diff --git a/bincio/auth/routers/oidc.py b/bincio/auth/routers/oidc.py
index 7eeb8e9..d74b566 100644
--- a/bincio/auth/routers/oidc.py
+++ b/bincio/auth/routers/oidc.py
@@ -112,6 +112,10 @@ async def authorize(
 status_code=302,
 )
 
+ # Per-client access control
+ if client_id == "gitea" and not user.activity_access:
+ return _err("access_denied", "Gitea access is restricted to activity users")
+
 # Issue authorization code
 code = create_oauth2_code(
 deps._get_db(),
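Review bot: The new `client_id == "gitea"` gate in `authorize` is enforced only when a code is issued, so unless the token and refresh paths (not visible in this hunk) re-check `user.activity_access`, a user whose flag is later cleared could presumably keep renewing Gitea sessions with a refresh token issued earlier. Hard-coding the client id in the handler also makes the policy fail open: a client registered under another id, or a renamed Gitea client, skips the check silently, so it would be safer to store the requirement on the client record and look it up here. At minimum I would add a comment such as `# NOTE: checked at code issuance only; token/refresh handling must re-check activity_access` and log each denial with the user and client id so refused attempts show up in the audit trail. `authorize` starts and ends outside the hunk, so whether `_err` returns the error to an already validated redirect URI together with `state` cannot be confirmed from here.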