diff --git a/server/src/middleware/auth.ts b/server/src/middleware/auth.ts
index 82b7b4547d4f7bbc8647f3e0f5172d7662d64c56..3026469e048065cbf4b358cc3772720ce7be7005 100644
--- a/server/src/middleware/auth.ts
+++ b/server/src/middleware/auth.ts
@@ -17,9 +17,13 @@
  */
 import { NextFunction, Request, Response } from 'express'
 import { HttpStatusCode } from 'jami-web-common'
+import { Container } from 'typedi'
 
+import { Accounts } from '../storage/accounts.js'
 import { verifyJwt } from '../utils/jwt.js'
 
+const accounts = Container.get(Accounts)
+
 function createAuthenticationMiddleware(isAuthenticationRequired: boolean) {
   return async (req: Request, res: Response, next: NextFunction) => {
     const authorizationHeader = req.headers.authorization
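Review bot: `const accounts = Container.get(Accounts)` at module scope resolves the store as a side effect of importing this file. The `Accounts` constructor appears to read and parse accounts.json, so that work and any exception it throws now happen at import time, before the app has a chance to handle it. Resolving it inside the factory keeps the import side-effect free and makes the middleware easier to test with a substitute store: move the line to the top of `createAuthenticationMiddleware`, before the `return async (...)`. The function body continues outside this hunk.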
@@ -42,7 +46,14 @@ function createAuthenticationMiddleware(isAuthenticationRequired: boolean) {
 
     try {
       const { payload } = await verifyJwt(token)
-      res.locals.accountId = payload.accountId
+      const accountId = String(payload.accountId)
+      const isValid = accounts.isValidAccountId(accountId)
+      if (!isValid) {
+        res.status(HttpStatusCode.Unauthorized).send('Invalid account ID')
+        return
+      }
+      res.locals.accountId = accountId
+      // si accId
       next()
     } catch (e) {
       res.status(HttpStatusCode.Unauthorized).send('Invalid access token')
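Review bot: `String(payload.accountId)` coerces a missing or non-string claim into text (`'undefined'`, `'[object Object]'`) instead of rejecting the token on its shape. The Set lookup will normally refuse those values, but the decision then rests on the contents of the store rather than on the claim being well formed. Checking the type first is stricter and drops the coercion: `const accountId = payload.accountId` followed by `if (typeof accountId !== 'string' || !accounts.isValidAccountId(accountId)) {`. The leftover `// si accId` comment before `next()` should be removed or replaced with a sentence saying that tokens for removed accounts are refused here. The enclosing function starts and ends outside the hunk.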
diff --git a/server/src/storage/accounts.ts b/server/src/storage/accounts.ts
index fbda83aa2927a60124334d8d544e1d52d01005d1..820ba11f86fa4c84ba799039fc1d686c4d5bbb78 100644
--- a/server/src/storage/accounts.ts
+++ b/server/src/storage/accounts.ts
@@ -46,6 +46,7 @@ const METHODS = ['local', 'jams', 'guest', 'openid']
 export class Accounts {
   private readonly filename = paths.data + '/accounts.json'
   private accounts: AccountsFormat
+  private accountsIds: Set<string>
 
   constructor() {
     let buffer: Buffer
@@ -55,6 +56,21 @@ export class Accounts {
       buffer = Buffer.from('{"local":{},"jams":{}, "guest":{}, "openid":{}}')
     }
     this.accounts = JSON.parse(buffer.toString())
+
+    this.accountsIds = new Set<string>()
+    // add the accountIds to the set
+    for (const accId of Object.keys(this.accounts.guest)) {
+      this.accountsIds.add(accId)
+    }
+    for (const key of Object.keys(this.accounts.jams)) {
+      this.accountsIds.add(this.accounts.jams[key].accountId)
+    }
+    for (const key of Object.keys(this.accounts.local)) {
+      this.accountsIds.add(this.accounts.local[key].accountId)
+    }
+    for (const key of Object.keys(this.accounts.openid)) {
+      this.accountsIds.add(this.accounts.openid[key].accountId)
+    }
   }
 
   get(username: string, authMethod: string = 'local') {
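Review bot: The four loops assume that `guest`, `jams`, `local` and `openid` all exist in the parsed file, but `this.accounts` comes straight from `JSON.parse` with no shape check. An accounts.json that lacks one section (for example one written before a method was added, which is not visible here) makes `Object.keys(...)` throw inside the constructor. An entry without an `accountId` field would also put `undefined` into the set. Guarding each section, e.g. `Object.keys(this.accounts.guest ?? {})`, and skipping entries whose `accountId` is not a string would keep the index consistent with what the middleware later trusts. A short comment saying that guest ids are the map keys while the other methods store the id in `.accountId` would help too. The constructor starts above this hunk.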
@@ -126,6 +142,7 @@ export class Accounts {
         default:
           throw new Error('Invalid auth method')
       }
+      this.accountsIds.add(accountId)
     } catch (e) {
       console.log(e)
     }
@@ -145,6 +162,14 @@ export class Accounts {
       return
     }
 
+    const account = this.accounts[authMethod as keyof AccountsFormat][username.toLowerCase()]
+    if (typeof account !== 'string') {
+      this.accountsIds.delete(account.accountId)
+    } else {
+      // guest removal
+      this.accountsIds.delete(username)
+    }
+
     delete this.accounts[authMethod as keyof AccountsFormat][username.toLowerCase()]
   }
 
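Review bot: The guest branch calls `this.accountsIds.delete(username)`, while both the lookup above it and the `delete` below it use `username.toLowerCase()`. If the two differ in case, the id stays in the set and a token for the removed guest still passes `isValidAccountId`. Use the same key in all three places: `const key = username.toLowerCase()`, then `this.accountsIds.delete(typeof account === 'string' ? key : account.accountId)`. Separately, `account` is `undefined` when no entry exists for that method and name, and `account.accountId` would then throw. The guard that ends just above the hunk is not fully visible, so confirm it covers that case or add `if (account !== undefined)`.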
@@ -164,6 +189,10 @@ export class Accounts {
     return this.accounts.guest
   }
 
+  isValidAccountId(accountId: string) {
+    return this.accountsIds.has(accountId)
+  }
+
   async save(): Promise<void> {
     await writeFile(this.filename, JSON.stringify(this.accounts, null, 2) + '\n')
   }