diff --git a/src/smapi.ts b/src/smapi.ts
index 41bf21a..14f384c 100644
--- a/src/smapi.ts
+++ b/src/smapi.ts
@@ -415,8 +415,13 @@ function bindSmapiSoapServiceToExpress(
 const credentialsFrom = E.fromNullable(new MissingLoginTokenError());
 return pipe(
 credentialsFrom(credentials),
- E.chain((credentials) =>
- pipe(
+ E.chain((credentials) => {
+ // Check if token/key is associated with a user
+ const smapiToken = sonosSoap.getCredentialsForToken(credentials.loginToken.token);
+ if (!smapiToken || smapiToken.key !== credentials.loginToken.key) {
+ return E.left(new InvalidTokenError("Token not associated with any user"));
+ }
+ return pipe(
 smapiAuthTokens.verify({
 token: credentials.loginToken.token,
 key: credentials.loginToken.key,
@@ -425,8 +430,8 @@ function bindSmapiSoapServiceToExpress(
 serviceToken,
 credentials,
 }))
- )
- ),
+ );
+ }),
 E.map(({ serviceToken, credentials }) => ({
 serviceToken,
 credentials,
diff --git a/src/smapi_auth.ts b/src/smapi_auth.ts
index 585bb65..ae284a1 100644
--- a/src/smapi_auth.ts
+++ b/src/smapi_auth.ts
@@ -4,6 +4,8 @@ import { v4 as uuid } from "uuid";
 import { b64Decode, b64Encode } from "./b64";
 import { Clock } from "./clock";
+import logger from "./logger";
+
 export type SmapiFault = { Fault: { faultcode: string; faultstring: string } };
 export type SmapiRefreshTokenResultFault = SmapiFault & {
 Fault: {
@@ -14,6 +16,7 @@ export type SmapiRefreshTokenResultFault = SmapiFault & {
 };
 function isError(thing: any): thing is Error {
+ logger.debug("isError check", { thing });
 return thing.name && thing.message;
 }
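Review bot: The added association check in the `E.chain` callback compares `smapiToken.key !== credentials.loginToken.key` with a plain string comparison and returns its own message, "Token not associated with any user", before `smapiAuthTokens.verify` runs. That lets a caller tell an unknown token or key apart from a verification failure. If `key` is treated as secret material, prefer a constant-time compare such as `crypto.timingSafeEqual` over equal-length buffers, and consider returning one generic invalid-token message for both cases while logging the specific reason server-side. Whether the refresh path for expired tokens applies the same association check is not visible in this hunk and is worth confirming, since otherwise an unassociated token could still be refreshed. The callback's `pipe(...)` continues past the end of the hunk.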
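Review bot: `logger.debug("isError check", { thing })` in `isError` writes the whole inspected value to the log on every call, and in a token-handling module that value may be a verification error or decoded payload carrying token material (inferred from the file's purpose; the callers are outside the hunk). It also gives a type guard a side effect and reads like leftover debugging. Drop the line, or log only a non-sensitive discriminator such as `logger.debug("isError check", { name: thing?.name })`. Separately, the unchanged `return thing.name && thing.message;` still throws when `thing` is `null` or `undefined`; `return !!thing && !!thing.name && !!thing.message;` would make the guard total.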