diff --git a/server/core/middleware.py b/server/core/middleware.py
index 3d3752c5..11d31c6f 100644
--- a/server/core/middleware.py
+++ b/server/core/middleware.py
@@ -1,12 +1,10 @@
-import json
 import re
 
 from django.conf import settings
-from django.http import Http404, HttpResponsePermanentRedirect, HttpResponse
+from django.http import Http404, HttpResponsePermanentRedirect
 from django.shortcuts import redirect
 from django.utils.deprecation import MiddlewareMixin
 
-from core.utils import is_private_api_call_allowed
 
 try:
     from threading import local
@@ -99,12 +97,3 @@ class UserLoggedInCookieMiddleWare(MiddlewareMixin):
             response.delete_cookie(self.cookie_name)
         return response
 
-
-class UserHasLicenseMiddleWare(MiddlewareMixin):
-
-    def process_response(self, request, response):
-        if request.path == '/api/graphql/':
-            if not is_private_api_call_allowed(request.user, request.body):
-                return HttpResponse(json.dumps({'errors': ['no active license']}), status=402)
-
-        return response
diff --git a/server/core/settings.py b/server/core/settings.py
index 9d6fd355..736052d0 100644
--- a/server/core/settings.py
+++ b/server/core/settings.py
@@ -131,7 +131,7 @@ MIDDLEWARE += [
     'core.middleware.ThreadLocalMiddleware',
     'core.middleware.CommonRedirectMiddleware',
     'core.middleware.UserLoggedInCookieMiddleWare',
-    'core.middleware.UserHasLicenseMiddleWare',
+    'users.middleware.UserHasLicenseMiddleWare',
 ]
 
 ROOT_URLCONF = 'core.urls'
diff --git a/server/users/middleware.py b/server/users/middleware.py
new file mode 100644
index 00000000..3131174a
--- /dev/null
+++ b/server/users/middleware.py
@@ -0,0 +1,16 @@
+import json
+
+from django.http import HttpResponse
+from django.utils.deprecation import MiddlewareMixin
+
+from core.utils import is_private_api_call_allowed
+
+
+class UserHasLicenseMiddleWare(MiddlewareMixin):
+
+    def process_response(self, request, response):
+        if request.path == '/api/graphql/':
+            if not is_private_api_call_allowed(request.user, request.body):
+                return HttpResponse(json.dumps({'errors': ['no active license']}), status=402)
+
+        return response