diff --git a/pillar/api/blender_id.py b/pillar/api/blender_id.py
index 9227c3b6..3a7c62f4 100644
--- a/pillar/api/blender_id.py
+++ b/pillar/api/blender_id.py
@@ -189,6 +189,8 @@ def fetch_blenderid_user() -> dict:
 
     credentials = current_app.config['OAUTH_CREDENTIALS']['blender-id']
     oauth_token = session['blender_id_oauth_token']
+    assert isinstance(oauth_token, str), f'oauth token must be str, not {type(oauth_token)}'
+
     oauth_session = OAuth2Session(
         credentials['id'], credentials['secret'],
         access_token=oauth_token)
diff --git a/pillar/auth/oauth.py b/pillar/auth/oauth.py
index a01c6a11..13be31a6 100644
--- a/pillar/auth/oauth.py
+++ b/pillar/auth/oauth.py
@@ -154,7 +154,10 @@ class BlenderIdSignIn(OAuthSignIn):
         oauth_session = self.make_oauth_session()
 
         # TODO handle exception for failed oauth or not authorized
-        session['blender_id_oauth_token'] = oauth_session.access_token
+        access_token = oauth_session.access_token
+        assert isinstance(access_token, str), f'oauth token must be str, not {type(access_token)}'
+
+        session['blender_id_oauth_token'] = access_token
         me = oauth_session.get('user').json()
         return OAuthUserResponse(str(me['id']), me['email'])