diff --git a/app/views/user_api_keys/new.html.erb b/app/views/user_api_keys/new.html.erb
index f9cd18f41a8..6e0a6892091 100644
--- a/app/views/user_api_keys/new.html.erb
+++ b/app/views/user_api_keys/new.html.erb
@@ -20,8 +20,20 @@
   <%= hidden_field_tag 'auth_redirect', @auth_redirect %>
   <%= hidden_field_tag 'push_url', @push_url %>
   <%= hidden_field_tag 'public_key', @public_key%>
-  <%= submit_tag t('user_api_key.authorize'), class: 'btn btn-danger' %>
+  <%= submit_tag t('user_api_key.authorize'), class: 'btn btn-danger', id: 'submit' %>
 <% end %>
+<script>
+  window.__submitted = false;
+
+  // prevent double submission which would invalidate the nonce
+  document.getElementById('submit').addEventListener('click', function(e){
+    if (window.__submitted) {
+      e.preventDefault();
+    } else {
+      window.__submitted = true;
+    }
+  });
+</script>
 </div>
 <% end %>
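Review bot: The double-submit guard in the new `<script>` block runs only in the browser and is bound to the button's `click` event, so it has no effect when scripts are disabled or when the page is served under a Content-Security-Policy that blocks inline scripts; a second POST would still invalidate the nonce in those cases. The controller is not visible in this hunk, so if it does not already do so, it should handle a repeated submission of the same nonce itself (ignore it or return a clear error) rather than depend on this view. On the client, listening for the form's `submit` event and setting `button.disabled = true;` there would avoid the `window.__submitted` global. Separately, `id: 'submit'` on a control inside the form shadows the form element's own `submit()` method for any script that calls it, so a different id (for example `id: 'authorize-key'`, a constructed name) is safer. The enclosing form block starts above the hunk.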