diff --git a/Gemfile b/Gemfile
index 0c5b588..525c734 100644
--- a/Gemfile
+++ b/Gemfile
@@ -178,4 +178,4 @@ gem "phlex-pdf", "~> 0.1.2"
 
 gem "ttfunk", github: "24c02/ttfunk"
 
-gem "hcbv4", "~> 0.1"
+gem "hcbv4", "~> 0.2"
diff --git a/Gemfile.lock b/Gemfile.lock
index 2c0c504..a6493a1 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -238,7 +238,7 @@ GEM
       hashids (~> 1.0)
     hashids (1.0.6)
     hashie (5.0.0)
-    hcbv4 (0.1.1)
+    hcbv4 (0.2.0)
     http (5.2.0)
       addressable (~> 2.8)
       base64 (~> 0.1)
@@ -723,7 +723,7 @@ DEPENDENCIES
   foreman (~> 0.88.1)
   good_job (~> 4.11)
   hashid-rails (~> 1.4)
-  hcbv4 (~> 0.1)
+  hcbv4 (~> 0.2)
   http (~> 5.2)
   ivymeter (~> 0.1.0)
   jb (~> 0.8.2)
diff --git a/app/controllers/hcb/payment_accounts_controller.rb b/app/controllers/hcb/payment_accounts_controller.rb
index 57583b2..c392919 100644
--- a/app/controllers/hcb/payment_accounts_controller.rb
+++ b/app/controllers/hcb/payment_accounts_controller.rb
@@ -9,6 +9,12 @@ class HCB::PaymentAccountsController < ApplicationController
     redirect_to hcb_payment_accounts_path, alert: "Failed to load HCB organizations: #{e.message} (#{event_id})"
   end
 
+  rescue_from OAuth2::Error do |e|
+    Sentry.capture_exception(e, extra: { user_id: current_user.id, response_body: e.response&.body })
+    current_user.hcb_oauth_connection&.destroy
+    redirect_to new_hcb_oauth_connection_path, alert: "Your HCB connection expired. Please reconnect."
+  end
+
   def index
     @payment_accounts = current_user.hcb_payment_accounts
   end
diff --git a/app/models/hcb/oauth_connection.rb b/app/models/hcb/oauth_connection.rb
index 016c983..effb4b4 100644
--- a/app/models/hcb/oauth_connection.rb
+++ b/app/models/hcb/oauth_connection.rb
@@ -34,26 +34,18 @@ class HCB::OauthConnection < ApplicationRecord
       refresh_token: refresh_token,
       expires_at: expires_at&.to_i,
       base_url: hcb_api_base,
+      on_token_refresh: ->(token) {
+        update!(
+          access_token: token.token,
+          refresh_token: token.refresh_token,
+          expires_at: token.expires_at ? Time.at(token.expires_at) : nil,
+        )
+      }
     )
   end
 
   def organizations
-    result = client.organizations
-    persist_refreshed_token!
-    result
-  end
-
-  def persist_refreshed_token!
-    token = client.oauth_token
-    return unless token.respond_to?(:token)
-
-    if token.token != access_token || token.refresh_token != refresh_token
-      update!(
-        access_token: token.token,
-        refresh_token: token.refresh_token,
-        expires_at: token.expires_at ? Time.at(token.expires_at) : nil,
-      )
-    end
+    client.organizations
   end
 
   private