diff --git a/auth/api/grpc/utils.go b/auth/api/grpc/utils.go
index 5823d853d..8dd8ac5b4 100644
--- a/auth/api/grpc/utils.go
+++ b/auth/api/grpc/utils.go
@@ -31,6 +31,7 @@ func EncodeError(err error) error {
 return status.Error(codes.InvalidArgument, err.Error())
 case errors.Contains(err, svcerr.ErrAuthentication),
 errors.Contains(err, auth.ErrKeyExpired),
+ errors.Contains(err, auth.ErrRevokedToken),
 err == apiutil.ErrMissingEmail,
 err == apiutil.ErrBearerToken:
 return status.Error(codes.Unauthenticated, err.Error())
diff --git a/auth/service.go b/auth/service.go
index d02d24df5..fd33e3190 100644
--- a/auth/service.go
+++ b/auth/service.go
@@ -365,6 +365,12 @@ func (svc service) refreshKey(ctx context.Context, token string, key Key) (Token
 return Token{}, errors.Wrap(errIssueTmp, err)
 }

+ if key.Subject != "" && key.ExpiresAt.After(time.Now()) {
+ if err := svc.tokensCache.SaveActive(ctx, key.Subject, key.ID, key.Description, key.ExpiresAt); err != nil {
+ return Token{}, errors.Wrap(errSaveRefreshKey, err)
+ }
+ }
+
 return Token{AccessToken: access, RefreshToken: refresh}, nil
 }

diff --git a/auth/service_test.go b/auth/service_test.go
index b832855f4..a2078033d 100644
--- a/auth/service_test.go
+++ b/auth/service_test.go
@@ -303,16 +303,17 @@ func TestIssue(t *testing.T) {
 }

 cases4 := []struct {
- desc string
- key auth.Key
- token string
- parseRes auth.Key
- parseErr error
- roleCheckErr error
- issueErr error
- cacheRes bool
- cacheErr error
- err error
+ desc string
+ key auth.Key
+ token string
+ parseRes auth.Key
+ parseErr error
+ roleCheckErr error
+ issueErr error
+ cacheRes bool
+ cacheErr error
+ saveActiveErr error
+ err error
 }{
 {
 desc: "issue refresh key",
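Review bot: In the `auth/service.go` hunk, when `key.Subject` is empty or `key.ExpiresAt` is not in the future, the new guard skips `SaveActive` without an error and refreshKey still returns the token pair, so a refresh token can leave this function with no entry in the active-token cache. If `IsActive` is what gates a later refresh (the test in this commit mocks it that way), such a token either fails on its next use or, wherever that check is not enforced, sits outside revocation tracking. Returning an error for that case would make the behaviour explicit; if the skip is intentional, say so above the guard with something like `// keys with no subject or a past expiry are deliberately not registered as active`. The hunk also does not show whether `key.ID` and `key.ExpiresAt` at this point describe the refresh token just issued rather than the access token or the incoming key, which is worth confirming because the cache entry's identity and lifetime follow them. refreshKey begins above the hunk.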
@@ -365,6 +366,20 @@ func TestIssue(t *testing.T) {
 roleCheckErr: errRoleAuth,
 err: errRoleAuth,
 },
+ {
+ desc: "issue refresh key with failed to save active token",
+ key: auth.Key{
+ Type: auth.RefreshKey,
+ IssuedAt: time.Now(),
+ Subject: userID,
+ Role: auth.UserRole,
+ },
+ token: refreshToken,
+ parseRes: refreshkey,
+ cacheRes: true,
+ saveActiveErr: svcerr.ErrCreateEntity,
+ err: svcerr.ErrCreateEntity,
+ },
 {
 desc: "issue refresh key with revoked refresh token",
 key: auth.Key{
@@ -400,6 +415,7 @@ func TestIssue(t *testing.T) {
 tokenizerCall1 := tokenizer.On("Parse", mock.Anything, tc.token).Return(tc.parseRes, tc.parseErr)
 tokenizerCall2 := tokenizer.On("Revoke", mock.Anything, tc.token).Return(tc.parseErr)
 cacheCall := tokensCache.On("IsActive", context.Background(), tc.parseRes.ID).Return(tc.cacheRes, tc.cacheErr)
+ saveActiveCall := tokensCache.On("SaveActive", mock.Anything, mock.Anything, mock.Anything, mock.Anything, mock.Anything).Return(tc.saveActiveErr)
 policyCall := pEvaluator.On("CheckPolicy", mock.Anything, policies.Policy{
 Subject: tc.key.Subject,
 SubjectType: policies.UserType,
@@ -414,6 +430,7 @@ func TestIssue(t *testing.T) {
 tokenizerCall2.Unset()
 policyCall.Unset()
 cacheCall.Unset()
+ saveActiveCall.Unset()
 })
 }
 }
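Review bot: The `SaveActive` expectation added in the `@@ -400,6 +415,7 @@` hunk matches all five arguments with `mock.Anything`, so the suite would still pass if refreshKey registered the wrong subject, token ID or expiry in the active-token cache. Since that entry is what later `IsActive` and revocation checks depend on, the expectation should pin at least the subject and ID arguments to the values the case expects instead of `mock.Anything`. The expectation is also installed for every row of the table, so nothing asserts that `SaveActive` is not reached on the failing paths (role-check error, revoked refresh token); an `AssertNotCalled` on those rows would cover that. No row exercises the guard's skip branch (empty subject or past expiry) either.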