diff --git a/services/web/modules/oauth2-server/app/src/OAuthPersonalAccessTokenController.mjs b/services/web/modules/oauth2-server/app/src/OAuthPersonalAccessTokenController.mjs
index 06428925cc..be94826c1f 100644
--- a/services/web/modules/oauth2-server/app/src/OAuthPersonalAccessTokenController.mjs
+++ b/services/web/modules/oauth2-server/app/src/OAuthPersonalAccessTokenController.mjs
@@ -61,7 +61,10 @@ const PersonalAccessTokenController = {
 return res.status(400).json({ message: 'Token id is required' })
 }
- await OAuthPersonalAccessTokenManager.removeToken(tokenId)
+ const result = await OAuthPersonalAccessTokenManager.removeToken(tokenId, user._id)
+ if (!result || result.deletedCount !== 1) {
+ return res.status(404).json({ message: 'Token not found' })
+ }
 return res.json({
 message: 'Token deleted',
diff --git a/services/web/modules/oauth2-server/app/src/OAuthPersonalAccessTokenManager.mjs b/services/web/modules/oauth2-server/app/src/OAuthPersonalAccessTokenManager.mjs
index d63d17866a..c48104d3d1 100644
--- a/services/web/modules/oauth2-server/app/src/OAuthPersonalAccessTokenManager.mjs
+++ b/services/web/modules/oauth2-server/app/src/OAuthPersonalAccessTokenManager.mjs
@@ -87,10 +87,15 @@ const PersonalAccessTokenManager = {
 return accessToken
 },
- // Delete a personal access token
- async removeToken(tokenId) {
+ // Delete a personal access token owned by a specific user
+ async removeToken(tokenId, userId) {
+ if (!ObjectId.isValid(tokenId)) {
+ return { deletedCount: 0 }
+ }
 const query = {
 _id: new ObjectId(tokenId),
+ user_id: userId,
+ type: 'personal_access_token',
 }
 // Delete token from database
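Review bot: The new 404 branch after the `removeToken` call deliberately gives the same response for a token id that does not exist and one that exists but belongs to another user, yet nothing records that choice, so a later reader may "correct" it to a 403 and turn the endpoint into an existence oracle for token ids. Suggest a comment above the `if`: `// 404 for both missing and foreign tokens: the user-scoped delete cannot distinguish them, and a 403 would reveal that the id exists`. `user` is bound before the hunk, so it could not be confirmed here that it comes from the authenticated session rather than from the request; the enclosing handler starts outside the hunk. Minor style point: the `const result = await OAuthPersonalAccessTokenManager.removeToken(tokenId, user._id)` line is long enough that most formatters would wrap the arguments onto their own lines.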