diff --git a/coderd/httpmw/apikey.go b/coderd/httpmw/apikey.go
index cc331983ce1ee..54a28a2d1c617 100644
--- a/coderd/httpmw/apikey.go
+++ b/coderd/httpmw/apikey.go
@@ -203,7 +203,7 @@ func ExtractAPIKey(cfg ExtractAPIKeyConfig) func(http.Handler) http.Handler {
 					return
 				}
 				// Check if the OAuth token is expired
-				if link.OAuthExpiry.Before(now) && !link.OAuthExpiry.IsZero() {
+				if link.OAuthExpiry.Before(now) && !link.OAuthExpiry.IsZero() && link.OAuthRefreshToken != "" {
 					var oauthConfig OAuth2Config
 					switch key.LoginType {
 					case database.LoginTypeGithub:
diff --git a/coderd/httpmw/apikey_test.go b/coderd/httpmw/apikey_test.go
index 7bfdf360b3353..8205515e8ccbb 100644
--- a/coderd/httpmw/apikey_test.go
+++ b/coderd/httpmw/apikey_test.go
@@ -468,9 +468,10 @@ func TestAPIKey(t *testing.T) {
 		})
 		require.NoError(t, err)
 		_, err = db.InsertUserLink(r.Context(), database.InsertUserLinkParams{
-			UserID:      user.ID,
-			LoginType:   database.LoginTypeGithub,
-			OAuthExpiry: database.Now().AddDate(0, 0, -1),
+			UserID:            user.ID,
+			LoginType:         database.LoginTypeGithub,
+			OAuthExpiry:       database.Now().AddDate(0, 0, -1),
+			OAuthRefreshToken: "hello",
 		})
 		require.NoError(t, err)