diff --git a/internal/api/external.go b/internal/api/external.go
index facb8ce91..4337fc289 100644
--- a/internal/api/external.go
+++ b/internal/api/external.go
@@ -223,6 +223,9 @@ func (a *API) internalExternalProviderCallback(w http.ResponseWriter, r *http.Re
 flowState.ProviderAccessToken = providerAccessToken
 flowState.ProviderRefreshToken = providerRefreshToken
 flowState.UserID = &(user.ID)
+ issueTime := time.Now()
+ flowState.IssuedAt = &issueTime
+
 terr = tx.Update(flowState)
 } else {
 token, terr = a.issueRefreshToken(ctx, tx, user, models.OAuth, grantParams)
diff --git a/internal/api/pkce.go b/internal/api/pkce.go
index ff9cdde67..59f677677 100644
--- a/internal/api/pkce.go
+++ b/internal/api/pkce.go
@@ -45,8 +45,7 @@ func issueAuthCode(tx *storage.Connection, user *models.User, authenticationMeth
 } else if err != nil {
 return "", err
 }
- // No op action to mark that auth code has been issued
- if err := tx.Update(flowState); err != nil {
+ if err := flowState.RecordIssuedTime(tx); err != nil {
 return "", err
 }
diff --git a/internal/models/flow_state.go b/internal/models/flow_state.go
index 533394944..486613488 100644
--- a/internal/models/flow_state.go
+++ b/internal/models/flow_state.go
@@ -28,6 +28,7 @@ type FlowState struct {
 ProviderType string `json:"provider_type" db:"provider_type"`
 ProviderAccessToken string `json:"provider_access_token" db:"provider_access_token"`
 ProviderRefreshToken string `json:"provider_refresh_token" db:"provider_refresh_token"`
+ IssuedAt *time.Time `json:"issued_at" db:"issued_at"`
 CreatedAt time.Time `json:"created_at" db:"created_at"`
 UpdatedAt time.Time `json:"updated_at" db:"updated_at"`
 }
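Review bot: In internal/api/external.go the callback stamps `IssuedAt` by hand (`issueTime := time.Now()`, `flowState.IssuedAt = &issueTime`) and then calls `tx.Update(flowState)`, which duplicates the `RecordIssuedTime` helper this same commit adds in internal/models/flow_state.go. Because the other fields are already assigned just above, the three lines could collapse to `terr = flowState.RecordIssuedTime(tx)`, leaving one place that decides how the issue time is taken and persisted. internalExternalProviderCallback begins and ends outside this hunk, so the surrounding branch is not visible here.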
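Review bot: The new `IssuedAt` field in the FlowState struct (internal/models/flow_state.go) has no comment, and neither its name nor its tags say what was issued or that nil is a valid state. Judging by the comment removed in the pkce.go hunk, it appears to be the time the auth code was issued, so a line such as `// IssuedAt is when the auth code for this flow was issued; nil until then.` would help anyone using it in an expiry check. The struct declaration starts outside the hunk.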
@@ -153,7 +154,16 @@ func (f *FlowState) VerifyPKCE(codeVerifier string) error {
 func (f *FlowState) IsExpired(expiryDuration time.Duration) bool {
 if f.AuthenticationMethod == MagicLink.String() {
- return time.Now().After(f.UpdatedAt.Add(expiryDuration))
+ return time.Now().After(f.IssuedAt.Add(expiryDuration))
 }
 return time.Now().After(f.CreatedAt.Add(expiryDuration))
 }
+
+func (f *FlowState) RecordIssuedTime(tx *storage.Connection) error {
+ issueTime := time.Now()
+ f.IssuedAt = &issueTime
+ if err := tx.Update(f); err != nil {
+ return err
+ }
+ return nil
+}
diff --git a/migrations/20240221100230_add_issued_at_to_flow_state.sql b/migrations/20240221100230_add_issued_at_to_flow_state.sql
new file mode 100644
index 000000000..be0325032
--- /dev/null
+++ b/migrations/20240221100230_add_issued_at_to_flow_state.sql
@@ -0,0 +1 @@
+alter table {{ index .Options "Namespace" }}.flow_state add column if not exists issued_at timestamptz null;
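Review bot: `IsExpired` now calls `f.IssuedAt.Add(expiryDuration)` on a `*time.Time` with no nil check, so a magic-link flow state whose `issued_at` is NULL panics inside the expiry check instead of being evaluated. The migration in this commit adds the column as nullable with no backfill, so rows that already exist when it runs will hold NULL, as will any row for which `RecordIssuedTime` was never called. Guarding the branch with `if f.AuthenticationMethod == MagicLink.String() && f.IssuedAt != nil {` lets those rows fall through to the `CreatedAt` comparison, which is presumably the earlier timestamp and therefore the stricter bound. Separately, `RecordIssuedTime` is exported without a doc comment, and after the assignment its body could simply be `return tx.Update(f)`.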