diff --git a/deploy/auth/util.js b/deploy/auth/util.js
index 2f225bc836621bb840f79e1c396da6f39fc69f24..554d5f4970f6639e3f436eaabb5cddcc7949fb40 100644
--- a/deploy/auth/util.js
+++ b/deploy/auth/util.js
@@ -10,17 +10,19 @@ const redirectUri = `${HOSTNAME}/hbp-oidc/cb`
 let REFRESH_TOKEN = process.env.REFRESH_TOKEN || null
 const CLIENT_NOT_INIT = `Client is not initialised.`
 const REFRESH_TOKEN_MISSING = `refresh token is missing`
+const REFRESH_ACCESS_TOKEN_MISSING = `access token not defined upon refresh`
+const REFRESH_REFRESH_TOKEN_MISSING = `refresh token not defined upon refresh`
 
 let __client
 let __publicAccessToken
 
 const refreshToken = async () => {
-  if (!__client)
-    throw new Error(CLIENT_NOT_INIT)
-  if (!REFRESH_TOKEN)
-    throw new Error(REFRESH_TOKEN_MISSING)
+  if (!__client) throw new Error(CLIENT_NOT_INIT)
+  if (!REFRESH_TOKEN) throw new Error(REFRESH_TOKEN_MISSING)
   const tokenset = await __client.refresh(REFRESH_TOKEN)
   const {access_token: accessToken, refresh_token: refreshToken, id_token: idToken} = tokenset
+  if (!accessToken) throw new Error(REFRESH_ACCESS_TOKEN_MISSING)
+  if (!refreshToken) throw new Error(REFRESH_REFRESH_TOKEN_MISSING)
   if (refreshToken !== REFRESH_TOKEN) {
     REFRESH_TOKEN = refreshToken
   }
diff --git a/deploy/datasets/util.js b/deploy/datasets/util.js
index f8378038f74495fe3e0f4f01d69191a85932cbcf..8b1469a8cd4c4cdb0cbef2c4d3a9225211e63bff 100644
--- a/deploy/datasets/util.js
+++ b/deploy/datasets/util.js
@@ -1,14 +1,15 @@
 const kgQueryUtil = require('./../auth/util')
 
-let getPublicAccessToken, publicAccessToken
+let getPublicAccessToken
 
 const getUserKGRequestParam = async ({ user }) => {
+  let publicAccessToken
   /**
    * n.b. ACCESS_TOKEN env var is usually only set during dev
    */
   const accessToken = (user && user.tokenset && user.tokenset.access_token) || process.env.ACCESS_TOKEN
   const releasedOnly = !accessToken
-  if (!accessToken && !publicAccessToken && getPublicAccessToken) {
+  if (!accessToken && getPublicAccessToken) {
     publicAccessToken = await getPublicAccessToken()
   }
   const option = accessToken || publicAccessToken