diff --git a/backend/src/main/java/ru/micord/ervu/security/esia/token/TokensStore.java b/backend/src/main/java/ru/micord/ervu/security/esia/token/TokensStore.java index f202cb3..9dd98e1 100644 --- a/backend/src/main/java/ru/micord/ervu/security/esia/token/TokensStore.java +++ b/backend/src/main/java/ru/micord/ervu/security/esia/token/TokensStore.java @@ -20,14 +20,18 @@ public class TokensStore { } public static String getAccessToken(String prnOid) { + return accessTokensMap.get(prnOid).getAccessToken(); + } + + public static boolean validateAccessToken(String prnOid) { ExpiringToken token = accessTokensMap.get(prnOid); if (token == null) { - throw new CredentialsExpiredException("No access token for prnOid: " + prnOid); + throw new CredentialsExpiredException("No ESIA access token for prnOid: " + prnOid); } else if (token.isExpired()) { - throw new CredentialsExpiredException("Access token expired for prnOid: " + prnOid); + throw new CredentialsExpiredException("ESIA access token expired for prnOid: " + prnOid); } - return token.getAccessToken(); + return token.getAccessToken() != null; } public static void removeExpiredAccessToken() { diff --git a/backend/src/main/java/ru/micord/ervu/security/webbpm/jwt/filter/JwtAuthenticationFilter.java b/backend/src/main/java/ru/micord/ervu/security/webbpm/jwt/filter/JwtAuthenticationFilter.java index eedbebe..c9e91b8 100644 --- a/backend/src/main/java/ru/micord/ervu/security/webbpm/jwt/filter/JwtAuthenticationFilter.java +++ b/backend/src/main/java/ru/micord/ervu/security/webbpm/jwt/filter/JwtAuthenticationFilter.java 
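Review bot: The new `getAccessToken` dereferences `accessTokensMap.get(prnOid)` directly, so it throws a NullPointerException when no entry exists and returns the stored value even when `isExpired()` is true; both checks now live only in `validateAccessToken`. Callers of `getAccessToken` are outside this diff, but any that relied on the old `CredentialsExpiredException` would now either fail with an unhandled exception or pass on an expired ESIA token. Keeping the guard in the getter avoids that: `ExpiringToken token = accessTokensMap.get(prnOid);` then `if (token == null || token.isExpired()) throw new CredentialsExpiredException("No valid ESIA access token");` before the return. `removeExpiredAccessToken` begins on the last line of the hunk and continues outside it.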
@@ -65,7 +65,10 @@ public class JwtAuthenticationFilter extends AbstractAuthenticationProcessingFil
 if (ids.length != 2) {
 throw new CredentialsExpiredException("Invalid token. User has no ervuId");
 }
- TokensStore.getAccessToken(token.getUserAccountId());
+ boolean hasEsiaAccessToken = TokensStore.validateAccessToken(token.getUserAccountId());
+ if (!hasEsiaAccessToken) {
+ throw new CredentialsExpiredException("ESIA access token is null");
+ }
 }
 }
 } catch (CredentialsExpiredException e) {
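Review bot: The `if (!hasEsiaAccessToken)` branch covers only the case where the stored token string is null, because `validateAccessToken` already throws `CredentialsExpiredException` itself for a missing or expired entry, yet the boolean result reads as if it reported all three outcomes. Either let `validateAccessToken` throw in the null-string case too and keep this call as a single statement, or document the split at the call site with a comment such as `// throws if the ESIA token is missing or expired; false only when the stored token string is null`. The enclosing method and the body of the `catch (CredentialsExpiredException e)` block lie outside this hunk, so it is not visible where the exception message ends up. The messages raised in TokensStore embed the prnOid, so it is worth confirming that the handler does not echo them into the HTTP response.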