diff --git a/app/models/api/openid_connect/authorization.rb b/app/models/api/openid_connect/authorization.rb
index 90ee38660..87cc05661 100644
--- a/app/models/api/openid_connect/authorization.rb
+++ b/app/models/api/openid_connect/authorization.rb
@@ -63,10 +63,15 @@ module Api
 
 def self.use_code(code)
 return unless code
- find_by(code: code).tap do |auth|
- next unless auth
- auth.code = nil
+ auth = find_by(code: code)
+ return unless auth
+ if auth.code_used
+ auth.destroy
+ nil
+ else
+ auth.code_used = true
 auth.save
+ auth
 end
 end
 end
diff --git a/db/migrate/20150708153926_create_authorizations.rb b/db/migrate/20150708153926_create_authorizations.rb
index f964237d7..ee88ab017 100644
--- a/db/migrate/20150708153926_create_authorizations.rb
+++ b/db/migrate/20150708153926_create_authorizations.rb
@@ -8,6 +8,7 @@ class CreateAuthorizations < ActiveRecord::Migration
 t.string :redirect_uri
 t.string :nonce
 t.string :scopes
+ t.boolean :code_used, default: false
 t.timestamps null: false
 end
 
diff --git a/db/schema.rb b/db/schema.rb
index 8fce36389..17f436674 100644
--- a/db/schema.rb
+++ b/db/schema.rb
@@ -63,8 +63,9 @@ ActiveRecord::Schema.define(version: 20150828132451) do
 t.string "redirect_uri", limit: 255
 t.string "nonce", limit: 255
 t.string "scopes", limit: 255
- t.datetime "created_at", null: false
- t.datetime "updated_at", null: false
+ t.boolean "code_used", default: false
+ t.datetime "created_at", null: false
+ t.datetime "updated_at", null: false
 end
 
 add_index "authorizations", ["o_auth_application_id"], name: "index_authorizations_on_o_auth_application_id", using: :btree
diff --git a/spec/lib/api/openid_connect/token_endpoint_spec.rb b/spec/lib/api/openid_connect/token_endpoint_spec.rb
index c03aa4102..98887932f 100644
--- a/spec/lib/api/openid_connect/token_endpoint_spec.rb
+++ b/spec/lib/api/openid_connect/token_endpoint_spec.rb
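Review bot: `auth.code_used = true` followed by `auth.save` in the new `else` branch is a check-then-act on the row read by `find_by(code: code)`, so two requests presenting the same code at the same time can both observe `code_used` as false and both be handed the authorization, which defeats the single-use guarantee this hunk is meant to enforce; the return value of `save` is also discarded, so a failed save still returns the authorization as if it had been marked used. Claim the code with a conditional `update_all` restricted to `code_used: false` and treat a zero row count as the reuse case (rewrite below), which keeps the destroy-on-reuse behaviour while making the claim atomic. Whether `auth.destroy` also revokes tokens already issued for this authorization depends on associations outside the hunk; confirm they carry `dependent: :destroy`, since revoking them is the point of destroying on reuse.
```ruby
def self.use_code(code)
  return unless code
  auth = find_by(code: code)
  return unless auth
  # Atomic claim: exactly one request can flip code_used from false to true.
  claimed = where(id: auth.id, code_used: false).update_all(code_used: true) == 1
  unless claimed
    auth.destroy
    return nil
  end
  auth.reload
end
```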
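Review bot: Adding `t.boolean :code_used, default: false` to the existing `20150708153926_create_authorizations` migration will not reach any database where that migration has already run, and `db/schema.rb` in this same commit is at version 20150828132451, so later migrations exist and a deployed instance will hit a missing-column error the first time `use_code` assigns `code_used`. Put the column in a new migration, `add_column :authorizations, :code_used, :boolean, default: false, null: false`, and leave the original file untouched. The `null: false` matters too: as written the column is nullable, and a NULL `code_used` reads as "unused" in `if auth.code_used`.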
@@ -48,7 +48,6 @@ describe Api::OpenidConnect::TokenEndpoint, type: :request do
 it "should not allow code to be reused" do
 auth.reload
- expect(auth.code).to eq(nil)
 post api_openid_connect_access_tokens_path, grant_type: "authorization_code", client_id: client.client_id, client_secret: client.client_secret, redirect_uri: "http://localhost:3000/", code: code
@@ -93,7 +92,6 @@ describe Api::OpenidConnect::TokenEndpoint, type: :request do
 it "should not allow code to be reused" do
 auth_with_specific_id.reload
- expect(auth_with_specific_id.code).to eq(nil)
 post api_openid_connect_access_tokens_path, grant_type: "authorization_code", client_id: client.client_id, client_secret: client.client_secret, redirect_uri: "http://localhost:3000/", code: code_with_specific_id
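Review bot: Removing `expect(auth.code).to eq(nil)` leaves the "should not allow code to be reused" example starting at line 48 with no assertion that the first exchange actually marked the authorization, so the example would still pass if `use_code` never persisted anything and the second `post` were rejected for an unrelated reason; the same applies to the `auth_with_specific_id` example at line 93. Replace the removed line with `expect(auth.code_used).to be true` after `auth.reload` (and `expect(auth_with_specific_id.code_used).to be true` in the second example) so the spec pins the new persisted state. The expectations that follow each `post` lie outside the hunk, so what the second exchange is checked against cannot be confirmed here.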