diff --git a/lib/Service/SSOService.php b/lib/Service/SSOService.php
index 31263245c0878ac70ca7f6d204c5bd17228b371f..8436d8eb440d5da2a15d51e0256e625ae3c6dd17 100644
--- a/lib/Service/SSOService.php
+++ b/lib/Service/SSOService.php
@@ -18,7 +18,8 @@ class SSOService {
 private CurlService $curl;
 private ILogger $logger;
 private array $ssoConfig = [];
- private string $adminAccessToken;
+ private string $adminAccessToken = '';
+ private int $adminAccessTokenExpiresAt = 0;
 private string $currentUserId;
 private string $currentUserName;
 private ICrypto $crypto;
@@ -200,9 +201,15 @@ class SSOService {
 }
 private function getAdminAccessToken() : void {
- if (!empty($this->adminAccessToken)) {
+ // Check if admin access token exists and has not expired
+ // Use a grace period of 10 seconds to account for network latencies
+ if (!empty($this->adminAccessToken)
+ && $this->adminAccessTokenExpiresAt !== 0
+ && (time() < ($this->adminAccessTokenExpiresAt - 10))) {
 return;
 }
+ $this->adminAccessToken = '';
+ $this->adminAccessTokenExpiresAt = 0;
 $adminAccessTokenRoute = $this->ssoConfig['root_url'] . self::ADMIN_TOKEN_ENDPOINT;
 $requestBody = [
 'username' => $this->ssoConfig['admin_username'],
@@ -228,6 +235,7 @@ class SSOService {
 throw new SSOAdminAccessTokenException('Error: admin access token not set in response!');
 }
 $this->adminAccessToken = $response['access_token'];
+ $this->adminAccessTokenExpiresAt = time() + (int) $response['expires_in'];
 }
 private function callSSOAPI(string $url, string $method, array $data = [], int $expectedStatusCode = 200) :?array {
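Review bot: The `$this->adminAccessTokenExpiresAt !== 0` test in the new condition of getAdminAccessToken() is redundant, because with a value of 0 the comparison `time() < (0 - 10)` is already false, and the literal 10 would read better as a named class constant. Since the expiry is later set to `time() + expires_in`, a token whose lifetime is 10 seconds or less is never reused and every call falls through to a fresh admin login. A constant such as `private const ADMIN_TOKEN_GRACE_SECONDS = 10;` with a comment stating that assumption would make the behaviour visible to whoever configures the SSO token lifetime. The method body continues beyond this hunk.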
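Review bot: `$response['expires_in']` is read in the added last line of getAdminAccessToken() without a presence or range check; the only validation visible in this hunk is the one for `access_token`, and anything earlier in the method lies outside the hunk. If the key is missing or non-numeric the cast yields 0, the token counts as expired immediately, and each later call silently repeats the admin login request against the token endpoint (with an undefined array key warning on PHP 8). Consider `$expiresIn = (int) ($response['expires_in'] ?? 0);` followed by `if ($expiresIn <= 0) { throw new SSOAdminAccessTokenException('Error: expires_in not set in response!'); }`, so a malformed token response is surfaced instead of degrading into re-authentication on every request.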