diff --git a/packages/server/src/api/client.ts b/packages/server/src/api/client.ts
index 01d04a2..e637264 100644
--- a/packages/server/src/api/client.ts
+++ b/packages/server/src/api/client.ts
@@ -174,6 +174,30 @@ app.get("/callback", RateLimiter.HIGH, async (req, res) => {
 const [username, hostname] = whoami.sub.split("@");
+ const whitelistedInstances = [
+ "cannibal.cafe",
+ "cottoncandy.cafe",
+ "eepy.express",
+ "imouto.exposed",
+ "mapsupport.de",
+ "my.thoughtcrimes.top",
+ "nnia.space",
+ "oddballs.online",
+ "rape.pet",
+ "tummy.town",
+ ];
+
+ if (!whitelistedInstances.includes(hostname)) {
+ res.redirect(
+ "/" +
+ buildQuery({
+ TYPE: "banned",
+ ERROR_DESC: "instance not whitelisted",
+ })
+ );
+ return;
+ }
+
 const instance = await Instance.fromAuth(
 hostname,
 whoami.instance.instance
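Review bot: The allowlist gate compares `hostname` by exact, case-sensitive match, and `hostname` is simply the second segment of `whoami.sub.split("@")` on the context line above, so the check is only as strict as that parsing. A subject containing more than one `@`, or a host in different case, would be evaluated as something other than the canonical host; whether `whoami.sub` can take such a form depends on the identity provider, which this hunk does not show. I would reject a `sub` that does not split into exactly two parts and compare `hostname.toLowerCase()` against a module-level `const ALLOWED_INSTANCES = new Set([...])` (or a list loaded from configuration), rather than an array literal rebuilt on every request inside the handler. The rejection also reuses `TYPE: "banned"`, which makes an unlisted instance indistinguishable from a banned one in logs and in the UI. The `/callback` handler starts above and continues past this hunk, so any other path that reaches `Instance.fromAuth` cannot be checked from here.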