diff --git a/management/server/http/middleware/auth_middleware.go b/management/server/http/middleware/auth_middleware.go
index a8e6790a9..8b944367c 100644
--- a/management/server/http/middleware/auth_middleware.go
+++ b/management/server/http/middleware/auth_middleware.go
@@ -142,6 +142,12 @@ func (m *AuthMiddleware) checkPATFromRequest(r *http.Request, auth []string) (*h
 return r, fmt.Errorf("token expired")
 }
 
+ if impersonate, ok := r.URL.Query()["account"]; ok && len(impersonate) == 1 {
+ if user.AccountID != impersonate[0] {
+ return r, fmt.Errorf("token is not valid for this account")
+ }
+ }
+
 err = m.authManager.MarkPATUsed(ctx, pat.ID)
 if err != nil {
 return r, err
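Review bot: A request that repeats the `account` query parameter (`?account=x&account=y`) skips the new guard entirely, because `ok && len(impersonate) == 1` is false and execution falls through to MarkPATUsed exactly as if no account had been named; whether a later handler still honors that parameter is not visible in this hunk, but an authorization check like this should fail closed. Move the length test inside the block so any malformed use is rejected: `if impersonate, ok := r.URL.Query()["account"]; ok {` / `if len(impersonate) != 1 || user.AccountID != impersonate[0] {`. A short comment above the block would also help the next reader, e.g. `// a PAT is scoped to its user's account; an explicit account parameter is only accepted when it names that same account`. checkPATFromRequest starts and ends outside this hunk.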