diff --git a/config/migrations.go b/config/migrations.go
index a1f71221..184b04ab 100644
--- a/config/migrations.go
+++ b/config/migrations.go
@@ -12,6 +12,7 @@ type OIDCToStytchConfig struct {
 }

 type EmailMigrationConfig struct {
- Enabled bool `toml:"enabled"`
- IssuerPrefix string `toml:"issuer_prefix"`
+ Enabled bool `toml:"enabled"`
+ IssuerPrefix string `toml:"issuer_prefix"`
+ Projects []uint64 `toml:"projects"`
 }
diff --git a/etc/waas-auth.dev.conf b/etc/waas-auth.dev.conf
index 60f03d8a..a3cd2f84 100644
--- a/etc/waas-auth.dev.conf
+++ b/etc/waas-auth.dev.conf
@@ -62,4 +62,5 @@ QwIDAQAB
 [migrations.oidc_to_email]
 enabled = true
 issuer_prefix = "https://cognito-idp.ca-central-1.amazonaws.com/"
+ projects = [694]
diff --git a/rpc/migration/oidc_to_email.go b/rpc/migration/oidc_to_email.go
index e99962bb..3b406159 100644
--- a/rpc/migration/oidc_to_email.go
+++ b/rpc/migration/oidc_to_email.go
@@ -4,6 +4,7 @@ import (
 "context"
 "errors"
 "fmt"
+ "slices"
 "strings"

 "github.com/0xsequence/waas-authenticator/config"
@@ -28,6 +29,9 @@ func (m *OIDCToEmail) OnRegisterSession(ctx context.Context, originalAccount *da
 if originalAccount.ProjectID != tntData.ProjectID {
 return errors.New("project id does not match")
 }
+ if !slices.Contains(m.config.Projects, originalAccount.ProjectID) {
+ return nil
+ }
 if originalAccount.Identity.Type != proto.IdentityType_OIDC {
 return nil
 }
@@ -79,6 +83,10 @@ func (m *OIDCToEmail) OnRegisterSession(ctx context.Context, originalAccount *da
 }

 func (m *OIDCToEmail) NextBatch(ctx context.Context, projectID uint64, page data.Page) ([]string, data.Page, error) {
+ if !slices.Contains(m.config.Projects, projectID) {
+ return nil, data.Page{}, fmt.Errorf("project id does not match")
+ }
+
 items := make([]string, 0, page.Limit)
 for {
 accounts, page, err := m.accounts.ListByProjectAndIdentity(ctx, page, projectID, proto.IdentityType_OIDC, m.config.IssuerPrefix)
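Review bot: The new `Projects` field carries no doc comment, and its meaning is not obvious from the struct alone: per the other hunks in this commit a project absent from the list is silently skipped by OnRegisterSession and rejected with an error by NextBatch and ProcessItems, so an empty or missing `projects` key disables the migration for every project even when `enabled = true`. That is a reasonable fail-closed default, but it should be stated on the field so an operator copying the config knows why nothing migrates, e.g. `// Projects lists the project IDs enrolled in this migration; an empty list enrolls no project.`.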
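Review bot: The added check returns `nil` for a project that is not in `Projects`, whereas the same condition in NextBatch and ProcessItems is an error and the project-id mismatch two lines above is also an error; a reader cannot tell whether the silent skip is intentional. If it is deliberate — session registration must not fail for projects that are not enrolled — say so on the spot, e.g. `// Not enrolled in this migration: leave the account untouched rather than fail registration.`. OnRegisterSession starts and ends outside this hunk, so I cannot see whether anything logs or counts the skip; a debug log at this return would make a mistyped allowlist visible during rollout instead of showing up only as accounts that never migrate.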
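Review bot: The new error text `project id does not match` is misleading here: nothing is being compared, the project is simply not in `m.config.Projects`, and the same string is already used in OnRegisterSession for a genuine tenant/account mismatch, so logs and callers cannot tell the two conditions apart. The message is also a constant, so `errors.New` (already imported in this file) fits better than `fmt.Errorf`: `return nil, data.Page{}, errors.New("project not enrolled in oidc_to_email migration")`. The ProcessItems hunk has the same message and takes the same fix. Separately, and hedged because the rest of the loop is outside the hunk: `accounts, page, err := ...` on the last context line declares a new `page` inside the loop body, so the right-hand `page` is the unchanged parameter on every iteration; if the loop ever runs more than once it re-fetches the same page, and `go vet -vettool` with the shadow analyzer would flag it.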
@@ -109,6 +117,10 @@ func (m *OIDCToEmail) NextBatch(ctx context.Context, projectID uint64, page data
 }

 func (m *OIDCToEmail) ProcessItems(ctx context.Context, tenant *proto.TenantData, items []string) (*Result, error) {
+ if !slices.Contains(m.config.Projects, tenant.ProjectID) {
+ return nil, fmt.Errorf("project id does not match")
+ }
+
 if len(items) > 100 {
 return nil, fmt.Errorf("can only process 100 items at a time")
 }
diff --git a/rpc/migrations_test.go b/rpc/migrations_test.go
index 263e69c2..738cfe73 100644
--- a/rpc/migrations_test.go
+++ b/rpc/migrations_test.go
@@ -249,10 +249,12 @@ func TestMigrationEmail(t *testing.T) {
 issuer, tok, closeJWKS := issueAccessTokenAndRunJwksServer(t, tokBuilderFn)
 defer closeJWKS()
+ projectID := currentProjectID.Load() + 1
 svc := initRPC(t, func(cfg *config.Config) {
 cfg.Migrations.Email = config.EmailMigrationConfig{
 Enabled: true,
 IssuerPrefix: issuer,
+ Projects: []uint64{projectID},
 }
 })
 tenant, _ := newTenant(t, svc.Enclave, issuer)
@@ -316,6 +318,7 @@ func TestMigrationEmail(t *testing.T) {
 cfg.Migrations.Email = config.EmailMigrationConfig{
 Enabled: true,
 IssuerPrefix: issuer,
+ Projects: []uint64{projectID},
 }
 })
 tenant, _ := newTenant(t, svc.Enclave, issuer)
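Review bot: The allowlist test `!slices.Contains(m.config.Projects, …)` now appears three times in this file (here, in NextBatch and in OnRegisterSession); a one-line method keeps the enrolment policy in one place so a later change to it cannot drift between the three entry points: `func (m *OIDCToEmail) projectEnabled(projectID uint64) bool { return slices.Contains(m.config.Projects, projectID) }`. Note also that the new first line dereferences `tenant` before anything else in the function; whether every caller guarantees a non-nil tenant is not visible here, so confirm this path cannot be reached with `nil`. ProcessItems continues past the end of the hunk.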
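Review bot: Both test hunks (this one and the one at @@ -316) only exercise the positive path — `Projects` always contains the tenant's own ID — so nothing checks the behaviour the commit actually introduces: that an account from a project outside the list is left alone by OnRegisterSession and rejected by NextBatch and ProcessItems. Unless that is covered elsewhere in TestMigrationEmail (the function starts and ends outside the hunk), add a case that configures `Projects` with any ID other than the tenant's and asserts that the session still registers without migration and that NextBatch returns an error. The `projectID := currentProjectID.Load() + 1` prediction also couples the test to newTenant's allocation order and would break if another tenant is created in between; a comment stating that assumption, e.g. `// newTenant below is expected to allocate currentProjectID+1`, at least makes the coupling explicit.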