diff --git a/todo.md b/todo.md
index e3a07b5..7aebf65 100644
--- a/todo.md
+++ b/todo.md
@@ -1,7 +1,5 @@
 # 31 Oct 2020 Launch List
 
-- [ ] Anyone can delete tokens
-- [ ] QR codes for admin are broken
 - [ ] General security review.
 - [ ] Invalid database is wiping out tunnels
 - [ ] Improve SSH key download UI.
diff --git a/ui_handler.go b/ui_handler.go
index 84c9c0a..ad3740c 100644
--- a/ui_handler.go
+++ b/ui_handler.go
@@ -211,7 +211,6 @@ func (h *WebUiHandler) handleWebUiRequest(w http.ResponseWriter, r *http.Request
 
 		var tokens map[string]TokenData
 		var users map[string]User
-		qrCodes := make(map[string]template.URL)
 
 		if user.IsAdmin {
 			tokens = h.db.GetTokens()
@@ -224,24 +223,28 @@ func (h *WebUiHandler) handleWebUiRequest(w http.ResponseWriter, r *http.Request
 					tokens[token] = td
 				}
 
-				loginUrl := fmt.Sprintf("https://%s/login?access_token=%s", h.config.WebUiDomain, token)
-
-				var png []byte
-				png, err := qrcode.Encode(loginUrl, qrcode.Medium, 256)
-				if err != nil {
-					w.WriteHeader(500)
-					h.alertDialog(w, r, err.Error(), "/#/tokens")
-					return
-				}
-
-				data := base64.StdEncoding.EncodeToString(png)
-				qrCodes[token] = template.URL("data:image/png;base64," + data)
 			}
 
 			users = make(map[string]User)
 			users[tokenData.Owner] = user
 		}
 
+		qrCodes := make(map[string]template.URL)
+		for token := range tokens {
+			loginUrl := fmt.Sprintf("https://%s/login?access_token=%s", h.config.WebUiDomain, token)
+
+			var png []byte
+			png, err := qrcode.Encode(loginUrl, qrcode.Medium, 256)
+			if err != nil {
+				w.WriteHeader(500)
+				h.alertDialog(w, r, err.Error(), "/#/tokens")
+				return
+			}
+
+			data := base64.StdEncoding.EncodeToString(png)
+			qrCodes[token] = template.URL("data:image/png;base64," + data)
+		}
+
 		indexData := IndexData{
 			Head:    h.headHtml,
 			Tunnels: tunnels,