diff --git a/website/api/controllers/get-est-device-certificate.js b/website/api/controllers/get-est-device-certificate.js
index a69e83d0eb..5a69979f2f 100644
--- a/website/api/controllers/get-est-device-certificate.js
+++ b/website/api/controllers/get-est-device-certificate.js
@@ -83,11 +83,11 @@ module.exports = {
 throw 'invalidToken';
 }
 
- if (!introspectResponse.body.active) {
+ const introspectBody = JSON.parse(introspectResponse.body);
+ if (!introspectBody.active) {
 throw 'invalidToken';
 }
-
- const introspectUsername = introspectResponse.body.username;
+ const introspectUsername = introspectBody.username;
 
 // Extract the email and username from the CSR. Ensure they match.
 let jsrsasign = require('jsrsasign');
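Review bot: `JSON.parse(introspectResponse.body)` runs on the introspection endpoint's response with no error handling, so a non-JSON body (an HTML error page, an empty string) raises a SyntaxError rather than taking the `invalidToken` path, and a body that parses to `null` makes `introspectBody.active` throw a TypeError. The `!introspectBody.active` test is also a truthiness check, so a string value such as `"false"` would count as active; comparing with `=== true` fails closed before a certificate is issued. I would parse inside a try/catch and reject anything that is not an object with `active === true`, as sketched below; whether a malformed response should map to `invalidToken` or to a separate server-error exit is the authors' call. The enclosing function starts and ends outside the hunk, so how `introspectUsername` is later matched against the CSR is not visible here.

```javascript
// … unchanged: introspection request and the earlier invalidToken check …
let introspectBody;
try {
  introspectBody = JSON.parse(introspectResponse.body);
} catch (unusedErr) {
  // Fail closed: an unparseable introspection response never authorizes issuance.
  throw 'invalidToken';
}
if (!introspectBody || typeof introspectBody !== 'object' || introspectBody.active !== true) {
  throw 'invalidToken';
}
const introspectUsername = introspectBody.username;
```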