diff --git a/schemes/auth.py b/schemes/auth.py
index 43fa19c7..ea6ee2ad 100644
--- a/schemes/auth.py
+++ b/schemes/auth.py
@@ -16,13 +16,18 @@ def callback() -> BaseResponse:
 user = oauth.govuk.userinfo(token=token)
 if user["email"] not in current_app.extensions["users"]:
- return Response("

Unauthorized

", status=401)
+ return redirect(url_for("auth.unauthorized"))
 session["user"] = user
 session["id_token"] = token["id_token"]
 return redirect(url_for("home.index"))
+@bp.route("/unauthorized")
+def unauthorized() -> Response:
+ return Response("

Unauthorized

", status=401)
+
+
 @bp.route("/logout")
+def logout() -> BaseResponse:
+ id_token = session["id_token"]
diff --git a/tests/integration/test_auth.py b/tests/integration/test_auth.py
index 4b5f4989..e4f9f41f 100644
--- a/tests/integration/test_auth.py
+++ b/tests/integration/test_auth.py
@@ -34,13 +34,19 @@ def test_callback_redirects_to_home(client: FlaskClient) -> None:
 assert response.status_code == 302 and response.location == "/home"
-def test_callback_when_unauthorized_shows_unauthorized(client: FlaskClient) -> None:
+def test_callback_when_unauthorized_redirects_to_unauthorized(client: FlaskClient) -> None:
 current_app.extensions["users"].append("boardman@example.com")
 _given_oidc_returns_token_response({"id_token": "jwt"})
 _given_oidc_returns_user_info(UserInfo({"email": "obree@example.com"}))
 response = client.get("/auth")
+ assert response.status_code == 302 and response.location == "/auth/unauthorized"
+
+
+def test_unauthorized(client: FlaskClient) -> None:
+ response = client.get("/auth/unauthorized")
+ assert response.status_code == 401 and response.text == "
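Review bot: The rejected-login branch in `callback` (`if user["email"] not in current_app.extensions["users"]:`) now silently redirects, so a denied sign-in leaves no trace in the application log and the callback itself no longer answers with a 4xx that a monitor could count; add `current_app.logger.warning("OIDC login rejected for %s: not an allowed user", user["email"])` immediately before `return redirect(url_for("auth.unauthorized"))` so denied attempts remain visible, assuming the app uses the Flask logger elsewhere (not visible from this hunk). The new `unauthorized()` view answers 401 to a user who did authenticate with the identity provider but is not on the allow-list; that is an authorization failure, so `status=403` is the accurate code and also avoids emitting a 401 without a `WWW-Authenticate` header. The annotation `-> Response` on `unauthorized()` also differs from the sibling views' `-> BaseResponse`; one form should be used throughout the module. The `def` line of `callback` lies before this hunk.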

Unauthorized

"