diff --git a/internal/api/auth/validators.go b/internal/api/auth/validators.go
index fa5b02889..83d7bea5b 100644
--- a/internal/api/auth/validators.go
+++ b/internal/api/auth/validators.go
@@ -23,6 +23,17 @@ const (
 const userQuery = `select count(*) from "user" u left join application_user au on u.id = au.user_id left join application a on au.application_id = a.id left join node n on a.id = n.application_id`
+// ValidateActiveUser validates if the user in the JWT claim is active.
+func ValidateActiveUser() ValidatorFunc {
+ where := [][]string{
+ {"u.username = $1", "u.is_active = true"},
+ }
+
+ return func(db *sqlx.DB, claims *Claims) (bool, error) {
+ return executeQuery(db, userQuery, where, claims.Username)
+ }
+}
+
 // ValidateUsersAccess validates if the client has access to the global users
 // resource.
 func ValidateUsersAccess(flag Flag) ValidatorFunc {
diff --git a/internal/api/user.go b/internal/api/user.go
index 23d4e43a9..688f415ea 100644
--- a/internal/api/user.go
+++ b/internal/api/user.go
@@ -199,6 +199,11 @@ type claims struct {
 }
 func (a *InternalUserAPI) Profile(ctx context.Context, req *pb.ProfileRequest) (*pb.ProfileResponse, error) {
+ if err := a.validator.Validate(ctx,
+ auth.ValidateActiveUser()); err != nil {
+ return nil, grpc.Errorf(codes.Unauthenticated, "authentication failed: %s", err)
+ }
+
 username, err := a.validator.GetUsername(ctx)
 if nil != err {
 return nil, errToRPCError(err)
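Review bot: The doc comment on `ValidateActiveUser` undersells what the check does and what it costs: it returns false both when the user is inactive and when no `"user"` row matches `claims.Username`, and it runs `userQuery`, which left-joins application_user, application and node, so `count(*)` scales with the number of nodes reachable from the user even though only existence matters. The filter itself is parameterized (`u.username = $1`, with `u.is_active = true` as a literal), so there is no injection concern here. If `executeQuery` only needs a query with a `u` alias, a narrower constant such as `select count(*) from "user" u` would do the same job without the join fan-out — worth confirming against `executeQuery`, which is outside the hunk. I would also extend the comment to `// ValidateActiveUser validates that the user named in the JWT claim exists and is active; a database error is returned as-is.`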
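Review bot: The active-user check is enforced only inside `Profile`, so a deactivated user whose JWT is still valid can keep calling every other RPC in this API that does not also pass `auth.ValidateActiveUser()` to `Validate`; if deactivation is meant to revoke access, the check belongs in the validator's common path (or a gRPC interceptor) rather than per handler. Separately, the early return formats the validator error into the client-visible message with `%s`, which would expose database error text from `executeQuery` on a DB failure; prefer logging the error server-side and returning a fixed message, e.g. `return nil, grpc.Errorf(codes.Unauthenticated, "authentication failed")`, unless the surrounding file already follows this pattern deliberately. `Profile` continues past the end of the hunk.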