diff --git a/go.mod b/go.mod
index bf8c5b9f..f9fb6bc5 100644
--- a/go.mod
+++ b/go.mod
@@ -40,7 +40,7 @@ require (
 github.com/stretchr/testify v1.8.0
 github.com/urfave/cli/v2 v2.20.3
 github.com/vmihailenco/msgpack/v5 v5.3.5
- gitlab.protontech.ch/go/liteapi v0.43.0
+ gitlab.protontech.ch/go/liteapi v0.43.1
 go.uber.org/goleak v1.2.0
 golang.org/x/exp v0.0.0-20221023144134-a1e5550cf13e
 golang.org/x/net v0.1.0
diff --git a/go.sum b/go.sum
index 435ee859..d199e485 100644
--- a/go.sum
+++ b/go.sum
@@ -403,8 +403,8 @@ github.com/xrash/smetrics v0.0.0-20201216005158-039620a65673/go.mod h1:N3UwUGtsr github.com/yuin/goldmark v1.3.5/go.mod h1:mwnBkeHKe2W/ZEtQ+71ViKU8L12m81fl3OWwC1Zlc8k= github.com/zclconf/go-cty v1.11.0 h1:726SxLdi2SDnjY+BStqB9J1hNp4+2WlzyXLuimibIe0= github.com/zclconf/go-cty v1.11.0/go.mod h1:s9IfD1LK5ccNMSWCVFCE2rJfHiZgi7JijgeWIMfhLvA= -gitlab.protontech.ch/go/liteapi v0.43.0 h1:kHfy/ENivDoeha9lqkh3GpzknsnRZ3czBzsbBz5PoB4= -gitlab.protontech.ch/go/liteapi v0.43.0/go.mod h1:IM7ADWjgIL2hXopzx0WNamizEuMgM2QZl7QH12FNflk= +gitlab.protontech.ch/go/liteapi v0.43.1 h1:T+IsGwSKQKRFdexRS0siManrYVOA8mrohGT7mg8L58Y= +gitlab.protontech.ch/go/liteapi v0.43.1/go.mod h1:IM7ADWjgIL2hXopzx0WNamizEuMgM2QZl7QH12FNflk= go.etcd.io/bbolt v1.3.2/go.mod h1:IbVyRI1SCnLcuJnV2u8VeU0CEYM7e686BmAb1XKL+uU= go.opencensus.io v0.21.0/go.mod h1:mSImk1erAIZhrmZN+AvHh14ztQfjbGwt4TtuofqLduU= go.opencensus.io v0.22.0/go.mod h1:+kGneAE2xo2IficOXnaByMWTGM9T73dGwxeWcUqIpI8=
diff --git a/internal/bridge/user.go b/internal/bridge/user.go
index 47879a3d..7253abe3 100644
--- a/internal/bridge/user.go
+++ b/internal/bridge/user.go
@@ -19,6 +19,7 @@ package bridge
 import (
 "context"
+ "errors"
 "fmt"
 "runtime"
@@ -358,6 +359,12 @@ func (bridge *Bridge) loadUsers(ctx context.Context) error {
 func (bridge *Bridge) loadUser(ctx context.Context, user *vault.User) error {
 client, auth, err := bridge.api.NewClientWithRefresh(ctx, user.AuthUID(), user.AuthRef())
 if err != nil {
+ if apiErr := new(liteapi.Error); errors.As(err, &apiErr) && (apiErr.Code == liteapi.AuthRefreshTokenInvalid) {
+ // The session cannot be refreshed, we sign out the user by clearing his auth secrets.
+ if err := user.Clear(); err != nil {
+ logrus.WithError(err).Warn("Failed to clear user secrets")
+ }
+ }
 return fmt.Errorf("failed to create API client: %w", err)
 }
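Review bot: The new branch in loadUser wipes the user's stored auth secrets without leaving any record of why: when `user.Clear()` succeeds nothing is logged, and the function still returns the generic `failed to create API client` error, so neither the logs nor (as far as this hunk shows) the caller can tell a forced sign-out from a transient failure. Log the decision before clearing, e.g. `logrus.WithError(err).Warn("Refresh token rejected, clearing stored auth secrets")`. When `user.Clear()` itself fails, the rejected secrets presumably stay in the vault and only a warning is emitted, so it is worth deciding whether that case should be surfaced more strongly than a log line. As a smaller style point, `var apiErr *liteapi.Error` is the more usual way to declare an `errors.As` target than `new(liteapi.Error)`, which allocates a value that is never used. The body of loadUser continues past the end of the hunk.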