diff --git a/synapse/api/constants.py b/synapse/api/constants.py
index 28f8285da9..c39268f607 100644
--- a/synapse/api/constants.py
+++ b/synapse/api/constants.py
@@ -57,7 +57,7 @@ class JoinRules:
 class LoginType:
 PASSWORD = "m.login.password"
- APPSERVICE = "uk.half-shot.unstable.login.appservice"
+ APPSERVICE = "uk.half-shot.msc2778.login.application_service"
 EMAIL_IDENTITY = "m.login.email.identity"
 MSISDN = "m.login.msisdn"
 RECAPTCHA = "m.login.recaptcha"
diff --git a/synapse/rest/client/v1/login.py b/synapse/rest/client/v1/login.py
index 7db7ce3197..d3ed8c83d0 100644
--- a/synapse/rest/client/v1/login.py
+++ b/synapse/rest/client/v1/login.py
@@ -240,7 +240,12 @@ class LoginRestServlet(RestServlet):
 else:
 qualified_user_id = UserID(identifier["user"], self.hs.hostname).to_string()
- if login_submission["type"] == LoginType.APPSERVICE and appservice is not None:
+ if login_submission["type"] == LoginType.APPSERVICE:
+ if appservice is None or not appservice.is_interested_in_user(
+ qualified_user_id
+ ):
+ raise LoginError(403, "Invalid access_token", errcode=Codes.FORBIDDEN)
+
 result = await self._complete_login(qualified_user_id, login_submission)
 return result
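Review bot: The new guard in the login.py hunk authorises an application-service login purely on `appservice.is_interested_in_user(qualified_user_id)`, and as far as I know that helper also accepts non-exclusive namespace matches, so a service registered with a broad user regex could be handed a full login session for ordinary accounts. If that is intended, record it in a comment above the check, e.g. `# An appservice may log in as any user in its registered namespaces, exclusive or not.`; if it is not, also require the exclusive match, e.g. `or not appservice.is_exclusive_user(qualified_user_id)`. The method starts outside the hunk, so it is not visible whether a fully qualified `identifier["user"]` is confirmed to belong to `self.hs.hostname` before it reaches this test; that is worth checking. Both rejection cases raise the same `Invalid access_token` 403 with no log line, so an attempt to log in as a user outside the namespace leaves nothing for detection; a warning-level log naming the service and the requested user ID would close that gap.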