diff --git a/changelog/28204.txt b/changelog/28204.txt
new file mode 100644
index 0000000000..beaef7968c
--- /dev/null
+++ b/changelog/28204.txt
@@ -0,0 +1,3 @@
+```release-note:bug
+ui: fixes renew-self being called right after login for non-renewable tokens
+```
\ No newline at end of file
diff --git a/ui/app/components/auth-jwt.js b/ui/app/components/auth-jwt.js
index 610b6d0993..9cf587d585 100644
--- a/ui/app/components/auth-jwt.js
+++ b/ui/app/components/auth-jwt.js
@@ -87,6 +87,8 @@ export default Component.extend({
 this.onError(err);
 },
 
+ // NOTE TO DEVS: Be careful when updating the OIDC flow and ensure the updates
+ // work with implicit flow. See issue https://github.com/hashicorp/vault-plugin-auth-jwt/pull/192
 prepareForOIDC: task(function* (oidcWindow) {
 const thisWindow = this.getWindow();
 // show the loading animation in the parent
diff --git a/ui/app/services/auth.js b/ui/app/services/auth.js
index 37c5118816..5f33a5a5e1 100644
--- a/ui/app/services/auth.js
+++ b/ui/app/services/auth.js
@@ -390,7 +390,7 @@ export default Service.extend({
 const now = this.now();
 this.set('lastFetch', timestamp);
 // if expiration was allowed and we're over half the ttl we want to go ahead and renew here
- if (this.allowExpiration && now >= this.renewAfterEpoch) {
+ if (this.allowExpiration && this.renewAfterEpoch && now >= this.renewAfterEpoch) {
 this.renew();
 }
 this.set('allowExpiration', false);
diff --git a/ui/tests/acceptance/auth-test.js b/ui/tests/acceptance/auth-test.js
index e17bf56968..4d9feb8c24 100644
--- a/ui/tests/acceptance/auth-test.js
+++ b/ui/tests/acceptance/auth-test.js
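Review bot: In `ui/app/services/auth.js`, the added `this.renewAfterEpoch &&` guard relies on truthiness without saying why, and the comment above it still describes only the half-TTL case. The old condition could only fire for a token with no renewal time if `renewAfterEpoch` is `null` or `0` there (`now >= null` coerces to `now >= 0`, while `now >= undefined` is false), so that appears to be its value for non-renewable tokens; its definition is outside the hunk, so confirm. I would record this next to the check, e.g. `// renewAfterEpoch is falsy for non-renewable tokens; without this guard now >= null is always true and renew-self fires right after login`. The enclosing function starts and ends outside the hunk.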
@@ -6,8 +6,9 @@
 import { module, test } from 'qunit';
 import { setupApplicationTest } from 'ember-qunit';
 import { click, currentURL, visit, waitUntil, find, fillIn } from '@ember/test-helpers';
-import { allSupportedAuthBackends, supportedAuthBackends } from 'vault/helpers/supported-auth-backends';
 import { setupMirage } from 'ember-cli-mirage/test-support';
+import { allSupportedAuthBackends, supportedAuthBackends } from 'vault/helpers/supported-auth-backends';
+import VAULT_KEYS from 'vault/tests/helpers/vault-keys';
 
 const AUTH_FORM = {
 method: '[data-test-select=auth-method]',
@@ -15,6 +16,7 @@ const AUTH_FORM = {
 login: '[data-test-auth-submit]',
 };
 const ENT_AUTH_METHODS = ['saml'];
+const { rootToken } = VAULT_KEYS;
 
 module('Acceptance | auth', function (hooks) {
 setupApplicationTest(hooks);
@@ -193,4 +195,17 @@ module('Acceptance | auth', function (hooks) {
 await fillIn(AUTH_FORM.method, 'token');
 await click('[data-test-auth-submit]');
 });
+
+ test('it does not call renew-self after successful login with non-renewable token', async function (assert) {
+ this.server.post(
+ '/auth/token/renew-self',
+ () => new Error('should not call renew-self directly after logging in')
+ );
+
+ await visit('/vault/auth');
+ await fillIn(AUTH_FORM.method, 'token');
+ await fillIn(AUTH_FORM.token, rootToken);
+ await click('[data-test-auth-submit]');
+ assert.strictEqual(currentURL(), '/vault/dashboard');
+ });
 });
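Review bot: In the new test in `ui/tests/acceptance/auth-test.js`, the `renew-self` handler returns an `Error` object instead of throwing or failing an assertion, and the only assertion is on `currentURL()`, so a regression that calls `renew-self` may still let the test pass. Whether a returned `Error` makes login or navigation fail depends on how Mirage serialises it and how the auth service handles the response, neither of which is visible here. I would record the call in the handler and assert on it explicitly, as sketched below; the `{}` response body is a stand-in for whatever the app tolerates. The `module(...)` callback starts outside the hunk.

```javascript
test('it does not call renew-self after successful login with non-renewable token', async function (assert) {
  let renewSelfCalled = false;
  this.server.post('/auth/token/renew-self', () => {
    renewSelfCalled = true;
    return {};
  });
  // … unchanged: visit /vault/auth, fill in the token form, submit …
  assert.strictEqual(currentURL(), '/vault/dashboard');
  assert.false(renewSelfCalled, 'renew-self is not called after login with a non-renewable token');
});
```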