diff --git a/lib/browserid/wsapi.js b/lib/browserid/wsapi.js
index 93e2de99d714abab2d992033186d071f8c2c8599..0e94ed046b26e9c2159af0bf6b5f7d6a4535edfb 100644
--- a/lib/browserid/wsapi.js
+++ b/lib/browserid/wsapi.js
@@ -420,16 +420,19 @@ function setup(app) {
   });
 
   app.post('/wsapi/cert_key', checkAuthed, validate(["email", "pubkey"]), function(req, res) {
-    // forward to the keysigner!
-    var keysigner = config.get('keysigner_url');
-    keysigner.path = '/wsapi/cert_key';
-    forward(
-      keysigner, req, res,
-      function(err) {
+    db.emailsBelongToSameAccount(req.session.authenticatedUser, req.body.email, function(sameAccount) {
+      // not same account? big fat error
+      if (!sameAccount) return httputils.badRequest(res, "that email does not belong to you");
+
+      // forward to the keysigner!
+      var keysigner = config.get('keysigner_url');
+      keysigner.path = '/wsapi/cert_key';
+      forward(keysigner, req, res, function(err) {
         if (err) {
           logger.error("error forwarding request:", err);
         }
       });
+    });
   });
 
   app.post('/wsapi/logout', function(req, resp) {
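Review bot: The new rejection branch at `if (!sameAccount)` returns without logging, so an authenticated session that repeatedly asks for a certificate on an address it does not own leaves no trace for detection. I would log it before responding, e.g. `logger.warn("cert_key denied: requested email not owned by user " + req.session.authenticatedUser);`, assuming the logger exposes a warn level alongside the `error` call used further down. The `emailsBelongToSameAccount` callback receives only `sameAccount`, so from this hunk a database failure cannot be told apart from a genuine mismatch; that presumably fails closed, but it is worth confirming in the db layer and stating in the comment. The check also lives only in this front-end handler, so it relies on the keysigner's `/wsapi/cert_key` not being reachable by any other route; a one-line comment recording that assumption would help. `setup()` begins and ends outside the hunk.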