diff --git a/app/authentication/auth.py b/app/authentication/auth.py index cee297681..586b3e6c6 100644 --- a/app/authentication/auth.py +++ b/app/authentication/auth.py @@ -1,7 +1,7 @@ from flask import request, _request_ctx_stack, current_app, g from notifications_python_client.authentication import decode_jwt_token, get_token_issuer from notifications_python_client.errors import ( - TokenDecodeError, TokenExpiredError, TokenIssuerError, TokenAlgorithmError + TokenDecodeError, TokenExpiredError, TokenIssuerError, TokenAlgorithmError, TokenError ) from notifications_utils import request_helper from sqlalchemy.exc import DataError @@ -100,6 +100,10 @@ def requires_auth(): # API key matches for this service but there was an error with the expiry of the token err_msg = "Error: Your system clock must be accurate to within 30 seconds" raise AuthError(err_msg, 403, service_id=service.id, api_key_id=api_key.id) + except TokenError: + err_msg = "Invalid token: API token is not valid. " + TOKEN_ERROR_GUIDANCE + raise AuthError(err_msg, 403, service_id=service.id, api_key_id=api_key.id) + if api_key.expiry_date: raise AuthError("Invalid token: API key revoked", 403, service_id=service.id, api_key_id=api_key.id) diff --git a/tests/app/authentication/test_authentication.py b/tests/app/authentication/test_authentication.py index a6562694d..343790d18 100644 --- a/tests/app/authentication/test_authentication.py +++ b/tests/app/authentication/test_authentication.py @@ -129,6 +129,7 @@ def test_auth_should_not_allow_request_with_non_hs256_algorithm(client, sample_a def test_auth_should_not_allow_request_with_extra_claims(client, sample_api_key): iss = str(sample_api_key.service_id) + key = get_unsigned_secrets(sample_api_key.service_id)[0] # code copied from notifications_python_client.authentication.py::create_jwt_token headers = { "typ": 'JWT', 
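Review bot: The new `except TokenError:` clause catches the base class of the token exceptions imported at the top of this file, so it has to remain the last clause of this `try` — any `except TokenDecodeError`/`TokenIssuerError`/`TokenAlgorithmError` placed after it would be unreachable, and that ordering cannot be checked from the hunk because the `try` and the rest of `requires_auth` start and end outside it. Worth recording the constraint on the clause itself, e.g. `# TokenError is the base class of the handlers above; keep this clause last so their specific messages still win`. `TOKEN_ERROR_GUIDANCE` is not added by this diff, so confirm it is already defined in this module: a missing name here would surface only as a NameError on the rejection path, which happy-path tests never take. If `api_key` here comes from a loop over the service's keys, the clause also turns a claim-validation failure into an immediate 403 rather than trying the remaining keys, which is fine provided that is intended and the 'wrong key' case is still handled by an earlier clause. The static message is the right choice since it echoes nothing from the untrusted token.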
@@ -141,7 +142,7 @@ def test_auth_should_not_allow_request_with_extra_claims(client, sample_api_key) 'aud': 'notifications.service.gov.uk' # extra claim that we don't support } - token = jwt.encode(payload=claims, key=str(uuid.uuid4()), headers=headers).decode() + token = jwt.encode(payload=claims, key=key, headers=headers).decode() request.headers = {'Authorization': 'Bearer {}'.format(token)} with pytest.raises(AuthError) as exc: