diff --git a/internal/endpoints/token/mytoken/mytokenEndpoint.go b/internal/endpoints/token/mytoken/mytokenEndpoint.go
index a1684a97d84a0bc01428aaa3c37df4e9a46c832a..578dd847a9207918ca4eea983a3a8a57ff88b8e2 100644
--- a/internal/endpoints/token/mytoken/mytokenEndpoint.go
+++ b/internal/endpoints/token/mytoken/mytokenEndpoint.go
@@ -65,6 +65,12 @@ func handleOIDCFlow(ctx *fiber.Ctx) error {
 			Response: api.ErrorUnknownIssuer,
 		}.Send(ctx)
 	}
+	if req.Capabilities != nil && len(req.Capabilities) == 0 {
+		return serverModel.Response{
+			Status:   fiber.StatusBadRequest,
+			Response: api.Error{Error: api.ErrorStrInvalidRequest, ErrorDescription: "capabilities cannot be empty"},
+		}.Send(ctx)
+	}
 	switch req.OIDCFlow {
 	case model.OIDCFlowAuthorizationCode:
 		return authcode.StartAuthCodeFlow(ctx, *req).Send(ctx)
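Review bot: The guard `if req.Capabilities != nil && len(req.Capabilities) == 0` rejects only an explicit empty list. Assuming `Capabilities` is a slice decoded with the default JSON rules, a request that omits the field or sends `null` yields nil and still reaches the `switch req.OIDCFlow`. Which capabilities such a token ends up with is not visible in this hunk, so the intent should be stated next to the check, for example `// nil means the field was omitted and is accepted; only an explicit empty list is rejected`, naming where the default set is applied. The same applies to the identical guard added in `HandleMytokenFromMytoken` in shared/mytoken/mytokenHandler.go. A test covering omitted, `null` and `[]` for both endpoints would pin the behaviour; the body of `handleOIDCFlow` starts before and continues after this hunk.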
diff --git a/shared/mytoken/mytokenHandler.go b/shared/mytoken/mytokenHandler.go
index 1431e60e36b17fbf8afd3534f8d3ba52389bcaa3..0f32f19722a46027eec978ff2f415746849ca161 100644
--- a/shared/mytoken/mytokenHandler.go
+++ b/shared/mytoken/mytokenHandler.go
@@ -104,6 +104,12 @@ func HandleMytokenFromMytoken(ctx *fiber.Ctx) *model.Response {
 	if err := json.Unmarshal(ctx.Body(), &req); err != nil {
 		return model.ErrorToBadRequestErrorResponse(err)
 	}
+	if req.Capabilities != nil && len(req.Capabilities) == 0 {
+		return &model.Response{
+			Status:   fiber.StatusBadRequest,
+			Response: api.Error{Error: api.ErrorStrInvalidRequest, ErrorDescription: "capabilities cannot be empty"},
+		}
+	}
 	req.Restrictions.ReplaceThisIp(ctx.IP())
 	req.Restrictions.ClearUnsupportedKeys()
 	log.Trace("Parsed mytoken request")
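Review bot: The empty-capabilities check here is a line-for-line second copy of the one added in internal/endpoints/token/mytoken/mytokenEndpoint.go, including the `api.Error{Error: api.ErrorStrInvalidRequest, ErrorDescription: "capabilities cannot be empty"}` literal. Two copies of a validation rule on a token request can drift apart, leaving one endpoint accepting what the other rejects. Consider moving the condition into a single validation function on the request type, or at least declaring the `api.Error` value once at package level, and calling it from both handlers. `HandleMytokenFromMytoken` starts before and continues after this hunk, so whether later code already validates capabilities cannot be told from here.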