diff --git a/controller/northbound/server/auth.go b/controller/northbound/server/auth.go
index 0528efb1949c77b5f59e7607183191e495b34609..cf6c370d20baa8282f72955d9854e3798b95bd43 100644
--- a/controller/northbound/server/auth.go
+++ b/controller/northbound/server/auth.go
@@ -93,13 +93,11 @@ func (s AuthServer) Login(ctx context.Context, request *apb.LoginRequest) (*apb.
 		return nil, err
 	}
 
-	userToUpdate.AddToken(token)
-	for len(userToUpdate.GetTokens()) > config.MaxTokensPerUser {
-		err = userToUpdate.RemoveToken(userToUpdate.GetTokens()[0])
-		if err != nil {
-			return nil, err
-		}
+	err = addTokenAndEnsureTokenLimit(userToUpdate, token)
+	if err != nil {
+		return nil, err
 	}
+
 	err = s.userService.Update(userToUpdate)
 	if err != nil {
 		return nil, err
@@ -218,3 +216,14 @@ func (s AuthServer) handleLogout(ctx context.Context, userName string) error {
 
 	return nil
 }
+
+func addTokenAndEnsureTokenLimit(userToUpdate rbacInterfaces.User, token string) error {
+	userToUpdate.AddToken(token)
+	for len(userToUpdate.GetTokens()) > config.MaxTokensPerUser {
+		err := userToUpdate.RemoveToken(userToUpdate.GetTokens()[0])
+		if err != nil {
+			return err
+		}
+	}
+	return nil
+}
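Review bot: addTokenAndEnsureTokenLimit has no guard for `config.MaxTokensPerUser` below 1: with 0 the loop evicts the token that was just added, and with a negative value the condition still holds on an empty list, so `userToUpdate.GetTokens()[0]` would index out of range (assuming GetTokens returns a slice). The test file assigns this value directly, so it is a mutable setting and a bad configuration would reach the login path. Consider rejecting it up front, e.g. `if config.MaxTokensPerUser < 1 { return errors.New("MaxTokensPerUser must be at least 1") }` (whether `errors` is imported in auth.go is not visible here). A doc comment would also help, e.g. `// addTokenAndEnsureTokenLimit appends token, then evicts tokens from the front of the list until at most config.MaxTokensPerUser remain; it assumes GetTokens is ordered oldest first.` Evicting a token presumably ends another session without any trace, so logging each eviction would give an audit trail for unexpected logouts.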
diff --git a/controller/northbound/server/auth_test.go b/controller/northbound/server/auth_test.go
index 7716ec35873d48c2bfefc51da63b5a1605c2079b..6399338095e383d3dd7a190f58506e9bdf980360 100644
--- a/controller/northbound/server/auth_test.go
+++ b/controller/northbound/server/auth_test.go
@@ -8,9 +8,13 @@ import (
 
 	"buf.build/gen/go/bufbuild/protovalidate/protocolbuffers/go/buf/validate"
 	apb "code.fbi.h-da.de/danet/gosdn/api/go/gosdn/rbac"
+	"code.fbi.h-da.de/danet/gosdn/controller/config"
+	"code.fbi.h-da.de/danet/gosdn/controller/conflict"
 	eventservice "code.fbi.h-da.de/danet/gosdn/controller/eventService"
 	"code.fbi.h-da.de/danet/gosdn/controller/rbac"
 	"github.com/bufbuild/protovalidate-go"
+	"github.com/google/uuid"
+	"github.com/stretchr/testify/assert"
 	"google.golang.org/grpc/metadata"
 )
 
@@ -291,3 +295,25 @@ func TestAuth_handleLogout(t *testing.T) {
 		})
 	}
 }
+
+func TestAuth_addTokenAndEnsureTokenLimit_addKey(t *testing.T) {
+	config.MaxTokensPerUser = 2
+	userID := uuid.New()
+	user := rbac.NewUser(userID, "testUser", map[string]string{}, "password", []string{"token1"}, "salt", conflict.Metadata{ResourceVersion: 0})
+	addTokenAndEnsureTokenLimit(user, "token2")
+
+	assert.Equal(t, 2, len(user.GetTokens()))
+	assert.Equal(t, "token1", user.GetTokens()[0])
+	assert.Equal(t, "token2", user.GetTokens()[1])
+}
+
+func TestAuth_addTokenAndEnsureTokenLimit_removeOldKey(t *testing.T) {
+	config.MaxTokensPerUser = 2
+	userID := uuid.New()
+	user := rbac.NewUser(userID, "testUser", map[string]string{}, "password", []string{"token1", "token2"}, "salt", conflict.Metadata{ResourceVersion: 0})
+	addTokenAndEnsureTokenLimit(user, "token3")
+
+	assert.Equal(t, 2, len(user.GetTokens()))
+	assert.Equal(t, "token2", user.GetTokens()[0])
+	assert.Equal(t, "token3", user.GetTokens()[1])
+}
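Review bot: Both new tests overwrite the package-level `config.MaxTokensPerUser` and never restore it, so the value 2 leaks into any test of this package that runs afterwards; save and restore it with `prev := config.MaxTokensPerUser` followed by `t.Cleanup(func() { config.MaxTokensPerUser = prev })`. The error returned by addTokenAndEnsureTokenLimit is also discarded in both tests; `assert.NoError(t, addTokenAndEnsureTokenLimit(user, "token2"))` would make a failing RemoveToken visible instead of surfacing only as a wrong token count. A user who starts out over the limit, so that one call has to evict more than one token, is not covered by either case.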