diff --git a/backend/benefit/users/api/v1/serializers.py b/backend/benefit/users/api/v1/serializers.py
index 28efb82dee..762a115fb7 100644
--- a/backend/benefit/users/api/v1/serializers.py
+++ b/backend/benefit/users/api/v1/serializers.py
@@ -26,6 +26,7 @@ class Meta:
 "terms_of_service_approvals",
 "terms_of_service_approval_needed",
 "terms_of_service_in_effect",
+ "is_staff",
 ]
 read_only_fields = [
 "id",
@@ -34,6 +35,7 @@ class Meta:
 "terms_of_service_approvals",
 "terms_of_service_approval_needed",
 "terms_of_service_in_effect",
+ "is_staff",
 ]
 terms_of_service_in_effect = serializers.SerializerMethodField(
diff --git a/frontend/benefit/handler/src/auth/AuthProvider.tsx b/frontend/benefit/handler/src/auth/AuthProvider.tsx
index 14583505e9..103a2b400b 100644
--- a/frontend/benefit/handler/src/auth/AuthProvider.tsx
+++ b/frontend/benefit/handler/src/auth/AuthProvider.tsx
@@ -5,11 +5,11 @@ import AuthContext from 'shared/auth/AuthContext';
 const AuthProvider = ({
 children,
 }: React.PropsWithChildren

): JSX.Element => { - const userQuery = useUserQuery((user) => Boolean(user)); + const userQuery = useUserQuery((user) => user); return ( ( +const useUserQuery = ( select?: (user: User) => T -): UseQueryResult => { +): UseQueryResult => { const router = useRouter(); const locale = useLocale(); + const noPermissionLogout = useLogout(); + // Don't fetch user state if status is logged out const logout = - (router.route === '/login' || router.route === `${locale}/login`) && + (router.route === ROUTES.LOGIN || + router.route === `${locale}${ROUTES.LOGIN}`) && (router.asPath.includes('logout=true') || router.asPath.includes('userStateError=true')); const { axios, handleResponse } = useBackendAPI(); - const handleError = (error: Error): void => { + const handleError = (error: AxiosError): void => { if (logout) { - void router.push(`${locale}/login?logout=true`); + void router.push(`${locale}${ROUTES.LOGIN}?logout=true`); } else if (/40[13]/.test(error.message)) { - void router.push(`${locale}/login`); + void router.push(`${locale}${ROUTES.LOGIN}`); } else if ( !process.env.NEXT_PUBLIC_MOCK_FLAG || process.env.NEXT_PUBLIC_MOCK_FLAG === '0' ) { - void router.push(`${locale}/login?userStateError=true`); + void router.push(`${locale}${ROUTES.LOGIN}?userStateError=true`); + } + }; + + const checkForStaffStatus = (user: User): void => { + if (user && !user.is_staff) { + void noPermissionLogout(); } }; @@ -41,6 +54,7 @@ const useUserQuery = ( enabled: !logout, retry: false, select, + onSuccess: checkForStaffStatus, onError: (error) => handleError(error), } ); diff --git a/frontend/shared/src/types/user.d.ts b/frontend/shared/src/types/user.d.ts index d72931a874..3b331ada1b 100644 --- a/frontend/shared/src/types/user.d.ts +++ b/frontend/shared/src/types/user.d.ts @@ -5,5 +5,6 @@ type User = { family_name: string; name: string; organization_name?: string; + is_staff?: boolean; }; export default User;
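Review bot: `onSuccess: checkForStaffStatus` in the `@@ -41,6 +54,7 @@` hunk makes the non-staff logout a browser-side convenience only; the handler backend endpoints must still reject non-staff users themselves, since the API can be called without this hook (the view-level permission is not part of this diff — verify it is in place). Assuming react-query v3 semantics, `onSuccess` receives the data after `select` has been applied, so `checkForStaffStatus(user: User)` only sees a `User` when the caller's `select` returns one — the `Boolean(user)` → `user` change in AuthProvider.tsx suggests exactly that coupling, and any other caller passing a non-User `select` would be logged out as non-staff. Running the check on the raw response inside the query function, before `select` is applied, would remove that dependency on each caller's selector. Relatedly, `is_staff?: boolean` in user.d.ts means a response lacking the field is treated as non-staff and triggers the logout; if the serializer now always emits it, `is_staff: boolean` states that contract more honestly. `checkForStaffStatus` and the rest of `useUserQuery` are defined in the preceding hunk, whose file header is not visible here.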