diff --git a/api/components/OAuth2/Storage/RefreshTokenStorage.php b/api/components/OAuth2/Storage/RefreshTokenStorage.php
index 2321e76..c1acfe6 100644
--- a/api/components/OAuth2/Storage/RefreshTokenStorage.php
+++ b/api/components/OAuth2/Storage/RefreshTokenStorage.php
@@ -18,6 +18,9 @@ class RefreshTokenStorage extends AbstractStorage implements RefreshTokenInterfa
 public function get($token) {
 $result = Json::decode((new Key($this->dataTable, $token))->getValue());
+ if ($result === null) {
+ return null;
+ }
 $entity = new RefreshTokenEntity($this->server);
 $entity->setId($result['id']);
diff --git a/tests/codeception/api/functional/OauthRefreshTokenCest.php b/tests/codeception/api/functional/OauthRefreshTokenCest.php
index 47e5e47..7e13680 100644
--- a/tests/codeception/api/functional/OauthRefreshTokenCest.php
+++ b/tests/codeception/api/functional/OauthRefreshTokenCest.php
@@ -16,6 +16,18 @@ class OauthRefreshTokenCest {
 $this->route = new OauthRoute($I);
 }
+ public function testInvalidRefreshToken(OauthSteps $I) {
+ $this->route->issueToken($this->buildParams(
+ 'some-invalid-refresh-token',
+ 'ely',
+ 'ZuM1vGchJz-9_UZ5HC3H3Z9Hg5PzdbkM'
+ ));
+ $I->canSeeResponseContainsJson([
+ 'error' => 'invalid_request',
+ 'message' => 'The refresh token is invalid.',
+ ]);
+ }
+
 public function testRefreshToken(OauthSteps $I) {
 $refreshToken = $I->getRefreshToken();
 $this->route->issueToken($this->buildParams(
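Review bot: The new guard in `get()` rejects only a decode result that is exactly `null`, so any other non-array value, or an array without an `id` key, still reaches `$entity->setId($result['id'])` two lines later. Since `$token` appears to be the refresh token taken from the client request, I would make the miss path cover every malformed record: `if (!is_array($result) || !isset($result['id'])) { return null; }`. A docblock on the method with `@return RefreshTokenEntity|null` would tell callers that an unknown token yields `null` rather than an entity. Whether `Key` bounds or validates the token before it becomes a storage key name is not visible here and is worth confirming. The body of `get()` continues past the end of this hunk.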
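Review bot: `testInvalidRefreshToken` asserts only the JSON body, so it would still pass if the endpoint returned that body with a 200 or a 500 status. Adding a status assertion next to the body check, for example `$I->canSeeResponseCodeIs(400);` (with whatever status the server is meant to return for `invalid_request`), pins the behaviour the storage fix is supposed to produce. The third argument to `buildParams` looks like a client secret written as a literal; if it is a fixture-only value, a named constant or fixture lookup shared with the other tests in this class would make that explicit and keep it out of repeated call sites.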