diff --git a/api/server/handlers/user/migrate.go b/api/server/handlers/user/migrate.go
index 4b2a63770e8..21ef4114aa7 100644
--- a/api/server/handlers/user/migrate.go
+++ b/api/server/handlers/user/migrate.go
@@ -5,6 +5,9 @@ import (
 	"fmt"
 	"net/http"
 	"strconv"
+	"strings"
+
+	"github.com/porter-dev/porter/api/types"
 
 	"github.com/porter-dev/porter/internal/models"
 
@@ -41,6 +44,13 @@ func (u *MigrateUsersHandler) ServeHTTP(w http.ResponseWriter, r *http.Request)
 
 	r = r.Clone(ctx)
 
+	user, _ := r.Context().Value(types.UserScope).(*models.User)
+	if !strings.HasSuffix(user.Email, "@porter.run") {
+		err := telemetry.Error(ctx, span, nil, "user is not a porter user")
+		u.HandleAPIError(w, r, apierrors.NewErrForbidden(err))
+		return
+	}
+
 	users, err := u.Repo().User().ListUsers()
 	if err != nil {
 		err := telemetry.Error(ctx, span, nil, "error listing users")
diff --git a/api/server/router/user.go b/api/server/router/user.go
index ea90ba5122f..bd524649729 100644
--- a/api/server/router/user.go
+++ b/api/server/router/user.go
@@ -472,5 +472,30 @@ func getUserRoutes(
 		Router:   r,
 	})
 
+	// Get /api/users/migrate -> user.NewMigrateUsersHandler
+	migrateUsersEndpoint := factory.NewAPIEndpoint(
+		&types.APIRequestMetadata{
+			Verb:   types.APIVerbGet,
+			Method: types.HTTPVerbGet,
+			Path: &types.Path{
+				Parent:       basePath,
+				RelativePath: "/users/migrate",
+			},
+			Scopes: []types.PermissionScope{types.UserScope},
+		},
+	)
+
+	migrateUsersHandler := user.NewMigrateUsersHandler(
+		config,
+		factory.GetDecoderValidator(),
+		factory.GetResultWriter(),
+	)
+
+	routes = append(routes, &router.Route{
+		Endpoint: migrateUsersEndpoint,
+		Handler:  migrateUsersHandler,
+		Router:   r,
+	})
+
 	return routes
 }