diff --git a/.env.example b/.env.example
index 9d80167..03b5b40 100644
--- a/.env.example
+++ b/.env.example
@@ -21,3 +21,6 @@ AUTH_DISCORD_SECRET=""
 
 # Drizzle
 DATABASE_URL="postgresql://postgres:password@localhost:5432/ls"
+
+# Comma separated list of emails allowed to use the app
+PERMITTED_USERS=me@example.com,you@example.com
\ No newline at end of file
diff --git a/src/env.js b/src/env.js
index bf52369..308c0cb 100644
--- a/src/env.js
+++ b/src/env.js
@@ -17,6 +17,7 @@ export const env = createEnv({
     NODE_ENV: z
       .enum(["development", "test", "production"])
       .default("development"),
+    PERMITTED_USERS: z.string(),
   },
 
   /**
@@ -38,6 +39,7 @@ export const env = createEnv({
     AUTH_GOOGLE_SECRET: process.env.AUTH_GOOGLE_SECRET,
     DATABASE_URL: process.env.DATABASE_URL,
     NODE_ENV: process.env.NODE_ENV,
+    PERMITTED_USERS: process.env.PERMITTED_USERS,
   },
   /**
    * Run `build` or `dev` with `SKIP_ENV_VALIDATION` to skip env validation. This is especially
diff --git a/src/server/auth/config.ts b/src/server/auth/config.ts
index 03a4c0a..67dadc2 100644
--- a/src/server/auth/config.ts
+++ b/src/server/auth/config.ts
@@ -1,6 +1,7 @@
 import { DrizzleAdapter } from "@auth/drizzle-adapter";
 import { type DefaultSession, type NextAuthConfig } from "next-auth";
 import Google from "next-auth/providers/google";
+import { env } from "~/env";
 
 import { db } from "~/server/db";
 import {
@@ -56,6 +57,8 @@ export const authConfig = {
     verificationTokensTable: verificationTokens,
   }),
   callbacks: {
+    signIn: ({ user }) =>
+      !!user?.email && env.PERMITTED_USERS.includes(user.email),
     session: ({ session, user }) => ({
       ...session,
       user: {