diff --git a/services/web/app/coffee/Features/TokenAccess/TokenAccessController.coffee b/services/web/app/coffee/Features/TokenAccess/TokenAccessController.coffee
index 7d8e49e91b..4b88e1914b 100644
--- a/services/web/app/coffee/Features/TokenAccess/TokenAccessController.coffee
+++ b/services/web/app/coffee/Features/TokenAccess/TokenAccessController.coffee
@@ -52,7 +52,7 @@ module.exports = TokenAccessController =
 else
 logger.log {token, projectId: project._id}, "[TokenAccess] deny anonymous read-and-write token access"
- return next(new Errors.NotFoundError())
+ return res.redirect('/restricted')
 if project.owner_ref.toString() == userId
 logger.log {userId, projectId: project._id}, "[TokenAccess] user is already project owner"
diff --git a/services/web/test/UnitTests/coffee/TokenAccess/TokenAccessControllerTests.coffee b/services/web/test/UnitTests/coffee/TokenAccess/TokenAccessControllerTests.coffee
index 31a855da5b..9695f5f428 100644
--- a/services/web/test/UnitTests/coffee/TokenAccess/TokenAccessControllerTests.coffee
+++ b/services/web/test/UnitTests/coffee/TokenAccess/TokenAccessControllerTests.coffee
@@ -150,6 +150,7 @@ describe "TokenAccessController", ->
 @TokenAccessHandler.ANONYMOUS_READ_AND_WRITE_ENABLED = false
 @req = new MockRequest()
 @res = new MockResponse()
+ @res.redirect = sinon.stub()
 @next = sinon.stub()
 @req.params['read_and_write_token'] = @readAndWriteToken
 @TokenAccessHandler.findProjectWithReadAndWriteToken = sinon.stub()
@@ -175,9 +176,9 @@ describe "TokenAccessController", ->
 expect(@ProjectController.loadEditor.calledWith(@req, @res, @next)).to.equal false
 done()
- it 'should call next with an error', (done) ->
- expect(@next.callCount).to.equal 1
- expect(@next.lastCall.args[0]).to.be.instanceof Error
+ it 'should redirect to restricted page', (done) ->
+ expect(@res.redirect.callCount).to.equal 1
+ expect(@res.redirect.calledWith('/restricted')).to.equal true
 done()
 describe 'when findProject produces an error', ->
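Review bot: The new `return res.redirect('/restricted')` in TokenAccessController.coffee is reached only after a project was found for the token (the log line just above it reads `project._id`), so an anonymous request with a valid read-and-write token now gets a 302. If the no-project branch outside this hunk still ends in `NotFoundError`, an unknown token gets a 404, and the two responses let an unauthenticated client tell whether a token exists; the removed line presumably kept both cases identical. Either send the unknown-token case to the same page, or record the decision next to the redirect, e.g. `# valid token, anonymous read-write disabled: response intentionally differs from the unknown-token 404`. The enclosing handler starts and ends outside the hunk.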
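Review bot: The rewritten case 'should redirect to restricted page' in TokenAccessControllerTests.coffee drops every assertion on `@next`, so a handler that redirects and also calls `next` would still pass. Add `expect(@next.callCount).to.equal 0` beside the two redirect checks; `@next` is already stubbed in the setup shown in the earlier hunk, which appears to belong to the same `describe`. The surrounding `describe` block starts outside the hunk.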
diff --git a/services/web/test/acceptance/coffee/TokenAccessTests.coffee b/services/web/test/acceptance/coffee/TokenAccessTests.coffee
index d1a4f52882..0e2985f75a 100644
--- a/services/web/test/acceptance/coffee/TokenAccessTests.coffee
+++ b/services/web/test/acceptance/coffee/TokenAccessTests.coffee
@@ -283,7 +283,8 @@ describe 'TokenAccess', ->
 it 'should not allow the user to access read-and-write token', (done) ->
 try_read_and_write_token_access(@anon, @tokens.readAndWrite, (response, body) =>
- expect(response.statusCode).to.equal 404
+ expect(response.statusCode).to.equal 302
+ expect(body).to.match /.*\/restricted.*/
 , done)
 it 'should not allow the user to join the project', (done) ->
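Review bot: `expect(body).to.match /.*\/restricted.*/` checks the response body rather than the redirect target, and the unanchored pattern passes for any body that merely mentions `/restricted`. Asserting on the header pins the behaviour the controller change introduces: `expect(response.headers.location).to.equal '/restricted'`, assuming `response` exposes the raw headers as its `statusCode` use suggests. This access-control test would then fail if the redirect ever pointed somewhere else, for instance back at the project.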