diff --git a/src/securejoin.rs b/src/securejoin.rs
index e4cad2e4e..57fff3d20 100644
--- a/src/securejoin.rs
+++ b/src/securejoin.rs
@@ -374,14 +374,6 @@ pub(crate) async fn handle_securejoin_handshake(
                 );
                 return Ok(HandshakeMessage::Ignore);
             }
-            if !verify_sender_by_fingerprint(context, &fingerprint, contact_id).await? {
-                warn!(
-                    context,
-                    "Ignoring {step} message because of fingerprint mismatch."
-                );
-                return Ok(HandshakeMessage::Ignore);
-            }
-            info!(context, "Fingerprint verified.",);
             // verify that the `Secure-Join-Auth:`-header matches the secret written to the QR code
             let Some(auth) = mime_message.get_header(HeaderDef::SecureJoinAuth) else {
                 warn!(
@@ -408,6 +400,14 @@ pub(crate) async fn handle_securejoin_handshake(
                 }
             };
 
+            if !verify_sender_by_fingerprint(context, &fingerprint, contact_id).await? {
+                warn!(
+                    context,
+                    "Ignoring {step} message because of fingerprint mismatch."
+                );
+                return Ok(HandshakeMessage::Ignore);
+            }
+
             let contact_addr = Contact::get_by_id(context, contact_id)
                 .await?
                 .get_addr()
@@ -427,6 +427,7 @@ pub(crate) async fn handle_securejoin_handshake(
                 );
                 return Ok(HandshakeMessage::Ignore);
             }
+            info!(context, "Fingerprint verified via Auth code.",);
             contact_id.regossip_keys(context).await?;
             ContactId::scaleup_origin(context, &[contact_id], Origin::SecurejoinInvited).await?;
             // for setup-contact, make Alice's one-to-one chat with Bob visible
@@ -434,7 +435,6 @@ pub(crate) async fn handle_securejoin_handshake(
             if !join_vg {
                 ChatId::create_for_contact(context, contact_id).await?;
             }
-            info!(context, "Auth verified.",);
             context.emit_event(EventType::ContactsChanged(Some(contact_id)));
             inviter_progress(context, contact_id, 600);
             if let Some(group_chat_id) = group_chat_id {
diff --git a/src/securejoin/securejoin_tests.rs b/src/securejoin/securejoin_tests.rs
index 663341fe1..75d0f007e 100644
--- a/src/securejoin/securejoin_tests.rs
+++ b/src/securejoin/securejoin_tests.rs
@@ -951,3 +951,34 @@ async fn test_parallel_setup_contact() -> Result<()> {
 
     Ok(())
 }
+
+#[tokio::test(flavor = "multi_thread", worker_threads = 2)]
+async fn test_wrong_auth_token() -> Result<()> {
+    let mut tcm = TestContextManager::new();
+    let alice = &tcm.alice().await;
+    let bob = &tcm.bob().await;
+
+    // Bob should already have Alice's key
+    // so that he can directly send vc-request-with-auth
+    tcm.send_recv(alice, bob, "hi").await;
+
+    let alice_qr = get_securejoin_qr(alice, None).await?;
+    println!("{}", &alice_qr);
+    let invalid_alice_qr = alice_qr.replace("&s=", "&s=INVALIDAUTHTOKEN&someotherkey=");
+
+    join_securejoin(bob, &invalid_alice_qr).await?;
+    let sent = bob.pop_sent_msg().await;
+
+    let msg = alice.parse_msg(&sent).await;
+    assert_eq!(
+        msg.get_header(HeaderDef::SecureJoin).unwrap(),
+        "vc-request-with-auth"
+    );
+
+    alice.recv_msg_trash(&sent).await;
+
+    let alice_bob_contact = alice.add_or_lookup_contact(bob).await;
+    assert!(!alice_bob_contact.is_forward_verified(alice).await?);
+
+    Ok(())
+}