diff --git a/internal/authtoken/repository.go b/internal/authtoken/repository.go
index 587fe8ab93..fccb0c34dc 100644
--- a/internal/authtoken/repository.go
+++ b/internal/authtoken/repository.go
@@ -210,7 +210,7 @@ func (r *Repository) ValidateToken(ctx context.Context, id, token string, opt ..
 	}
 
 	if retAT.GetToken() != token {
-		return nil, fmt.Errorf("validate token: auth token mismatch: %w", db.ErrInvalidParameter)
+		return nil, nil
 	}
 	// retAT.Token set to empty string so the value is not returned as described in the methods' doc.
 	retAT.Token = ""
diff --git a/internal/servers/controller/handlers/authtoken_intercept.go b/internal/servers/controller/handlers/authtoken_intercept.go
index 833f6d2cb0..da4784dc10 100644
--- a/internal/servers/controller/handlers/authtoken_intercept.go
+++ b/internal/servers/controller/handlers/authtoken_intercept.go
@@ -43,6 +43,10 @@ func TokenAuthenticator(l hclog.Logger, tokenRepo common.AuthTokenRepoFactory) f
 			}
 		}
 
+		if tMD.recievedTokenType == authTokenTypeUnknown || tMD.token() == "" || tMD.publicId() == "" {
+			return tMD.toMetadata()
+		}
+
 		repo, err := tokenRepo()
 		if err != nil {
 			l.Error("failed to get authtoken repo", "error", err)