diff --git a/services/web/app/src/Features/TokenAccess/TokenAccessHandler.js b/services/web/app/src/Features/TokenAccess/TokenAccessHandler.js
index 9855ae02c2..23477c3614 100644
--- a/services/web/app/src/Features/TokenAccess/TokenAccessHandler.js
+++ b/services/web/app/src/Features/TokenAccess/TokenAccessHandler.js
@@ -287,12 +287,20 @@ const TokenAccessHandler = {
     return hash.digest('hex').slice(0, 6)
   },
 
+  normalizeTokenHashPrefix(tokenHashPrefix) {
+    if (typeof tokenHashPrefix !== 'string') return ''
+    // remove (encoded) hash
+    tokenHashPrefix = tokenHashPrefix.replace('#', '').replace('%23', '')
+    // remove trailing special characters that were copied by accident
+    tokenHashPrefix = tokenHashPrefix.replace(/[^a-z0-9]+$/i, '')
+    return tokenHashPrefix
+  },
+
   checkTokenHashPrefix(token, tokenHashPrefix, type, userId, logData = {}) {
     let hashPrefixStatus
-    if (tokenHashPrefix) {
-      tokenHashPrefix = tokenHashPrefix.replace('#', '').replace('%23', '')
-    }
+    tokenHashPrefix =
+      TokenAccessHandler.normalizeTokenHashPrefix(tokenHashPrefix)
     const v1Format = /%2F[0-9]{7,8}%2F/
     const isSuspectedV1Format = v1Format.test(tokenHashPrefix)
diff --git a/services/web/test/unit/src/TokenAccess/TokenAccessHandlerTests.js b/services/web/test/unit/src/TokenAccess/TokenAccessHandlerTests.js
index fa25351d0c..e3e15b9792 100644
--- a/services/web/test/unit/src/TokenAccess/TokenAccessHandlerTests.js
+++ b/services/web/test/unit/src/TokenAccess/TokenAccessHandlerTests.js
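Review bot: `normalizeTokenHashPrefix` removes only the first `#` and the first `%23`, and from any position in the string, because `String.prototype.replace` with a string pattern replaces a single occurrence; `'##012345'` comes out as `'#012345'`, while a stray mid-string marker such as `'01#2345'` is silently rewritten into a plausible-looking prefix `'012345'`. The comment says the intent is the (encoded) fragment marker, so anchor the removal and make it repeatable: `tokenHashPrefix = tokenHashPrefix.replace(/^(?:%23|#)+/, '')`; the existing unit cases `'#012345'` and `'%23012345'` still pass with that form. The v1 regex test and whatever consumes the normalized value afterwards are only partly visible here (the body of `checkTokenHashPrefix` continues past the hunk), so I have not verified whether a mid-string `#` could ever have been legitimate input there. Since the method is now a public member of the handler, a short JSDoc would help, e.g. `/** Best-effort cleanup of a user-supplied token hash prefix; returns '' for non-string input. */`.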
@@ -649,6 +649,30 @@ describe('TokenAccessHandler', function () {
     })
   })
 
+  describe('normalizeTokenHashPrefix', function () {
+    const cases = {
+      // hex string
+      ab2345: 'ab2345',
+      '01234f': '01234f',
+      '012345': '012345',
+      // remove (encoded) hash
+      '#012345': '012345',
+      '%23012345': '012345',
+      // remove trailing special characters
+      '012345.': '012345',
+      '012345/': '012345',
+      // v1 doc
+      '%2F1234567%2F': '%2F1234567%2F',
+    }
+    for (const [input, output] of Object.entries(cases)) {
+      it(`should handle ${JSON.stringify(input)}`, function () {
+        expect(
+          this.TokenAccessHandler.normalizeTokenHashPrefix(input)
+        ).to.equal(output)
+      })
+    }
+  })
+
   describe('checkTokenHashPrefix', function () {
     const userId = 'abc123'
     const projectId = 'def456'
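Review bot: The new `cases` table cannot exercise the `typeof tokenHashPrefix !== 'string'` guard that the implementation adds, because `Object.entries` only yields string keys, so the branch returning `''` for `undefined` or array input is left untested. Add one case outside the table, e.g. `it('should return an empty string for non-string input', function () { expect(this.TokenAccessHandler.normalizeTokenHashPrefix(undefined)).to.equal('') })`, and consider an array input such as `['012345']`, which query-string parsers can produce for repeated parameters. A repeated-marker entry like `'##012345'` would also pin down whether the single-occurrence `replace('#', '')` in the implementation is intended behaviour or an oversight.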