diff --git a/features/developer_portal/cms_toolbar.feature b/features/developer_portal/cms_toolbar.feature
index e016178b20..aaf634b387 100644
--- a/features/developer_portal/cms_toolbar.feature
+++ b/features/developer_portal/cms_toolbar.feature
@@ -14,7 +14,7 @@ Feature: CMS Toolbar
     And go to the homepage
     Then there should not be a CMS toolbar
 
-  Scenario: Hide the toolbar
+  Scenario: Hide the toolbar when seeing drafts
     When they visit the developer portal in CMS mode
     And follow "Draft"
     And press "Toggle toolbar"
@@ -27,17 +27,22 @@ Feature: CMS Toolbar
     But they press "Toggle toolbar"
     And the cms toolbar should be visible
 
-  Scenario:
+  Scenario: Hide the toolbar when seeing published pages
     When they visit the developer portal in CMS mode
     And follow "Published"
     And follow "Close the CMS toolbar"
     Then there should not be a CMS toolbar
 
+  Scenario: Hide the toolbar when providing an expired signature
+    When they visit the developer portal in CMS mode with an expired signature
+    Then there should not be a CMS toolbar
+    And should see "Invalid or expired signature"
+
   Rule: There is a John Doe admin user
     Background:
       When the admin user is John Doe
 
-    Scenario: An admin visist de dev portal
+    Scenario: An admin visits the dev portal
       When they visit the developer portal in CMS mode
       Then the cms toolbar should be visible
       And should see "Templates used on this page"
diff --git a/features/step_definitions/developer_portal/cms_toolbar_steps.rb b/features/step_definitions/developer_portal/cms_toolbar_steps.rb
index 1d9182d8d1..1d753a549c 100644
--- a/features/step_definitions/developer_portal/cms_toolbar_steps.rb
+++ b/features/step_definitions/developer_portal/cms_toolbar_steps.rb
@@ -1,9 +1,15 @@
 # frozen_string_literal: true
 
-Given "they visit the developer portal in CMS mode" do
+Given /^they visit the developer portal in CMS mode(\swith an expired signature)?/ do |token_is_expired|
+  cms_token = @provider.settings.cms_token!
+  expires_at = Time.now.utc.round - 30.seconds
+  expires_at += 1.minute unless token_is_expired
+  signature = CMS::Signature.generate(cms_token, expires_at)
+
   visit access_code_url(host: @provider.external_domain,
                         cms: 'draft',
-                        cms_token: @provider.settings.cms_token!,
+                        expires_at: expires_at.to_i,
+                        signature:,
                         access_code: @provider.site_access_code)
 end
 
diff --git a/test/integration/cms/toolbar_test.rb b/test/integration/cms/toolbar_test.rb
index 825ece40c9..9848b95ac3 100644
--- a/test/integration/cms/toolbar_test.rb
+++ b/test/integration/cms/toolbar_test.rb
@@ -8,9 +8,12 @@ def setup
   end
 
   test 'CMS toolbar rendering' do
+    cms_token = @provider.settings.cms_token!
+    expires_at = Time.now.utc.round + 1.minute
+    signature = CMS::Signature.generate(cms_token, expires_at)
     host! @provider.internal_domain
 
-    get "/?cms_token=#{@provider.settings.cms_token!}"
+    get "/", params: { expires_at: expires_at.to_i, signature: }
     assert_response :success
 
     get '/api_docs/login'