diff --git a/plugins/auth_jupyterhub/fps_auth_jupyterhub/launch.py b/plugins/auth_jupyterhub/fps_auth_jupyterhub/launch.py
index a66ba59c..cdb91717 100644
--- a/plugins/auth_jupyterhub/fps_auth_jupyterhub/launch.py
+++ b/plugins/auth_jupyterhub/fps_auth_jupyterhub/launch.py
@@ -1,11 +1,11 @@
 import os
-from urllib.parse import urlparse
+from urllib.parse import unquote, urlparse
 from jupyverse_api.cli import main
 def launch():
- service_url = os.environ.get("JUPYTERHUB_SERVICE_URL")
+ service_url = unquote(os.environ.get("JUPYTERHUB_SERVICE_URL"))
 url = urlparse(service_url)
 try:
 return main.callback(
diff --git a/plugins/auth_jupyterhub/fps_auth_jupyterhub/routes.py b/plugins/auth_jupyterhub/fps_auth_jupyterhub/routes.py
index a1fb4e23..9e835384 100644
--- a/plugins/auth_jupyterhub/fps_auth_jupyterhub/routes.py
+++ b/plugins/auth_jupyterhub/fps_auth_jupyterhub/routes.py
@@ -52,7 +52,7 @@ async def get_oauth_callback(
 raise HTTPException(status_code=status.HTTP_403_FORBIDDEN)
 token = self.hub_auth.token_for_code(code)
- hub_user = self.hub_auth.user_for_token(token)
+ hub_user = await self.hub_auth.user_for_token(token, use_cache=False, sync=False)
 async with self.db_lock:
 db_session.add(
 UserDB(
@@ -101,6 +101,16 @@ async def _(
 jupyverse_jupyterhub_token: Annotated[Union[str, None], Cookie()] = None,
 ):
 if jupyverse_jupyterhub_token is not None:
+ hub_user = await self.hub_auth.user_for_token(
+ jupyverse_jupyterhub_token, use_cache=False, sync=False
+ )
+ scopes = self.hub_auth.check_scopes(self.hub_auth.access_scopes, hub_user)
+ if not scopes:
+ raise HTTPException(
+ status_code=status.HTTP_403_FORBIDDEN,
+ detail=f"User {hub_user['name']} cannot access this server",
+ )
+
 async with self.db_lock:
 user_db = await db_session.scalar(
 select(UserDB).filter_by(token=jupyverse_jupyterhub_token)
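Review bot: `unquote(os.environ.get("JUPYTERHUB_SERVICE_URL"))` in launch() raises a bare TypeError when the variable is unset, because `os.environ.get` returns None and `unquote` expects a string. Decoding the whole value before `urlparse` also turns an encoded `/`, `?`, `#` or `@` into a real delimiter, which can change what is parsed as host, port or path. I would read the variable with `service_url = os.environ["JUPYTERHUB_SERVICE_URL"]` (or fail with a clear message), keep `url = urlparse(service_url)` on the raw value, and decode only the component that needs it, e.g. `unquote(url.path)`. How `url` is consumed is outside the hunk, so which component that is has to be checked there.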
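Review bot: The result of `user_for_token(token, use_cache=False, sync=False)` in get_oauth_callback is used without a None check, and None is what jupyterhub's HubAuth documents as the return value when no user can be identified for the token. The same applies to the new call in the `@@ -101,6 +101,16 @@` hunk, where a stale or revoked cookie would reach `check_scopes(...)` and `hub_user['name']` with None and presumably surface as a 500 rather than a 403 or a fresh login. In the callback, add `if hub_user is None: raise HTTPException(status_code=status.HTTP_403_FORBIDDEN)` before the database write; in the cookie path, treat None as unauthenticated and fall through to the login redirect. Both function bodies continue outside their hunks, so any handling that already exists there is not visible.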
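Review bot: Every cookie-authenticated request now awaits a Hub round-trip through `user_for_token(..., use_cache=False, sync=False)` before the local `UserDB` lookup, and nothing in the hunk records that bypassing the cache is deliberate. If the goal is for token revocation and scope changes to apply on the next request, a comment above the call such as `# use_cache=False: re-check the token and its scopes with the Hub on every request` would keep a later change from re-enabling the cache as an optimisation. The visible lines do not handle a failure of that call, so it is worth confirming what a client sees when the Hub is slow or unreachable. The dependency function starts and ends outside the hunk.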
@@ -125,6 +135,11 @@ async def _(
 task.add_done_callback(self.background_tasks.discard)
 return user
+ if permissions:
+ raise HTTPException(
+ status_code=status.HTTP_403_FORBIDDEN,
+ )
+
 state = self.hub_auth.generate_state(next_url=str(request.url))
 raise HTTPException(
 status_code=status.HTTP_307_TEMPORARY_REDIRECT,
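Review bot: The new `if permissions:` branch answers with a 403 that carries no `detail` and no comment, so neither the client nor the next reader can tell why this request is refused instead of being sent to the Hub login like the redirect that follows. `permissions` is defined outside the hunk; if it marks endpoints that require specific permissions, a comment such as `# requests that require permissions are rejected outright rather than redirected to the Hub login` would make the intent explicit. Adding a `detail=` message, as the scope check earlier in this function does, would also make the two 403 responses distinguishable in logs. The enclosing function starts and ends outside the hunk.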