diff --git a/auth/routes.go b/auth/routes.go
index cb1131e..c10ab83 100644
--- a/auth/routes.go
+++ b/auth/routes.go
@@ -8,6 +8,7 @@ import (
 "gitea.ravianand.me/Dan6erbond/listy/core"
 "gitea.ravianand.me/Dan6erbond/listy/internal"
 "gitea.ravianand.me/Dan6erbond/listy/users"
+ "github.com/spf13/viper"
 "github.com/zmb3/spotify/v2"
 )
@@ -65,6 +66,24 @@ func Callback(app *core.App) func(w http.ResponseWriter, r *http.Request) {
 return
 }
+ var allowUser bool
+
+ if allowUserIDs := viper.GetStringSlice("alloweduserids"); len(viper.GetStringSlice("alloweduserids")) != 0 {
+ for _, userID := range allowUserIDs {
+ if user.ID == userID {
+ allowUser = true
+ break
+ }
+ }
+ } else {
+ allowUser = true
+ }
+
+ if !allowUser {
+ http.Error(w, "You aren't allowed to access this application", http.StatusUnauthorized)
+ return
+ }
+
+ _, err = users.SaveUserToken(ctx, app, user.ID, token)
 if err != nil {
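Review bot: The allowlist check in Callback fails open: when `alloweduserids` is empty or unset (a misspelled key or a config file that did not load looks the same), the `else` branch sets `allowUser = true` and every account that completes the OAuth flow is accepted. If open access is the intended default, state that in a comment above the check and log it once at startup; otherwise require an explicit setting before the restriction is dropped. The rejection should use `http.StatusForbidden` rather than `http.StatusUnauthorized`, because the caller has authenticated and is being refused on authorisation. The condition also reads the setting twice, so `len(allowUserIDs) != 0` is enough, and the loop can become `allowUser = slices.Contains(allowUserIDs, user.ID)` if the module's Go version provides it. As far as the hunk shows the check runs only in this callback, whose body starts and ends outside the hunk, so it is worth confirming that a user later removed from the list does not keep a previously saved token.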