diff --git a/src/oidc.js b/src/oidc.js
index 7840c6bee..e98d21947 100644
--- a/src/oidc.js
+++ b/src/oidc.js
@@ -542,6 +542,9 @@ function interactionLogin(provider) {
 await eventlog.add(user.ghost ? eventlog.ACTION_USER_LOGIN_GHOST : eventlog.ACTION_USER_LOGIN, auditSource, { userId: user.id, user: users.removePrivateFields(user), appId: clientId });
 if (!user.ghost) safe(users.notifyLoginLocation(user, ip, userAgent, auditSource), { debug });
+ // clear token as it is one-time use
+ await tokens.delByAccessToken(req.body.autoLoginToken);
+
 return res.status(200).send({ redirectTo });
 }
diff --git a/src/oidc_templates/login.ejs b/src/oidc_templates/login.ejs
index 9c42fc43e..afcd923da 100644
--- a/src/oidc_templates/login.ejs
+++ b/src/oidc_templates/login.ejs
@@ -159,13 +159,14 @@ if (autoLoginToken) {
 method: 'POST',
 body: JSON.stringify({ autoLoginToken }),
 headers: { 'Content-type': 'application/json; charset=UTF-8' }
- }).then(function (response) {
- res = response;
+ }).then(function (res) {
+ localStorage.removeItem('cloudronFirstTimeToken');
 return res.json(); // we always return objects
 }).then(function (data) {
 if (data.redirectTo) window.location.href = data.redirectTo;
 else console.log('login success but missing redirectTo in data:', data);
 }).catch(function (error) {
+ localStorage.removeItem('cloudronFirstTimeToken');
 document.getElementById('internalError').classList.remove('hide');
 document.getElementById('busyIndicator').classList.add('hide');
 console.warn(error, res);
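Review bot: The one-time token is consumed only at the very end of the success path, after the login has been audited and the location notification queued, so a second request carrying the same `autoLoginToken` that reaches the token lookup (earlier in `interactionLogin`, outside this hunk) before this `delByAccessToken` completes is presumably still accepted; if strict single use is the intent, delete the token at the point it is looked up and treat a missing token as a failed login, rather than after the fact. Separately, a rejection from `tokens.delByAccessToken` now aborts the handler after the login has already been recorded, so the client never receives the `{ redirectTo }` response although the login went through; decide explicitly whether that should fail the request or be best-effort like the `safe(users.notifyLoginLocation(...), { debug })` call two lines above, and say so in the comment, e.g. `// consume the one-time token; a failure here must not leave it reusable, so let it surface`. The body of `interactionLogin` starts outside the hunk, so whether `req.body.autoLoginToken` has been validated as a string before this point cannot be seen here.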
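Review bot: The `.catch` handler still logs `res` in `console.warn(error, res);`, but the first `.then` now names its parameter `res`, which shadows the outer `res` that the removed `res = response;` used to populate; whatever `res` the catch refers to (a variable declared outside the hunk, or an implicit global) is therefore never assigned any more, so the warning always prints `undefined` for it, or throws a ReferenceError if it was never declared. Either keep the outer assignment — `}).then(function (response) { res = response;` — or drop the argument: `console.warn(error);`. The `localStorage.removeItem('cloudronFirstTimeToken')` now duplicated in the `.then` and the `.catch` could be a single `.finally(function () { localStorage.removeItem('cloudronFirstTimeToken'); })` on the chain, which removes the duplication without changing when the key is cleared. The enclosing `if (autoLoginToken)` block begins and the catch handler ends outside the hunk.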