diff --git a/jupyterhub/apihandlers/auth.py b/jupyterhub/apihandlers/auth.py
index e5b55665..d0ab4216 100644
--- a/jupyterhub/apihandlers/auth.py
+++ b/jupyterhub/apihandlers/auth.py
@@ -22,6 +22,11 @@ class TokenAPIHandler(APIHandler):
 orm_token = orm.APIToken.find(self.db, token)
 if orm_token is None:
 orm_token = orm.OAuthAccessToken.find(self.db, token)
+ if orm_token and not orm_token.client_id:
+ self.log.warning("Deleting stale oauth token for %s", orm_token.user)
+ self.db.delete(orm_token)
+ self.db.commit()
+ orm_token = None
 if orm_token is None:
 raise web.HTTPError(404)
 
diff --git a/jupyterhub/handlers/base.py b/jupyterhub/handlers/base.py
index 8ec720e4..9a278977 100644
--- a/jupyterhub/handlers/base.py
+++ b/jupyterhub/handlers/base.py
@@ -195,11 +195,15 @@ class BaseHandler(RequestHandler):
 orm_token = orm.OAuthAccessToken.find(self.db, token)
 if orm_token is None:
 return None
- else:
- orm_token.last_activity = \
- orm_token.user.last_activity = datetime.utcnow()
+ if orm_token and not orm_token.client_id:
+ self.log.warning("Deleting stale oauth token for %s", orm_token.user)
+ self.db.delete(orm_token)
 self.db.commit()
- return self._user_from_orm(orm_token.user)
+ return None
+ orm_token.last_activity = \
+ orm_token.user.last_activity = datetime.utcnow()
+ self.db.commit()
+ return self._user_from_orm(orm_token.user)
 
 def get_current_user_token(self):
 """get_current_user from Authorization header token"""
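Review bot: The stale-token block added after `orm.OAuthAccessToken.find(self.db, token)` is repeated almost line for line in the `jupyterhub/handlers/base.py` hunk of this same commit, so the rule "an OAuth token without a `client_id` must not authenticate" now lives in two places that can drift apart. A single shared helper that finds the token, deletes it when `client_id` is empty and returns None would keep both call sites consistent; where such a helper belongs is not visible from this page. The block also needs a comment saying why an empty `client_id` means the token is stale, for example `# token outlived the OAuth client it was issued to (presumably deleted); reject and clean up`. The enclosing handler method starts and ends outside the hunk, and the page has lost its indentation, so whether the new check sits inside the `if orm_token is None:` fallback cannot be confirmed here.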
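Review bot: In the added guard `if orm_token and not orm_token.client_id:` the `orm_token and` part can never be false, because the preceding `if orm_token is None: return None` has already returned; `if not orm_token.client_id:` states the same condition. Separately, this cleanup only removes a stale row when someone presents that token, so rows that are never presented again stay in the database; if the schema allows it, removing a client's tokens when the client itself is deleted would close that gap at the source, though the model definitions are not visible here. The warning could also include a non-secret identifier of the token (never the token value) so the deletion can be correlated in audit logs. The enclosing method begins before the hunk.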