diff --git a/src/apps.js b/src/apps.js
index d138e604a..4098a36e7 100644
--- a/src/apps.js
+++ b/src/apps.js
@@ -903,7 +903,6 @@ async function del(id) {
         { query: 'DELETE FROM appPortBindings WHERE appId = ?', args: [ id ] },
         { query: 'DELETE FROM appEnvVars WHERE appId = ?', args: [ id ] },
         { query: 'DELETE FROM appPasswords WHERE identifier = ?', args: [ id ] },
-        { query: 'DELETE FROM mailPasswords WHERE appId = ?', args: [ id ] },
         { query: 'DELETE FROM appMounts WHERE appId = ?', args: [ id ] },
         { query: `UPDATE backupSites SET contentsJson = JSON_REMOVE(contentsJson, JSON_UNQUOTE(JSON_SEARCH(contentsJson, 'one', ?, NULL, '$.*[*]'))) WHERE contentsJson LIKE ${mysql.escape('%"' + id + '"%')}`, args: [ id ] },
         { query: 'DELETE FROM apps WHERE id = ?', args: [ id ] }
diff --git a/src/mailpasswords.js b/src/mailpasswords.js
index 87f2cfcbc..d1f2dc588 100644
--- a/src/mailpasswords.js
+++ b/src/mailpasswords.js
@@ -54,10 +54,17 @@ async function del(clientId, userId) {
     if (result.affectedRows !== 1) throw new BoxError(BoxError.NOT_FOUND, 'mail password not found');
 }
 
+async function purgeByClientId(clientId) {
+    assert.strictEqual(typeof clientId, 'string');
+
+    await database.query('DELETE FROM mailPasswords WHERE clientId = ?', [ clientId ]);
+}
+
 export default {
     get,
     getByUserId,
     add,
     list,
-    del
+    del,
+    purgeByClientId,
 };
diff --git a/src/oidcclients.js b/src/oidcclients.js
index 8d99db11f..7edd0f0c0 100644
--- a/src/oidcclients.js
+++ b/src/oidcclients.js
@@ -2,6 +2,7 @@ import assert from 'node:assert';
 import BoxError from './boxerror.js';
 import dashboard from './dashboard.js';
 import database from './database.js';
+import mailPasswords from './mailpasswords.js';
 import hat from './hat.js';
 import safe from 'safetydance';
 
@@ -106,6 +107,9 @@ async function del(id) {
 
     const result = await database.query(`DELETE FROM ${OIDC_CLIENTS_TABLE_NAME} WHERE id = ?`, [ id ]);
     if (result.affectedRows !== 1) throw new BoxError(BoxError.NOT_FOUND, 'client not found');
+
+    // also cleanup potentially issued oidc mailclient passwords
+    await mailPasswords.purgeByClientId(id);
 }
 
 async function list() {