diff --git a/src/extensionClient.js b/src/extensionClient.js
index 4429661..d623e48 100644
--- a/src/extensionClient.js
+++ b/src/extensionClient.js
@@ -37,7 +37,7 @@ class ExtensionClient {
 * @return {Promise>} The user data object.
 */
 async getUserIdentity() {
- const userData = await this.accessToken && jwtManager.decode(this.accessToken);
+ const userData = this.accessToken && await jwtManager.decode(this.accessToken);
 if (!userData) {
 return null;
 }
diff --git a/src/index.js b/src/index.js
index 313505c..6fc238c 100644
--- a/src/index.js
+++ b/src/index.js
@@ -112,6 +112,14 @@ class LoginClient {
 if (!userData) {
 return null;
 }
+
+ // We use startsWith because the issuer will be limited to only the authress custom domain FQDN subdomain, the hostUrl could be a specific subdomain subdomain for the tenant.
+ if (!this.hostUrl.startsWith(userData.iss)) {
+ this.logger && this.logger.log && this.logger.log({ title: 'Token saved in browser is for a different issuer, discarding', currentHostUrl: this.hostUrl, savedUserData: userData });
+ userIdentityTokenStorageManager.clear();
+ return null;
+ }
+
 userData.userId = userData.sub;
 return userData;
 }
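Review bot: The JSDoc on the context line above the fixed statement reads `@return {Promise>}`, which is a broken type and does not mention the `null` branch that the hunk's `if (!userData) { return null; }` produces; `@return {Promise<Object|null>} The user data object, or null when no access token is stored.` would document the contract this corrected expression now has. The reordered `await` is correct: the previous form awaited `this.accessToken` and left `jwtManager.decode(...)` as an un-awaited promise (or skipped it), so `userData` could be a pending promise rather than a value. Whether `jwtManager.decode` verifies the token's signature is not visible here; if it only base64-decodes, a comment saying so would help callers of `getUserIdentity` judge how far the returned data can be trusted. The body of `getUserIdentity` continues past the hunk.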
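Review bot: The issuer guard `if (!this.hostUrl.startsWith(userData.iss))` is a raw string-prefix comparison, so any `iss` claim that happens to be a prefix of the configured host URL (for example just `https://`, or the scheme plus the first letters of the hostname) passes the check, while a genuine tenant subdomain such as `https://tenant.<issuer-host>` fails it because the subdomain is a hostname suffix, not a string prefix; the comment in the hunk describes the intended subdomain relationship but the code does not implement it. Parsing both values with `new URL()` and comparing hostnames at a label boundary pins the issuer the way the comment intends, and a `try/catch` around the parse turns an unparsable or missing `iss` into a discard rather than a thrown `TypeError` (note that `this.hostUrl.startsWith(...)` also throws if `hostUrl` is ever unset — worth a guard or a constructor-time assertion). The log call also emits the full decoded claim set as `savedUserData`; logging only the `iss` (and at most `sub`) keeps any email or profile claims out of the log sink. Whether `userData` here comes from a signature-verified decode is not visible in this hunk, so the check should be treated as a cache-hygiene measure unless verification happens upstream.
```javascript
    // Compare parsed hostnames, not raw string prefixes: the issuer host must be the
    // hostUrl's host or a parent domain of it at a label boundary.
    let issuerHost = null;
    let currentHost = null;
    try {
      issuerHost = new URL(userData.iss).hostname;
      currentHost = new URL(this.hostUrl).hostname;
    } catch (error) {
      issuerHost = null;
    }
    const issuerMatches = issuerHost !== null && issuerHost !== ''
      && (currentHost === issuerHost || currentHost.endsWith(`.${issuerHost}`));
    if (!issuerMatches) {
      this.logger && this.logger.log && this.logger.log({ title: 'Token saved in browser is for a different issuer, discarding', currentHostUrl: this.hostUrl, tokenIssuer: userData.iss });
      userIdentityTokenStorageManager.clear();
      return null;
    }
    // … unchanged: userId assignment and return …
```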