diff --git a/components/server/src/auth/generic-auth-provider.ts b/components/server/src/auth/generic-auth-provider.ts
index 22cf40dd013108..f6a08dfb7a0ae4 100644
--- a/components/server/src/auth/generic-auth-provider.ts
+++ b/components/server/src/auth/generic-auth-provider.ts
@@ -37,6 +37,7 @@ import { SignInJWT } from "./jwt";
 import { UserService } from "../user/user-service";
 import { reportLoginCompleted } from "../prometheus-metrics";
 import { TrustedValue } from "@gitpod/gitpod-protocol/lib/util/scrubbing";
+import { isUserSignupBlockedBySunset } from "../util/featureflags";
 
 /**
  * This is a generic implementation of OAuth2-based AuthProvider.
@@ -431,6 +432,13 @@ export abstract class GenericAuthProvider implements AuthProvider {
             };
 
             if (VerifyResult.WithIdentity.is(flowContext)) {
+                // Check if signup is blocked by Classic PAYG sunset
+                if (await isUserSignupBlockedBySunset("anonymous", this.config.isDedicatedInstallation)) {
+                    log.info(context, `(${strategyName}) Signup blocked by Classic PAYG sunset`, logPayload);
+                    response.redirect(302, "https://app.ona.com/login");
+                    return;
+                }
+
                 log.info(context, `(${strategyName}) Creating new user and completing login.`, logPayload);
                 // There is no current session, we need to create a new user because this
                 // identity does not yet exist.
diff --git a/components/server/src/util/featureflags.ts b/components/server/src/util/featureflags.ts
index 67df69bd1e6682..80837abc367039 100644
--- a/components/server/src/util/featureflags.ts
+++ b/components/server/src/util/featureflags.ts
@@ -85,3 +85,19 @@ export async function isUserLoginBlockedBySunset(user: User, isDedicatedInstalla
     // Installation-owned users (no organizationId) are blocked
     return true;
 }
+
+export async function isUserSignupBlockedBySunset(userId: string, isDedicatedInstallation: boolean): Promise<boolean> {
+    // Dedicated installations are never blocked
+    if (isDedicatedInstallation) {
+        return false;
+    }
+
+    const config = await getClassicPaygSunsetConfig(userId);
+
+    if (!config.enabled) {
+        return false;
+    }
+
+    // New users don't have roles/permissions or organizations yet, so we block all signups
+    return true;
+}