diff --git a/src/users.js b/src/users.js
index 04b63888e..76be96d8e 100644
--- a/src/users.js
+++ b/src/users.js
@@ -226,15 +226,15 @@ async function add(email, data, auditSource) {
 password: Buffer.from(derivedKey, 'binary').toString('hex'),
 salt: salt.toString('hex'),
 resetToken: '',
- inviteToken: '',
+ inviteToken: hat(256), // new users start out with invite tokens
 displayName: displayName,
 source: source,
 role: role,
 avatar: constants.AVATAR_NONE
 };
- const query = 'INSERT INTO users (id, username, password, email, fallbackEmail, salt, resetToken, displayName, source, role, avatar) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)';
- const args = [ user.id, user.username, user.password, user.email, user.fallbackEmail, user.salt, user.resetToken, user.displayName, user.source, user.role, user.avatar ];
+ const query = 'INSERT INTO users (id, username, password, email, fallbackEmail, salt, resetToken, inviteToken, displayName, source, role, avatar) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)';
+ const args = [ user.id, user.username, user.password, user.email, user.fallbackEmail, user.salt, user.resetToken, user.inviteToken, user.displayName, user.source, user.role, user.avatar ];
 [error] = await safe(database.query(query, args));
 if (error && error.code === 'ER_DUP_ENTRY' && error.sqlMessage.indexOf('users_email') !== -1) throw new BoxError(BoxError.ALREADY_EXISTS, 'email already exists');
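Review bot: `inviteToken: hat(256)` is assigned to every new row, including users whose `source` is set, although `sendInvite` rejects exactly those users with 'User is from an external directory'. Such accounts would hold a live invite token that is never mailed out but that the account-setup handler may still accept; that handler is not part of this diff, so this needs checking there. If external-directory users must never be set up by invite, `inviteToken: source ? '' : hat(256),` keeps the column empty for them. The token is also written as-is to the `users` table, so read access to that table is enough to redeem it until it is cleared. add()'s body starts and ends outside the hunk.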
@@ -710,10 +710,12 @@ async function sendInvite(user, options, auditSource) {
 if (user.source) throw new BoxError(BoxError.CONFLICT, 'User is from an external directory');
- const inviteToken = hat(256);
-
- user.inviteToken = inviteToken;
- await update(user, { inviteToken }, auditSource);
+ // not sure if this can ever be the case
+ if (!user.inviteToken) {
+ const inviteToken = hat(256);
+ user.inviteToken = inviteToken;
+ await update(user, { inviteToken }, auditSource);
+ }
 const directoryConfig = await settings.getDirectoryConfig();
 let inviteLink = `${settings.dashboardOrigin()}/setupaccount.html?inviteToken=${user.inviteToken}&email=${encodeURIComponent(user.email)}`;
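Review bot: Re-sending an invite no longer replaces the token, so a link that was forwarded, logged or mailed to a wrong address stays usable after a new invite goes out; before this change every `sendInvite` call rotated it. Together with `add()` now minting the token at creation, the secret in the `inviteToken=` query parameter lives from user creation until something outside this hunk clears it, and no expiry is visible here. Consider keeping a way to force rotation on resend, or storing an issue time next to the token and rejecting stale tokens at redemption. The comment `// not sure if this can ever be the case` should name the known case instead, e.g. `// rows created before add() set inviteToken may have an empty token`. sendInvite's body continues outside the hunk.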