diff --git a/src/backend/src/middleware/configurable_auth.js b/src/backend/src/middleware/configurable_auth.js
index c2e8543184..0bb002c2a6 100644
--- a/src/backend/src/middleware/configurable_auth.js
+++ b/src/backend/src/middleware/configurable_auth.js
@@ -19,6 +19,7 @@ const APIError = require('../api/APIError');
 const config = require('../config');
 const { LegacyTokenError } = require('../services/auth/AuthService');
+const { AccessTokenActorType } = require('../services/auth/Actor');
 const { Context } = require('../util/context');
 const jwt = require('jsonwebtoken');
@@ -163,10 +164,17 @@ const configurable_auth = options => async (req, res, next) => {
 }
 context.set('user', actor.type.user);
 }
+ if ( actor.type instanceof AccessTokenActorType ) {
+ // AccessTokenActorType has no .user; the effective user is the authorizer's user
+ const authorizerUser = actor.type.authorizer?.type?.user;
+ if ( authorizerUser?.suspended ) {
+ throw APIError.create('forbidden');
+ }
+ }
 // === Populate Request ===
 req.actor = actor;
- req.user = actor.type.user;
+ req.user = actor.type.user ?? (actor.type instanceof AccessTokenActorType ? actor.type.authorizer?.type?.user : undefined);
 req.token = token;
 next();
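Review bot: The new suspension check in the AccessTokenActorType branch fails open: when `actor.type.authorizer?.type?.user` resolves to undefined (no authorizer attached, or an authorizer that is itself a token actor and so has no `.user`, if such chains are possible here), `authorizerUser?.suspended` is undefined, nothing is thrown, and the request continues with `req.user` set to undefined rather than being rejected. An access token whose authorizer cannot be resolved should be treated as forbidden, unless there is a legitimate issuer without a user, in which case that case deserves an explicit allow rather than falling through. The same lookup is then repeated in the `req.user` assignment, so computing the effective user once and reusing it both closes the gap and removes the duplicated ternary; the rewrite below keeps `context.set('user', …)` untouched, though it may be worth confirming whether the access-token branch should also set the effective user on the context as the other branch does. The enclosing `configurable_auth` handler starts before the hunk.
```javascript
        // … unchanged: actor resolution and non-token user handling …
        let effectiveUser = actor.type.user;
        if ( actor.type instanceof AccessTokenActorType ) {
            // AccessTokenActorType has no .user; the effective user is the authorizer's user
            effectiveUser = actor.type.authorizer?.type?.user;
            // fail closed: an unresolvable or suspended authorizer must not yield a request with no user
            if ( ! effectiveUser || effectiveUser.suspended ) {
                throw APIError.create('forbidden');
            }
        }

        // === Populate Request ===
        req.actor = actor;
        req.user = effectiveUser;
        // … unchanged: req.token, next() …
```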