diff --git a/app/controllers/api/v2/base_controller.rb b/app/controllers/api/v2/base_controller.rb
index 90fe0d610..3c7d44e09 100644
--- a/app/controllers/api/v2/base_controller.rb
+++ b/app/controllers/api/v2/base_controller.rb
@@ -3,6 +3,7 @@ class API::V2::BaseController < ApplicationController
   skip_before_action :setup_tracking
   before_action :authenticate_from_token
   before_action :ensure_authorized_network, if: -> { @api_token.present? }
+  before_action :ensure_token_is_not_expired, if: -> { @api_token.present? }
 
   before_action do
     Current.browser = 'api'
@@ -54,4 +55,10 @@ class API::V2::BaseController < ApplicationController
       render json: { errors: ["request issued from a forbidden network. Add #{address.to_string}/#{address.prefix} to your allowed adresses in your /profil"] }, status: :forbidden
     end
   end
+
+  def ensure_token_is_not_expired
+    if @api_token.expired?
+      render json: { errors: ['token expired'] }, status: :unauthorized
+    end
+  end
 end
diff --git a/app/controllers/api_controller.rb b/app/controllers/api_controller.rb
index 50d2088e3..c4e47c8e6 100644
--- a/app/controllers/api_controller.rb
+++ b/app/controllers/api_controller.rb
@@ -2,6 +2,7 @@ class APIController < ApplicationController
   before_action :default_format_json
   before_action :authenticate_from_token
   before_action :ensure_authorized_network, if: -> { @api_token.present? }
+  before_action :ensure_token_is_not_expired, if: -> { @api_token.present? }
 
   before_action do
     Current.browser = 'api'
@@ -41,4 +42,10 @@ class APIController < ApplicationController
       render json: { errors: ["request issued from a forbidden network. Add #{address.to_string}/#{address.prefix} to your allowed adresses in your /profil"] }, status: :forbidden
     end
   end
+
+  def ensure_token_is_not_expired
+    if @api_token.expired?
+      render json: { errors: ['token expired'] }, status: :unauthorized
+    end
+  end
 end
diff --git a/app/models/api_token.rb b/app/models/api_token.rb
index da02cba23..591168e46 100644
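Review bot: `ensure_token_is_not_expired` is added verbatim to both API::V2::BaseController and APIController (the `@@ -41,4 +42,10 @@` hunk of app/controllers/api_controller.rb), so the expiry rule now lives in two places that can drift apart; one shared definition — a concern included by both, or ApplicationController if `@api_token` is set there — with the matching `before_action` line moved alongside it would keep the policy in a single spot. Rendering from a `before_action` halts the Rails filter chain, so the action never runs once the 401 has been sent, which is the intended effect but is not stated anywhere; a comment above the method such as `# Halts the filter chain with 401 once the bearer token's expires_at has passed; a missing token is rejected earlier by authenticate_from_token.` would make that contract visible. The enclosing class continues outside the hunk.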
--- a/app/models/api_token.rb
+++ b/app/models/api_token.rb
@@ -71,6 +71,10 @@ class APIToken < ApplicationRecord
     authorized_networks.none? { |range| range.include?(ip) }
   end
 
+  def expired?
+    expires_at&.past?
+  end
+
   class << self
     def generate(administrateur)
       plain_token = generate_unique_secure_token
diff --git a/spec/controllers/api/v2/base_controller_spec.rb b/spec/controllers/api/v2/base_controller_spec.rb
index d211f5979..defee8a46 100644
--- a/spec/controllers/api/v2/base_controller_spec.rb
+++ b/spec/controllers/api/v2/base_controller_spec.rb
@@ -1,5 +1,5 @@
 describe API::V2::BaseController, type: :controller do
-  describe 'ensure_authorized_network' do
+  describe 'ensure_authorized_network and token_is_not_expired' do
     let(:admin) { create(:administrateur) }
     let(:token_bearer_couple) { APIToken.generate(admin) }
     let(:token) { token_bearer_couple[0] }
@@ -18,7 +18,23 @@ describe API::V2::BaseController, type: :controller do
     describe 'GET #index' do
       subject { get :fake_action }
 
-      context 'when no authorized networks are defined' do
+      context 'when no authorized networks are defined and the token is not expired' do
+        it { is_expected.to have_http_status(:ok) }
+      end
+
+      context 'when the token is expired' do
+        before do
+          token.update!(expires_at: 1.day.ago)
+        end
+
+        it { is_expected.to have_http_status(:unauthorized) }
+      end
+
+      context 'when this is precisely the day the token expires' do
+        before do
+          token.update!(expires_at: Time.zone.today)
+        end
+
         it { is_expected.to have_http_status(:ok) }
       end
 
diff --git a/spec/controllers/api_controller_spec.rb b/spec/controllers/api_controller_spec.rb
index ee5532b3a..85762b95b 100644
--- a/spec/controllers/api_controller_spec.rb
+++ b/spec/controllers/api_controller_spec.rb
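Review bot: `expired?` returns `nil` rather than `false` when `expires_at` is unset, and both controllers rely on that meaning "never expires", yet nothing in the model says so; a comment on the predicate would pin the contract, e.g. `# nil expires_at means the token never expires; a token stays usable through the whole of its expiry day.` The second half of that sentence holds only if `expires_at` is a date column, where `Date#past?` compares against `Date.current`; on a datetime column `past?` would flip to true just after midnight of the expiry day, and the 'when this is precisely the day the token expires' expectation in spec/controllers/api/v2/base_controller_spec.rb would become time-of-day dependent — the hunk does not show the column type, so please confirm it and word the comment accordingly. The `class << self` block that follows runs past the end of the hunk.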
@@ -40,7 +40,7 @@ describe APIController, type: :controller do
     end
   end
 
-  describe 'ensure_authorized_network' do
+  describe 'ensure_authorized_network and token is not expired' do
     let(:admin) { create(:administrateur) }
     let(:token_bearer_couple) { APIToken.generate(admin) }
     let(:token) { token_bearer_couple[0] }
@@ -59,10 +59,18 @@ describe APIController, type: :controller do
     describe 'GET #index' do
       subject { get :fake_action }
 
-      context 'when no authorized networks are defined' do
+      context 'when no authorized networks are defined and the token is not expired' do
         it { is_expected.to have_http_status(:ok) }
       end
 
+      context 'when the token is expired' do
+        before do
+          token.update!(expires_at: 1.day.ago)
+        end
+
+        it { is_expected.to have_http_status(:unauthorized) }
+      end
+
       context 'when a single authorized network is defined' do
         before do
           token.update!(authorized_networks: [IPAddr.new('192.168.1.0/24')])
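Review bot: The `@@ -59,10 +59,18 @@` hunk only pins the clearly-expired case for APIController, while the sibling spec in spec/controllers/api/v2/base_controller_spec.rb also asserts the boundary ('when this is precisely the day the token expires' still answers :ok); since both controllers wire the same filter separately, the boundary deserves the same coverage here so a divergence in one controller is caught. The expectation depends on the real clock (`1.day.ago`, `Time.zone.today`), which is fine for the expired case but, for the boundary case, is only stable around midnight if `expires_at` is a date column — wrapping the context in a frozen time helper would remove that doubt; I cannot tell the column type from this page. The enclosing `describe 'GET #index'` block continues past the hunk.
```ruby
      # … unchanged: 'when the token is expired' context …

      context 'when this is precisely the day the token expires' do
        before do
          token.update!(expires_at: Time.zone.today)
        end

        it { is_expected.to have_http_status(:ok) }
      end
```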