diff --git a/authentik/core/api/users.py b/authentik/core/api/users.py
index e6a907bca..51d0bf56b 100644
--- a/authentik/core/api/users.py
+++ b/authentik/core/api/users.py
@@ -499,9 +499,9 @@ class UserViewSet(UsedByMixin, ModelViewSet):
         pagination_class=None,
         filter_backends=[],
         authentication_classes=[
+            MobileDeviceTokenAuthentication,
             TokenAuthentication,
             SessionAuthentication,
-            MobileDeviceTokenAuthentication,
         ],
     )
     def user_me(self, request: Request) -> Response:
diff --git a/authentik/stages/authenticator_mobile/api/auth.py b/authentik/stages/authenticator_mobile/api/auth.py
index f38b6ede3..16f9435ea 100644
--- a/authentik/stages/authenticator_mobile/api/auth.py
+++ b/authentik/stages/authenticator_mobile/api/auth.py
@@ -3,6 +3,7 @@ from typing import Any
 
 from drf_spectacular.extensions import OpenApiAuthenticationExtension
 from rest_framework.authentication import BaseAuthentication, get_authorization_header
+from rest_framework.exceptions import AuthenticationFailed
 from rest_framework.request import Request
 
 from authentik.api.authentication import validate_auth
@@ -17,7 +18,10 @@ class MobileDeviceTokenAuthentication(BaseAuthentication):
     def authenticate(self, request: Request) -> tuple[User, Any] | None:
         """Token-based authentication using HTTP Bearer authentication"""
         auth = get_authorization_header(request)
-        raw_token = validate_auth(auth)
+        try:
+            raw_token = validate_auth(auth)
+        except AuthenticationFailed:
+            return None
         device_token: MobileDeviceToken = MobileDeviceToken.filter_not_expired(
             token=raw_token
         ).first()
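Review bot: Putting `MobileDeviceTokenAuthentication` first in `authentication_classes` also makes it the class DRF consults for the `WWW-Authenticate` challenge: `APIView.get_authenticate_header` calls `authenticate_header()` on the first authenticator only, so if `MobileDeviceTokenAuthentication` does not implement it, unauthenticated calls to `user_me` will flip from 401 to 403. The new order also means every ordinary Bearer API token sent to this endpoint is first looked up as a mobile device token before `TokenAuthentication` sees it, so the mobile authenticator must return `None` rather than raise on a miss; its lookup tail is not visible in this diff, which is worth confirming. A short comment on the added line would help the next reader, e.g. `# Must stay first: mobile tokens share the Bearer scheme and the class passes (returns None) on a miss`. The `@action(` decorator this hunk belongs to starts above the hunk.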
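Review bot: After the new `try`/`except`, `raw_token` can still be `None` when `validate_auth` returns `None` for an absent `Authorization` header (it appears to raise `AuthenticationFailed` only for a malformed or unsupported one), yet the code goes on to execute `MobileDeviceToken.filter_not_expired(token=None)` — a needless database query on every anonymous request, and one that would match a row with a NULL token should the column ever allow it. Guard before the lookup: `if not raw_token:` / `return None`. Swallowing `AuthenticationFailed` here also relies on a later authenticator (now `TokenAuthentication`, per the users.py hunk) re-raising for an unsupported scheme or malformed header; if this class is ever used on its own, such requests will silently fall through as anonymous, which deserves a comment on the `except` branch. The remainder of `authenticate`, including what happens when no device token matches, lies outside the hunk.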