diff --git a/libs/common/oapi/services/auth.js b/libs/common/oapi/services/auth.js
index aa44f2d..5a5e337 100644
--- a/libs/common/oapi/services/auth.js
+++ b/libs/common/oapi/services/auth.js
@@ -3,7 +3,7 @@ const getHasuraClaimsFromJWT = require("@modjo/hasura/utils/jwt/get-hasura-claim
 const { ctx } = require("@modjo/core")
 const { reqCtx } = require("@modjo/express/ctx")
-module.exports = function () {
+module.exports = function (services) {
   const castIntVars = ["deviceId", "userId"]
   function sessionVarsFromClaims(claims) {
     const session = { ...claims }
@@ -48,12 +48,14 @@ module.exports = function () {
         "Allowing expired JWT for meta.auth-token scope"
       )
       const req = reqCtx.get("req")
-      const authTokenHeader = req?.headers?.["x-auth-token"]
-      if (!authTokenHeader) {
+      const authTokenJWT = req?.headers?.["x-auth-token"]
+      if (!authTokenJWT) {
         return false
       }
+      const authToken =
+        services.authTokenHandler.decodeAuthToken(authTokenJWT)
       // Create a session that indicates auth token processing is needed
-      const session = { isAuthTokenRequest: true, authToken: authTokenHeader }
+      const session = { isAuthTokenRequest: true, authToken }
       reqCtx.set("session", session)
       return true
     }
diff --git a/services/api/src/api/v1/operations/auth/login/token.patch.js b/services/api/src/api/v1/operations/auth/login/token.patch.js
index e2e19df..a0d1cef 100644
--- a/services/api/src/api/v1/operations/auth/login/token.patch.js
+++ b/services/api/src/api/v1/operations/auth/login/token.patch.js
@@ -3,7 +3,7 @@ module.exports = async function ({ services: { authTokenHandler } }) {
   const { authTokenJwt, phoneModel = null, deviceUuid = null } = req.body
   // Validate the auth token JWT and extract the auth token
-  const authToken = authTokenHandler.validateAuthToken(authTokenJwt)
+  const authToken = authTokenHandler.decodeAuthToken(authTokenJwt)
   // Get or create user session (userId, deviceId, roles)
   const { userId, deviceId, roles } =
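Review bot: The decoded `authToken` is written into the session on the strength of `decodeAuthToken` alone, and the companion hunk in auth-token-handler.js shows that function doing nothing but `jwtDecode(authTokenJwt)`, so as far as this commit shows the scope handler now returns true for any syntactically valid JWT that carries an `authToken` claim, without any signature or expiry check. That is only safe if every consumer that sees `isAuthTokenRequest` (sync.post.js in this commit) still validates the token itself, which the hunks do not show; a comment at the call would make the contract visible: `// decodeAuthToken only parses the JWT payload (no signature/expiry check) — handlers that act on isAuthTokenRequest must still validate authToken`. Note also that the call sits outside any try in this hunk, so a malformed header surfaces as whatever decodeAuthToken's catch rethrows instead of the `return false` the missing-header case takes, and the `services` parameter introduced in this file's first hunk is dereferenced unconditionally, so a caller that still invokes the factory without arguments fails with a TypeError per request rather than at startup. The enclosing scope-handler function begins before the hunk.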
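Review bot: The comment `// Validate the auth token JWT and extract the auth token` on the line above the changed call now contradicts the code: the call is `decodeAuthToken`, and the handler hunk in this commit shows that function only calling `jwtDecode`, so the comment should stop promising validation, e.g. `// Decode the auth token JWT (payload only, not verified here) and extract the auth token`. If the token is actually validated inside getOrCreateUserSession on the following line, the comment should say so instead, since a reader of this file has no other way to tell where the check happens. The rest of the handler continues past the hunk.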
diff --git a/services/api/src/api/v1/operations/geoloc/sync.post.js b/services/api/src/api/v1/operations/geoloc/sync.post.js
index ebd993a..eeb1128 100644
--- a/services/api/src/api/v1/operations/geoloc/sync.post.js
+++ b/services/api/src/api/v1/operations/geoloc/sync.post.js
@@ -64,6 +64,9 @@ module.exports = function ({ services: { authTokenHandler } }) {
       })
     } catch (error) {
       logger.error({ error: error.message }, "Failed to process auth token")
+      if (httpError.isHttpError(error)) {
+        throw error
+      }
       throw httpError(401, "Invalid auth token")
     }
   } else if (session && session.userId && session.deviceId) {
diff --git a/services/api/src/api/v1/services/auth-token-handler.js b/services/api/src/api/v1/services/auth-token-handler.js
index fa7ab73..533cf19 100644
--- a/services/api/src/api/v1/services/auth-token-handler.js
+++ b/services/api/src/api/v1/services/auth-token-handler.js
@@ -10,7 +10,7 @@ module.exports = ({ services }) => {
   const { claimsNamespace, jwtExpirationInHours } = config
-  function validateAuthToken(authTokenJwt) {
+  function decodeAuthToken(authTokenJwt) {
     try {
       const { authToken } = jwtDecode(authTokenJwt)
       return authToken
@@ -162,7 +162,7 @@ module.exports = ({ services }) => {
   }
   return {
-    validateAuthToken,
+    decodeAuthToken,
     getOrCreateUserSession,
     generateUserJwt,
   }
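Review bot: `logger.error` on the line above the added check still runs for every caught error, including the HttpErrors the new branch rethrows unchanged, so expected client failures (presumably a 401 from the token handler) are logged at error level and without their status. Consider moving the `httpError.isHttpError(error)` test above the log, or at least recording the status so the log can be triaged: `logger.error({ error: error.message, status: error.status }, "Failed to process auth token")`. Rethrowing the original HttpError also forwards its message verbatim to the client, which is fine for errors this service constructs itself but worth confirming for anything inside the try that might wrap library error text in an HttpError. The try this catch belongs to starts outside the hunk.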
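Review bot: `decodeAuthToken` returns `authToken` straight from the `jwtDecode` payload without checking that the claim exists, so a JWT lacking an `authToken` claim yields `undefined` instead of an error (destructuring a missing property does not throw), and the callers changed in this commit then store that `undefined` in the session or hand it to getOrCreateUserSession. A guard after the decode, `if (authToken === undefined) throw new Error("auth token JWT has no authToken claim")`, makes that case explicit; how the catch below maps errors to responses decides what the client sees. The rename is also the right moment for a JSDoc header stating that the function decodes the payload only and, as far as this hunk shows, verifies neither signature nor expiry, so callers must not treat its result as authenticated. The function's catch block and the remainder of the factory lie outside the hunk.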