diff --git a/src/Core/KeyManagement/Utilities/EncryptionParsing.cs b/src/Core/KeyManagement/Utilities/EncryptionParsing.cs
index 4658f4cf59..f288cfd99a 100644
--- a/src/Core/KeyManagement/Utilities/EncryptionParsing.cs
+++ b/src/Core/KeyManagement/Utilities/EncryptionParsing.cs
@@ -10,36 +10,19 @@ public static class EncryptionParsing
///
public static EncryptionType GetEncryptionType(string encString)
{
- if (string.IsNullOrWhiteSpace(encString))
- {
- throw new ArgumentException("Encrypted string cannot be null or empty.", nameof(encString));
- }
-
var parts = encString.Split('.');
if (parts.Length == 1)
{
- // No header detected; assume AES CBC variants based on number of pieces
- var splitParts = encString.Split('|');
- if (splitParts.Length == 3)
- {
- return EncryptionType.AesCbc128_HmacSha256_B64;
- }
-
- return EncryptionType.AesCbc256_B64;
+ throw new ArgumentException("Invalid encryption type string.");
}
-
- // Try parse header as numeric, then as enum name, else fail
if (byte.TryParse(parts[0], out var encryptionTypeNumber))
{
- return (EncryptionType)encryptionTypeNumber;
+ if (Enum.IsDefined(typeof(EncryptionType), encryptionTypeNumber))
+ {
+ return (EncryptionType)encryptionTypeNumber;
+ }
}
-
- if (Enum.TryParse(parts[0], out EncryptionType parsed))
- {
- return parsed;
- }
-
- throw new ArgumentException("Invalid encryption type header.", nameof(encString));
+ throw new ArgumentException("Invalid encryption type string.");
}
}
diff --git a/src/Identity/IdentityServer/RequestValidators/BaseRequestValidator.cs b/src/Identity/IdentityServer/RequestValidators/BaseRequestValidator.cs
index 4226098b4e..ae6aaed2bd 100644
--- a/src/Identity/IdentityServer/RequestValidators/BaseRequestValidator.cs
+++ b/src/Identity/IdentityServer/RequestValidators/BaseRequestValidator.cs
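Review bot: In `GetEncryptionType` (EncryptionParsing.cs), a null `encString` now reaches `encString.Split('.')` and surfaces as a `NullReferenceException` rather than the `ArgumentException` thrown for every other malformed input, because the guard at the top of the method was removed. If callers reject malformed encrypted strings by catching `ArgumentException`, a missing value would escape that handling; `ArgumentNullException.ThrowIfNull(encString);` as the first statement keeps the failure mode uniform. Both new throws also drop `nameof(encString)`, which the old messages carried. Separately, `byte.TryParse(parts[0], out var encryptionTypeNumber)` with default styles accepts surrounding whitespace and a leading sign, so passing `NumberStyles.None` and `CultureInfo.InvariantCulture` would make the header check as strict as the new `Enum.IsDefined` test intends.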
@@ -122,6 +122,10 @@ public abstract class BaseRequestValidator where T : class
return;
}
+ // 1.5 We need to check now the version number
+ await ValidateClientVersionAsync(context, validatorContext);
+
+
// 2. Decide if this user belongs to an organization that requires SSO.
validatorContext.SsoRequired = await RequireSsoLoginAsync(user, request.GrantType);
if (validatorContext.SsoRequired)
diff --git a/src/Identity/IdentityServer/RequestValidators/ClientVersionValidator.cs b/src/Identity/IdentityServer/RequestValidators/ClientVersionValidator.cs
index 3d35db7f17..5896061e13 100644
--- a/src/Identity/IdentityServer/RequestValidators/ClientVersionValidator.cs
+++ b/src/Identity/IdentityServer/RequestValidators/ClientVersionValidator.cs
@@ -11,7 +11,8 @@ public interface IClientVersionValidator
Task ValidateAsync(User user, CustomValidatorRequestContext requestContext);
}
-public class ClientVersionValidator(ICurrentContext currentContext,
+public class ClientVersionValidator(
+ ICurrentContext currentContext,
IGetMinimumClientVersionForUserQuery getMinimumClientVersionForUserQuery)
: IClientVersionValidator
{
@@ -37,7 +38,7 @@ public class ClientVersionValidator(ICurrentContext currentContext,
{
requestContext.ValidationErrorResult = new ValidationResult
{
- Error = "invalid_grant",
+ Error = "invalid_client_version",
ErrorDescription = UpgradeMessage,
IsError = true
};
diff --git a/src/Identity/IdentityServer/RequestValidators/CustomTokenRequestValidator.cs b/src/Identity/IdentityServer/RequestValidators/CustomTokenRequestValidator.cs
index e7fc4b6498..4a5befc42b 100644
--- a/src/Identity/IdentityServer/RequestValidators/CustomTokenRequestValidator.cs
+++ b/src/Identity/IdentityServer/RequestValidators/CustomTokenRequestValidator.cs
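Review bot: The `await ValidateClientVersionAsync(context, validatorContext);` call added under step 1.5 in BaseRequestValidator.cs has no visible effect on control flow: its result is discarded and execution falls straight through to the SSO decision in step 2. Unless the helper writes the failure response itself and the later steps honour it (not visible here; the enclosing method starts and ends outside the hunk), a client below the minimum version would continue through the remaining validation steps. If the helper reports failure through a return value or through `validatorContext.ValidationErrorResult`, test it at this point and `return;` early, as the step above does. The comment would be clearer as `// 1.5 Reject clients below the user's minimum supported version.`, and one of the two added blank lines can go.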
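Review bot: `Error = "invalid_client_version"` in ClientVersionValidator.cs is not one of the token-endpoint error codes listed in RFC 6749 section 5.2, so clients and middleware that switch on the standard set may handle it as an unknown failure; the clients that hit this path are by definition the older ones, so it is worth confirming they surface `UpgradeMessage` rather than a generic error. Because the minimum version is looked up per user, the distinct code also tells the caller something about the account, so this validator should only run after credentials have been verified, and a comment stating that precondition next to the assignment would help. A named constant for the string would keep the validator and its consumers from drifting apart. The enclosing method starts outside the hunk.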
@@ -16,11 +16,8 @@ using Bit.Core.Settings;
using Duende.IdentityModel;
using Duende.IdentityServer.Extensions;
using Duende.IdentityServer.Validation;
-using HandlebarsDotNet;
using Microsoft.AspNetCore.Identity;
-#nullable enable
-
namespace Bit.Identity.IdentityServer.RequestValidators;
public class CustomTokenRequestValidator : BaseRequestValidator,
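Review bot: Removing `#nullable enable` from CustomTokenRequestValidator.cs leaves this file's nullable context to the project default, which is not visible in the diff. If the project does not set `<Nullable>enable</Nullable>`, the compiler stops warning about possible null dereferences in a validator that handles token requests, so confirm the project-level setting or keep the directive. Dropping the unused `using HandlebarsDotNet;` is fine on its own.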