diff --git a/go/pkg/repos/auth.go b/go/pkg/repos/auth.go
index 487d4e52..9f0e2c77 100644
--- a/go/pkg/repos/auth.go
+++ b/go/pkg/repos/auth.go
@@ -73,3 +73,7 @@ func (a *Auth) DeleteRefreshToken(ctx context.Context, refreshToken string) erro
 	_, err := orm.Auths(orm.AuthWhere.RefreshToken.EQ(null.StringFrom(refreshToken))).UpdateAll(ctx, a.db, orm.M{orm.AuthColumns.RefreshToken: nil})
 	return err
 }
+
+func (a *Auth) RefreshTokenExists(ctx context.Context, refreshToken string) (bool, error) {
+	return orm.Auths(orm.AuthWhere.RefreshToken.EQ(null.StringFrom(refreshToken))).Exists(ctx, a.db)
+}
diff --git a/go/rpc/auth/auth.go b/go/rpc/auth/auth.go
index e66c53b1..e1fa9480 100644
--- a/go/rpc/auth/auth.go
+++ b/go/rpc/auth/auth.go
@@ -111,10 +111,20 @@ func (h *handler) RefreshToken(ctx context.Context, _ *connect.Request[v1.Refres
 	refreshToken, ok := ctx.Value(jwt.ContextKeyRefreshToken).(string)
 	if !ok {
-		log.Warn("refresh token not found")
+		log.Warn("refresh token not provided")
 		return nil, connect.NewError(connect.CodeUnauthenticated, http.ErrNoCookie)
 	}
+	exists, err := h.repo.RefreshTokenExists(ctx, refreshToken)
+	if err != nil {
+		log.Error("refresh token check failed", zap.Error(err))
+		return nil, connect.NewError(connect.CodeInternal, errors.New(""))
+	}
+	if !exists {
+		log.Warn("refresh token not found")
+		return nil, connect.NewError(connect.CodeUnauthenticated, errors.New("refresh token not found"))
+	}
+
 	claims, err := h.jwt.ClaimsFromToken(refreshToken, jwt.TokenTypeRefresh)
 	if err != nil {
 		log.Error("token parsing failed", zap.Error(err))
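Review bot: The new exported method RefreshTokenExists has no doc comment, unlike what Go tooling expects for exported names; add `// RefreshTokenExists reports whether any auth row currently stores refreshToken.` above the signature. The lookup wraps the input in null.StringFrom, so an empty refreshToken becomes a valid empty string rather than NULL and would match any row whose refresh_token column holds "" (DeleteRefreshToken in the same hunk clears the column to NULL, so such rows may not exist, but the repo cannot rely on that); a guard `if refreshToken == "" { return false, nil }` before the query keeps the method from reporting a match on empty input.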
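Review bot: The new existence query runs against the database before ClaimsFromToken has verified the refresh token, so any unverified cookie value now costs a DB round trip in RefreshToken; unless the intent is to surface "not found" ahead of parse errors, moving the `h.repo.RefreshTokenExists` block below the `claims, err := h.jwt.ClaimsFromToken(...)` check keeps the lookup to tokens that already passed signature and type validation. The internal-error branch returns `connect.NewError(connect.CodeInternal, errors.New(""))`, an error with an empty message; `errors.New("internal error")` (or a package-level sentinel) reads better in client logs without leaking the underlying error. Note also that the handler now answers Unauthenticated with two different messages (http.ErrNoCookie versus "refresh token not found"), which lets a caller distinguish a missing cookie from an unknown or revoked token; if that distinction is not needed, a single message for both paths is the usual choice. The RefreshToken handler starts and ends outside this hunk.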