diff --git a/pass/routes/api.js b/pass/routes/api.js
index 1d3d20f23fa2871e136b9de9142fd1e76162bd91..96c781e01a257fc402694fc49614c4c87bb96797 100644
--- a/pass/routes/api.js
+++ b/pass/routes/api.js
@@ -227,7 +227,7 @@ router.post(
       res.status(422).json(errors);
       return;
     }
-    let key = await Key.GET_KEY(req.body.key, false);
+
     let date = dayjs(
       req.body.date,
       config.get("crypto.private_key.date_format")
@@ -235,10 +235,14 @@ router.post(
     let blinded_tokens = req.body.blinded_tokens;
     let signed_tokens = {};
 
+    let key = await Key.GET_KEY(req.body.key, true);
     if (key.get_charge() < blinded_tokens.length) {
       res.status(422).json({
         message: "Invalid Key",
       });
+    } else {
+      key.discharge_key(blinded_tokens.length);
+      await key.save();
     }
 
     // Make signing requests always the same duration to prevent timing attacks on the private key