diff --git a/api/controllers/web/app.py b/api/controllers/web/app.py
index 6fec23f90c..0bed3897a7 100644
--- a/api/controllers/web/app.py
+++ b/api/controllers/web/app.py
@@ -1,12 +1,11 @@
 
-from flask import request
-from flask_restful import Resource, marshal_with, reqparse  # type: ignore
-
 from controllers.common import fields
 from controllers.common import helpers as controller_helpers
 from controllers.web import api
 from controllers.web.error import AppUnavailableError
 from controllers.web.wraps import WebApiResource
+from flask import request
+from flask_restful import Resource, marshal_with, reqparse  # type: ignore
 from libs.passport import PassportService
 from models.model import App, AppMode
 from services.app_service import AppService
diff --git a/api/controllers/web/error.py b/api/controllers/web/error.py
index 4371e679db..3fe8cdcc79 100644
--- a/api/controllers/web/error.py
+++ b/api/controllers/web/error.py
@@ -7,6 +7,12 @@ class AppUnavailableError(BaseHTTPException):
     code = 400
 
 
+class AppNotPublishedError(BaseHTTPException):
+    error_code = "app_not_published"
+    description = "App not published, please check your app configurations."
+    code = 400
+
+
 class NotCompletionAppError(BaseHTTPException):
     error_code = "not_completion_app"
     description = "Please check if your Completion app mode matches the right API route."
diff --git a/api/controllers/web/wraps.py b/api/controllers/web/wraps.py
index ef4b7872be..a9b82ac8e0 100644
--- a/api/controllers/web/wraps.py
+++ b/api/controllers/web/wraps.py
@@ -1,7 +1,8 @@
 from datetime import UTC, datetime
 from functools import wraps
 
-from controllers.web.error import (WebAppAuthAccessDeniedError,
+from controllers.web.error import (AppNotPublishedError,
+                                   WebAppAuthAccessDeniedError,
                                    WebAppAuthRequiredError)
 from extensions.ext_database import db
 from flask import request
@@ -55,8 +56,8 @@ def decode_jwt_token():
             raise NotFound()
         if not app_code or not site:
             raise BadRequest("Site URL is no longer valid.")
-        if app_model.enable_site is False:
-            raise BadRequest("Site is disabled.")
+        if app_model.enable_site is False or app_model.status != "normal":
+            raise AppNotPublishedError()
         end_user_id = decoded.get("end_user_id")
         end_user = db.session.query(EndUser).filter(EndUser.id == end_user_id).first()
         if not end_user: