diff --git a/osu.Game/Online/API/OAuth.cs b/osu.Game/Online/API/OAuth.cs
index 0ee7e0e030..2f841b67b1 100644
--- a/osu.Game/Online/API/OAuth.cs
+++ b/osu.Game/Online/API/OAuth.cs
@@ -72,21 +72,28 @@ namespace osu.Game.Online.API
             }
         }
 
+        private static readonly object access_token_retrieval_lock = new object();
+
         /// <summary>
         /// Should be run before any API request to make sure we have a valid key.
         /// </summary>
         private bool ensureAccessToken()
         {
-            //todo: we need to mutex this to ensure only one authentication request is running at a time.
-
-            //If we already have a valid access token, let's use it.
+            // if we already have a valid access token, let's use it.
             if (accessTokenValid) return true;
 
-            //If not, let's try using our refresh token to request a new access token.
-            if (!string.IsNullOrEmpty(Token?.RefreshToken))
-                AuthenticateWithRefresh(Token.RefreshToken);
+            // we want to ensure only a single authentication update is happening at once.
+            lock (access_token_retrieval_lock)
+            {
+                // re-check if valid, in case another requrest completed and revalidated our access.
+                if (accessTokenValid) return true;
 
-            return accessTokenValid;
+                // if not, let's try using our refresh token to request a new access token.
+                if (!string.IsNullOrEmpty(Token?.RefreshToken))
+                    AuthenticateWithRefresh(Token.RefreshToken);
+
+                return accessTokenValid;
+            }
         }
 
         private bool accessTokenValid => Token?.IsValid ?? false;