diff --git a/apps/labrinth/src/routes/internal/flows.rs b/apps/labrinth/src/routes/internal/flows.rs
index 49c81fdaa..c6b41ba62 100644
--- a/apps/labrinth/src/routes/internal/flows.rs
+++ b/apps/labrinth/src/routes/internal/flows.rs
@@ -1117,7 +1117,14 @@ pub async fn init(
 }
 
 let user_id = if let Some(token) = info.token {
- let (_, user) = get_user_record_from_bearer_token(
+ // Linking a new auth provider changes how the account can be accessed,
+ // so only first-party session tokens may authorize this flow. OAuth and
+ // PAT tokens can be delegated or stored outside an interactive login.
+ if !token.starts_with("mra_") {
+ return Err(AuthenticationError::InvalidCredentials);
+ }
+
+ let (scopes, user) = get_user_record_from_bearer_token(
 &req,
 Some(&token),
 &**client,
@@ -1128,6 +1135,10 @@ pub async fn init(
 .await?
 .ok_or_else(|| AuthenticationError::InvalidCredentials)?;
 
+ if !scopes.contains(Scopes::USER_AUTH_WRITE) {
+ return Err(AuthenticationError::InvalidCredentials);
+ }
+
 Some(user.id)
 } else {
 None
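Review bot: The `"mra_"` literal on the added `starts_with` line encodes the session-token format in a second place, so a later change to how session tokens are minted elsewhere would silently turn this guard into a blanket reject (or, if a new prefix were also given to PATs, a bypass) rather than fail loudly. Consider a constant shared with the token generator, e.g. `if !token.starts_with(SESSION_TOKEN_PREFIX) {`, or a small `is_session_token(&str)` helper used by both sides, so the type classification lives in one spot. Rejecting with `InvalidCredentials` before the token is looked up is fine and avoids confirming whether a PAT exists. `init` begins before this hunk and continues after it.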
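Review bot: The added `scopes.contains(Scopes::USER_AUTH_WRITE)` check carries no comment explaining why it is still needed after the session-token prefix check earlier in the same function, so a future reader may drop one of the two as redundant. A one-line comment such as `// Defense in depth: a session token is expected to carry USER_AUTH_WRITE, but fail closed if one ever does not.` would record the intent; whether session tokens can be issued with reduced scopes is not visible here and worth confirming. Returning `InvalidCredentials` for a scope shortfall also makes the failure indistinguishable from a bad token in logs; if `AuthenticationError` already has a more specific variant it would aid debugging without telling the caller anything more than it already learns. `init` continues past this hunk.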