diff --git a/TODO.md b/TODO.md
index cda19a7..ec8bc9b 100644
--- a/TODO.md
+++ b/TODO.md
@@ -28,8 +28,13 @@
 - [ ] Support error responses by https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.2.1
-- [ ] Redirect to login when JWT expire
+- [ ] UserWebGUI: Redirect to login when JWT expire
+- [ ] UserWebGUI: Show user authorizations.
+- [ ] UserWebGUI: Show available apps
+- [ ] UserWebGUI: Direct user grant flow, User can login to the target app/client, event if it did
+not started here.
 - [ ] Add admin panel via API
+- [ ] AdminWebGUI: Ability to create invitation links
 - [ ] Add admin CLI
 - [ ] add TOTP
diff --git a/src/middlewares/user_auth.rs b/src/middlewares/user_auth.rs
index 6004013..c178694 100644
--- a/src/middlewares/user_auth.rs
+++ b/src/middlewares/user_auth.rs
@@ -1,5 +1,10 @@
-
-use axum::{extract::{OriginalUri, Request, State}, http::StatusCode, middleware::Next, response::{Html, IntoResponse, Redirect, Response}, Extension};
+use axum::{
+ extract::{OriginalUri, Request, State},
+ http::{HeaderMap, HeaderValue, StatusCode},
+ middleware::Next,
+ response::{Html, IntoResponse, Redirect, Response},
+ Extension
+};
 use axum_extra::extract::CookieJar;
 use crate::{
@@ -12,6 +17,7 @@ use crate::{
 /// add optional auth to the extension data
 pub async fn auth_middleware(
 State(app_state): State,
+ OriginalUri(original_uri): OriginalUri,
 cookies: CookieJar,
 mut req: Request,
 next: Next,
@@ -26,8 +32,13 @@ pub async fn auth_middleware(
 let token_claims: UserTokenClaims = match verify_token(&app_state.secrets, jwt) {
 Ok(val) => val,
 Err(_e) => {
+ // UserWebGUI: delete invalid JWT cookie
+ let mut headers = HeaderMap::new();
+ let jwt_cookie = "minauth_jwt=deleted; SameSite=Lax; Max-Age=0".to_string();
+ headers.insert("Set-Cookie", HeaderValue::from_str(&jwt_cookie).unwrap());
+ headers.insert("Location", HeaderValue::from_str(&original_uri.to_string()).unwrap());
 return Err(
- (StatusCode::UNAUTHORIZED, Html("Unauthorized: The provided JWT is invalid."))
+ (StatusCode::SEE_OTHER, headers, Html("Unauthorized: Invalid JWT cookie."))
 );
 }
 };
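Review bot: The 303 sends `Location` straight back to `original_uri` while the clearing `Set-Cookie` built in `jwt_cookie` carries no `Path`/`Domain`/`Secure`/`HttpOnly` attributes; if `minauth_jwt` was issued with any of those (not visible in this hunk), browsers will not overwrite the original cookie, the invalid JWT is resent on the redirected request, and the client loops indefinitely. Since `cookies: CookieJar` is already an argument, removing the cookie through the jar keeps the attributes consistent with how it was set, e.g. `let jar = cookies.remove(Cookie::from("minauth_jwt"));` (`axum_extra::extract::cookie::Cookie`) returned as `(jar, Redirect::to(&original_uri.to_string()))`, assuming the `Err` type accepts an `IntoResponse` tuple as the current code suggests — `Redirect` is already imported and produces the 303 without the hand-built `HeaderMap`. The two `HeaderValue::from_str(..).unwrap()` calls operate on request-derived data; a parsed `Uri` should stringify to a valid header value, but an explicit fallback to the previous 401 avoids leaving a panic path in the middleware. Callers that are not browsers previously received a 401 and now get a 303 with an HTML body, which is worth confirming against the API clients of this service. `auth_middleware` starts and ends outside the hunk.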