diff --git a/src/cargo/util/auth/mod.rs b/src/cargo/util/auth/mod.rs
index 2dc66f56241..2fcb88f5035 100644
--- a/src/cargo/util/auth/mod.rs
+++ b/src/cargo/util/auth/mod.rs
@@ -9,6 +9,7 @@ use cargo_credential::{
     Action, CacheControl, Credential, CredentialResponse, LoginOptions, Operation, RegistryInfo,
     Secret,
 };
+use crates_io::check_token;
 
 use core::fmt;
 use serde::Deserialize;
@@ -236,6 +237,11 @@ pub fn registry_credential_config_raw(
         return Ok(cfg.clone());
     }
     let cfg = registry_credential_config_raw_uncached(gctx, sid)?;
+    if let Some(RegistryConfig { token: Some(token), .. }) = &cfg {
+        check_token(&token.val.as_deref().expose()).with_context(|| {
+            format!("Token for {sid} is invalid (defined in {})", token.definition)
+        })?;
+    }
     cache.insert(*sid, cfg.clone());
     return Ok(cfg);
 }
diff --git a/tests/testsuite/publish.rs b/tests/testsuite/publish.rs
index 6fd99767f27..de9c039d0c3 100644
--- a/tests/testsuite/publish.rs
+++ b/tests/testsuite/publish.rs
@@ -3609,10 +3609,7 @@ fn invalid_token() {
         .env("CARGO_REGISTRY_TOKEN", "\x16")
         .with_stderr_data(str![[r#"
 [UPDATING] crates.io index
-[PACKAGING] foo v0.0.1 ([ROOT]/foo)
-[PACKAGED] 4 files, [FILE_SIZE]B ([FILE_SIZE]B compressed)
-[UPLOADING] foo v0.0.1 ([ROOT]/foo)
-[ERROR] failed to publish to registry at http://127.0.0.1:[..]/
+[ERROR] Token for registry `crates-io` is invalid (defined in environment variable `CARGO_REGISTRY_TOKEN`)
 
 Caused by:
   token contains invalid characters.