diff --git a/auth.py b/auth.py
index 22b3d52..ab4c594 100755
--- a/auth.py
+++ b/auth.py
@@ -38,6 +38,9 @@ except KeyError:
 class NoUserException(Exception): 
     pass
 
+class RefreshTokenExpiredException(Exception): 
+    pass
+
 class NoTokenException(Exception): 
     pass
 
@@ -323,7 +326,8 @@ def refreshTokens(**args):
         refreshTokenObj = jwt.decode(refreshToken, JWT_PUB_KEY)
         logger.info(str(refreshTokenObj))
 
-        # FIXME: token expiry check
+        if refreshTokenObj["exp"] < int(time.time()):
+            throw RefreshTokenExpiredException()
 
         checkAndInvalidateRefreshToken(refreshTokenObj["sub"], refreshTokenObj["xid"], refreshTokenObj["xal"])
 
@@ -336,6 +340,9 @@ def refreshTokens(**args):
     except JWTError as e:
         logger.error("jwt.decode failed: {}".format(e))
         raise werkzeug.exceptions.Unauthorized()
+    except RefreshTokenExpiredException:
+        logger.error("refresh token expired")
+        raise werkzeug.exceptions.Unauthorized()
     except NoTokenException:
         logger.error("no token created/found")
         raise werkzeug.exceptions.Unauthorized()