diff --git a/src/c3nav/api/newauth.py b/src/c3nav/api/newauth.py
index 2a06f83d..0fb9baf7 100644
--- a/src/c3nav/api/newauth.py
+++ b/src/c3nav/api/newauth.py
@@ -79,7 +79,7 @@ class APITokenAuth(HttpBearer):
             try:
                 secret = Secret.objects.filter(
                     Q(api_secret=token.removeprefix("secret:")),
-                    Q(valid_until__isnull=True) | Q(valid_until__lt=timezone.now()),
+                    Q(valid_until__isnull=True) | Q(valid_until__gte=timezone.now()),
                 ).select_related("user", "user__permissions").get()
             except Secret.DoesNotExist:
                 raise APITokenInvalid