diff --git a/upub/core/src/config.rs b/upub/core/src/config.rs
index c51477b..7a38f98 100644
--- a/upub/core/src/config.rs
+++ b/upub/core/src/config.rs
@@ -136,6 +136,12 @@ pub struct RejectConfig {
 #[serde(default)]
 pub delivery: Vec,
+
+ #[serde(default)]
+ pub fetch: Vec,
+
+ #[serde(default)]
+ pub access: Vec,
 }
 impl Config {
diff --git a/upub/routes/src/auth.rs b/upub/routes/src/auth.rs
index fbff387..1136cad 100644
--- a/upub/routes/src/auth.rs
+++ b/upub/routes/src/auth.rs
@@ -150,10 +150,16 @@ where
 return Err(ApiError::unauthorized());
 }
- let internal = upub::model::instance::Entity::domain_to_internal(&user.domain, ctx.db())
- .await?
- .ok_or_else(ApiError::internal_server_error)?; // user but not their domain???
- identity = Identity::Remote { user: user.id, domain: user.domain, internal };
+ if ctx.cfg().reject.fetch.contains(&user.domain) {
+ return Err(ApiError::Status(axum::http::StatusCode::UNAVAILABLE_FOR_LEGAL_REASONS));
+ }
+
+ if !ctx.cfg().reject.access.contains(&user.domain) {
+ let internal = upub::model::instance::Entity::domain_to_internal(&user.domain, ctx.db())
+ .await?
+ .ok_or_else(ApiError::internal_server_error)?; // user but not their domain???
+ identity = Identity::Remote { user: user.id, domain: user.domain, internal };
+ }
 },
 }
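Review bot: The new `fetch` and `access` fields in `RejectConfig` have no doc comments, and their names alone do not tell an operator how the two lists differ. Going by the auth.rs change in this same commit, I would add `/// domains whose signed requests are refused outright (HTTP 451)` above `fetch` and `/// domains whose signed requests are handled without a Remote identity` above `access`. It is also worth stating there that entries are compared as exact strings and, as far as the visible auth.rs hunk shows, that the lists are only consulted once a remote user has been resolved. The struct begins above this hunk, so the wording should follow whatever style the existing fields use.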
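Review bot: `ctx.cfg().reject.fetch.contains(&user.domain)` and the matching `reject.access` test compare whole strings case-sensitively, so a listed `example.org` (constructed example) would not cover `Example.org` or `sub.example.org` unless both the config values and `user.domain` are normalised somewhere outside this hunk. If they are not, `ctx.cfg().reject.fetch.iter().any(|d| d.eq_ignore_ascii_case(&user.domain))` closes the case gap, and whether subdomains should match deserves an explicit decision. Separately, the `access` branch leaves `identity` at whatever value it had before this block and records nothing. A comment such as `// domain is in reject.access: keep the previous identity, do not promote to Remote`, plus a log line on both rejection paths, would let operators see the policy firing. The enclosing function starts and ends outside the hunk, so the value `identity` falls back to is not visible here.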