diff --git a/apps/server/src/collaboration/extensions/authentication.extension.ts b/apps/server/src/collaboration/extensions/authentication.extension.ts
index b7925619..1a42bd97 100644
--- a/apps/server/src/collaboration/extensions/authentication.extension.ts
+++ b/apps/server/src/collaboration/extensions/authentication.extension.ts
@@ -46,6 +46,10 @@ export class AuthenticationExtension implements Extension {
 throw new UnauthorizedException();
 }
+ if (user.deactivatedAt || user.deletedAt) {
+ throw new UnauthorizedException();
+ }
+
 const page = await this.pageRepo.findById(pageId);
 if (!page) {
 this.logger.warn(`Page not found: ${pageId}`);
diff --git a/apps/server/src/core/auth/auth.controller.ts b/apps/server/src/core/auth/auth.controller.ts
index fb98ed7f..dc1235ec 100644
--- a/apps/server/src/core/auth/auth.controller.ts
+++ b/apps/server/src/core/auth/auth.controller.ts
@@ -108,7 +108,7 @@ export class AuthController {
 @AuthUser() user: User,
 @AuthWorkspace() workspace: Workspace,
 ) {
- return this.authService.getCollabToken(user.id, workspace.id);
+ return this.authService.getCollabToken(user, workspace.id);
 }
 @UseGuards(JwtAuthGuard)
diff --git a/apps/server/src/core/auth/services/auth.service.ts b/apps/server/src/core/auth/services/auth.service.ts
index 9c761ef3..c71bc3bc 100644
--- a/apps/server/src/core/auth/services/auth.service.ts
+++ b/apps/server/src/core/auth/services/auth.service.ts
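Review bot: The new deactivated/deleted rejection in authentication.extension.ts throws without logging, unlike the page-not-found branch just below it, so a disabled account presenting a still-valid collab token leaves no trace for detection. I would add ``this.logger.warn(`Collab auth rejected for deactivated or deleted user: ${user.id}`);`` before the throw. The check also runs only when a connection authenticates; whether sessions already open when an account is deactivated get closed is not visible here and presumably needs a separate disconnect on deactivation. The enclosing method starts and ends outside the hunk.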
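Review bot: Passing the whole `user` in auth.controller.ts makes the downstream `deactivatedAt`/`deletedAt` check only as current as the object `@AuthUser()` injects, and the hunk does not show where that object comes from. If the guard builds it from JWT claims or a cached record rather than a fresh database row, a just-deactivated account would still pass until its access token expires. A comment on the handler such as `// user must be the DB-loaded record; generateCollabToken relies on deactivatedAt/deletedAt` would record that dependency. The handler's decorators and guard sit above the hunk.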
@@ -22,7 +22,7 @@ import { ForgotPasswordDto } from '../dto/forgot-password.dto';
 import ForgotPasswordEmail from '@docmost/transactional/emails/forgot-password-email';
 import { UserTokenRepo } from '@docmost/db/repos/user-token/user-token.repo';
 import { PasswordResetDto } from '../dto/password-reset.dto';
-import { UserToken, Workspace } from '@docmost/db/types/entity.types';
+import { User, UserToken, Workspace } from '@docmost/db/types/entity.types';
 import { UserTokenType } from '../auth.constants';
 import { KyselyDB } from '@docmost/db/types/kysely.types';
 import { InjectKysely } from 'nestjs-kysely';
@@ -222,9 +222,9 @@ export class AuthService {
 }
 }
- async getCollabToken(userId: string, workspaceId: string) {
+ async getCollabToken(user: User, workspaceId: string) {
 const token = await this.tokenService.generateCollabToken(
- userId,
+ user,
 workspaceId,
 );
 return { token };
diff --git a/apps/server/src/core/auth/services/token.service.ts b/apps/server/src/core/auth/services/token.service.ts
index 963e8e65..c0e64e25 100644
--- a/apps/server/src/core/auth/services/token.service.ts
+++ b/apps/server/src/core/auth/services/token.service.ts
@@ -22,7 +22,7 @@ export class TokenService {
 ) {}
 async generateAccessToken(user: User): Promise {
- if (user.deletedAt) {
+ if (user.deactivatedAt || user.deletedAt) {
 throw new ForbiddenException();
 }
@@ -35,12 +35,13 @@ export class TokenService {
 return this.jwtService.sign(payload);
 }
- async generateCollabToken(
- userId: string,
- workspaceId: string,
- ): Promise {
+ async generateCollabToken(user: User, workspaceId: string): Promise {
+ if (user.deactivatedAt || user.deletedAt) {
+ throw new ForbiddenException();
+ }
+
 const payload: JwtCollabPayload = {
- sub: userId,
+ sub: user.id,
 workspaceId,
 type: JwtType.COLLAB,
 };
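Review bot: In token.service.ts `generateAccessToken` the widened check stops new tokens being issued, but nothing in this diff shows access tokens issued before deactivation being rejected at validation time. Unless the JWT validation path also looks at `deactivatedAt`, a deactivated user keeps API access for the remaining token lifetime; that path should be confirmed or covered by the same check. The method could also carry a docstring stating the contract, `/** Rejects with ForbiddenException when the user is deactivated or deleted. */`. The rest of the method body lies outside the hunk.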
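Review bot: The predicate `user.deactivatedAt || user.deletedAt` is now written out three times (here in `generateCollabToken`, in `generateAccessToken`, and in authentication.extension.ts), so a later account state added to one copy can be missed in the others. A shared helper, e.g. `const isUserDisabled = (u: User): boolean => Boolean(u.deactivatedAt || u.deletedAt);`, would keep the three gates in step. The copies also differ in what they throw (`ForbiddenException` here, `UnauthorizedException` in the extension); if that is deliberate, a one-line comment would say why. The end of `generateCollabToken` is outside the hunk.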