diff --git a/control-plane/src/modules/auth/auth.test.ts b/control-plane/src/modules/auth/auth.test.ts
index 97621eb6..b3a41564 100644
--- a/control-plane/src/modules/auth/auth.test.ts
+++ b/control-plane/src/modules/auth/auth.test.ts
@@ -276,7 +276,7 @@ describe("extractAuthState", () => {
 const result = await extractAuthState("");
 expect(result).toMatchObject({
- entityId: "cluster_1",
+ entityId: "clerk:cluster_1",
 organizationId: "org_1",
 organizationRole: "org:member",
 canAccess: expect.any(Function),
@@ -296,7 +296,7 @@ describe("extractAuthState", () => {
 const result = await extractAuthState("");
 expect(result).toMatchObject({
- entityId: owner.userId,
+ entityId: `clerk:${owner.userId}`,
 organizationId: owner.organizationId,
 organizationRole: "org:member",
 canAccess: expect.any(Function),
@@ -337,7 +337,7 @@ describe("extractAuthState", () => {
 owner1AuthState = await extractAuthState("");
 expect(owner1AuthState).toMatchObject({
- entityId: owner1.userId,
+ entityId: `clerk:${owner1.userId}`,
 organizationId: owner1.organizationId,
 organizationRole: "org:member",
 canAccess: expect.any(Function),
@@ -353,7 +353,7 @@ describe("extractAuthState", () => {
 owner2AuthState = await extractAuthState("");
 expect(owner2AuthState).toMatchObject({
- entityId: owner2.userId,
+ entityId: `clerk:${owner2.userId}`,
 organizationId: owner2.organizationId,
 organizationRole: "org:member",
 canAccess: expect.any(Function),
@@ -426,7 +426,7 @@ describe("extractAuthState", () => {
 const ownerAuthState = await extractAuthState("");
 expect(ownerAuthState).toMatchObject({
- entityId: admin.userId,
+ entityId: `clerk:${admin.userId}`,
 organizationId: admin.organizationId,
 organizationRole: "org:admin",
 canAccess: expect.any(Function),
@@ -464,7 +464,7 @@ describe("extractAuthState", () => {
 const ownerAuthState = await extractAuthState("");
 expect(ownerAuthState).toMatchObject({
- entityId: admin.userId,
+ entityId: `clerk:${admin.userId}`,
 organizationId: admin.organizationId,
 organizationRole: "org:admin",
 canAccess: expect.any(Function),
diff --git a/control-plane/src/modules/workflows/metadata.ts b/control-plane/src/modules/workflows/metadata.ts
index e900f0f5..83897e3f 100644
--- a/control-plane/src/modules/workflows/metadata.ts
+++ b/control-plane/src/modules/workflows/metadata.ts
@@ -6,6 +6,7 @@ export const getRunsByMetadata = async ({
 key,
 value,
 limit = 10,
+ userId,
 configId,
 }: {
 clusterId: string;
@@ -13,6 +14,7 @@ export const getRunsByMetadata = async ({
 value: string;
 limit?: number;
 configId?: string;
+ userId?: string
 }) => {
 return await db
 .select({
@@ -36,6 +38,7 @@ export const getRunsByMetadata = async ({
 eq(workflowMetadata.key, key),
 eq(workflowMetadata.value, value),
 ...(configId ? [eq(workflows.config_id, configId)] : []),
+ ...(userId ? [eq(workflows.user_id, userId)] : []),
 ),
 )
 .rightJoin(workflows, eq(workflowMetadata.workflow_id, workflows.id))
diff --git a/control-plane/src/modules/workflows/router.ts b/control-plane/src/modules/workflows/router.ts
index f7aee09e..b62c716c 100644
--- a/control-plane/src/modules/workflows/router.ts
+++ b/control-plane/src/modules/workflows/router.ts
@@ -2,7 +2,7 @@ import { initServer } from "@ts-rest/fastify";
 import { dereferenceSync } from "dereference-json-schema";
 import { JsonSchemaInput } from "inferable/bin/types";
 import { ulid } from "ulid";
-import { NotFoundError } from "../../utilities/errors";
+import { AuthenticationError, NotFoundError } from "../../utilities/errors";
 import { getBlobsForJobs } from "../blobs";
 import { contract } from "../contract";
 import { getJobReferences } from "../jobs/jobs";
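Review bot: In metadata.ts the new ownership filter `...(userId ? [eq(workflows.user_id, userId)] : [])` (hunk @@ -36,6 +38,7) is dropped for any falsy `userId`, so an empty string produces a query that is not scoped to a user. The router hunks in this commit (@@ -281 and @@ -305 in router.ts) pass this parameter to confine custom-auth callers to their own runs, so the predicate should fail closed: `...(userId !== undefined ? [eq(workflows.user_id, userId)] : []),`. The new field in the parameter type (hunk @@ -13,6 +14,7) would also benefit from a comment such as `// When set, only runs owned by this user are returned`. The body of getRunsByMetadata continues outside these hunks.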
@@ -150,7 +150,7 @@ export const runsRouter = initServer().router(
 configId: runConfig?.id,
- // Customer Auth
+ // Customer Auth context (In the future all auth types should inject context into the run)
 authContext: customAuth?.context,
 context: body.context,
@@ -281,11 +281,17 @@ export const runsRouter = initServer().router(
 },
 listRuns: async request => {
 const { clusterId } = request.params;
- const { userId, test, limit, metadata, configId } = request.query;
+ const { test, limit, metadata, configId } = request.query;
+ let { userId } = request.query;
 const auth = request.request.getAuth();
 await auth.canAccess({ cluster: { clusterId } });
+ // Custom auth can only access their own Runs
+ if (auth.type === "custom") {
+ userId = auth.entityId
+ }
+
 if (metadata) {
 // ?meta=key:value
 const [key, value] = metadata.split(":");
@@ -305,6 +311,7 @@ export const runsRouter = initServer().router(
 value,
 limit,
 configId,
+ userId
 });
 return {
@@ -313,6 +320,7 @@ export const runsRouter = initServer().router(
 };
 }
+
 const result = await getClusterWorkflows({
 clusterId,
 userId,
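Review bot: The custom-auth branch in listRuns (hunk @@ -281,11 +281,17) assigns `auth.entityId` to `userId` without checking that it is non-empty, and it silently replaces whatever `userId` the caller sent. getRunsByMetadata skips its filter for a falsy value, and getClusterWorkflows (not visible here) may do the same, so a guard before the assignment keeps the scoping from disappearing: `if (!auth.entityId) throw new AuthenticationError("Missing entity id for custom auth");`, assuming the `AuthenticationError` imported in this commit takes a message. The test changes in this commit show `entityId` now carrying a provider prefix, so confirm that `workflows.user_id` is written in the same prefixed form; the write path is not visible in these hunks. The listRuns handler continues outside the hunk.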