(notif.data));
         };
 
         let device_token = match self.get_device_token(notif.device_id).await {
           Ok(token) => token,
           Err(e) => {
             return Some(
               self
                 .get_message_to_device_status(&notif.client_message_id, Err(e)),
             )
           }
         };
 
         let fcm_message = FCMMessage {
           data,
           token: device_token.to_string(),
           android: AndroidConfig { priority },
         };
 
         if let Some(fcm) = self.notif_client.fcm.clone() {
           let response = fcm.send(fcm_message).await;
           return Some(
             self
               .get_message_to_device_status(&notif.client_message_id, response),
           );
         }
 
         Some(self.get_message_to_device_status(
           &notif.client_message_id,
           Err(SessionError::MissingFCMClient),
         ))
       }
       DeviceToTunnelbrokerMessage::WebPushNotif(notif) => {
         // unauthenticated clients cannot send notifs
         if !self.device_info.is_authenticated {
           debug!(
             "Unauthenticated device {} tried to send web push notif. Aborting.",
             self.device_info.device_id
           );
           return Some(MessageSentStatus::Unauthenticated);
         }
         debug!("Received WebPush notif for {}", notif.device_id);
 
         let Some(web_push_client) = self.notif_client.web_push.clone() else {
           return Some(self.get_message_to_device_status(
             &notif.client_message_id,
             Err(SessionError::MissingWebPushClient),
           ));
         };
 
         let device_token = match self.get_device_token(notif.device_id).await {
           Ok(token) => token,
           Err(e) => {
             return Some(
               self
                 .get_message_to_device_status(&notif.client_message_id, Err(e)),
             )
           }
         };
 
         let web_push_notif = WebPushNotif {
           device_token,
           payload: notif.payload,
         };
 
         let result = web_push_client.send(web_push_notif).await;
         Some(
           self.get_message_to_device_status(&notif.client_message_id, result),
         )
       }
       _ => {
         error!("Client sent invalid message type");
         Some(MessageSentStatus::InvalidRequest)
       }
     }
   }
 
   pub async fn next_amqp_message(
     &mut self,
   ) -> Option<Result<Delivery, lapin::Error>> {
     self.amqp_consumer.next().await
   }
 
   pub async fn send_message_to_device(&mut self, message: Message) {
     if let Err(e) = self.tx.send(message).await {
       error!("Failed to send message to device: {}", e);
     }
   }
 
   // Release WebSocket and remove from active connections
   pub async fn close(&mut self) {
     if let Err(e) = self.tx.close().await {
       debug!("Failed to close WebSocket session: {}", e);
     }
 
     if let Err(e) = self
       .amqp_channel
       .basic_cancel(
         self.amqp_consumer.tag().as_str(),
         BasicCancelOptions::default(),
       )
       .await
     {
       error!("Failed to cancel consumer: {}", e);
     }
 
     if let Err(e) = self
       .amqp_channel
       .queue_delete(
         self.device_info.device_id.as_str(),
         QueueDeleteOptions::default(),
       )
       .await
     {
       error!("Failed to delete queue: {}", e);
     }
   }
 
   pub fn get_message_to_device_status<E>(
     &mut self,
     client_message_id: &str,
     result: Result<(), E>,
   ) -> MessageSentStatus
   where
     E: std::error::Error,
   {
     match result {
       Ok(()) => MessageSentStatus::Success(client_message_id.to_string()),
       Err(err) => MessageSentStatus::Error(Failure {
         id: client_message_id.to_string(),
         error: err.to_string(),
       }),
     }
   }
 
   async fn get_device_token(
     &self,
     device_id: String,
   ) -> Result<String, SessionError> {
     let db_token = self
       .db_client
       .get_device_token(&device_id)
       .await
       .map_err(SessionError::DatabaseError)?;
-    db_token.ok_or_else(|| SessionError::MissingDeviceToken)
+
+    match db_token {
+      Some(token) => {
+        if token.token_invalid {
+          Err(SessionError::InvalidDeviceToken)
+        } else {
+          Ok(token.device_token)
+        }
+      }
+      None => Err(SessionError::MissingDeviceToken),
+    }
   }
 }