diff --git a/services/web/app/coffee/Features/TokenAccess/TokenAccessHandler.coffee b/services/web/app/coffee/Features/TokenAccess/TokenAccessHandler.coffee
index e2c0feab50..9e94f80dbf 100644
--- a/services/web/app/coffee/Features/TokenAccess/TokenAccessHandler.coffee
+++ b/services/web/app/coffee/Features/TokenAccess/TokenAccessHandler.coffee
@@ -134,6 +134,7 @@ module.exports = TokenAccessHandler =
 				return
 			if privilegeLevel != PrivilegeLevels.READ_AND_WRITE
 				project.tokens.readAndWrite = ''
+				project.tokens.readAndWritePrefix = ''
 			if privilegeLevel != PrivilegeLevels.READ_ONLY
 				project.tokens.readOnly = ''
 
diff --git a/services/web/test/unit/coffee/TokenAccess/TokenAccessHandlerTests.coffee b/services/web/test/unit/coffee/TokenAccess/TokenAccessHandlerTests.coffee
index e2ebd00c2b..93fea87658 100644
--- a/services/web/test/unit/coffee/TokenAccess/TokenAccessHandlerTests.coffee
+++ b/services/web/test/unit/coffee/TokenAccess/TokenAccessHandlerTests.coffee
@@ -480,11 +480,12 @@ describe "TokenAccessHandler", ->
 
 	describe 'protectTokens', ->
 		beforeEach ->
-			@project = {tokens: {readAndWrite: 'rw', readOnly: 'ro'}}
+			@project = {tokens: {readAndWrite: 'rw', readOnly: 'ro', readAndWritePrefix: 'pre'}}
 
 		it 'should hide write token from read-only user', ->
 			@TokenAccessHandler.protectTokens(@project, 'readOnly')
 			expect(@project.tokens.readAndWrite).to.equal ''
+			expect(@project.tokens.readAndWritePrefix).to.equal ''
 			expect(@project.tokens.readOnly).to.equal 'ro'
 
 		it 'should hide read token from read-write user', ->