diff --git a/interfaces/innerkits/client/client_socket.cpp b/interfaces/innerkits/client/client_socket.cpp
index d9ec6a1ea242e05d593ca259d25a1ad0e069b874..7884a4d3b40393d08f9cac70722ee1d5fd6463ec 100644
--- a/interfaces/innerkits/client/client_socket.cpp
+++ b/interfaces/innerkits/client/client_socket.cpp
@@ -32,6 +32,11 @@ int ClientSocket::CreateClient()
         APPSPAWN_CHECK(socketFd_ >= 0, return socketFd_, "Client: Create socket failed");
     }
 
+    int opt = 1;
+    int ret = setsockopt(socketFd_, SOL_SOCKET, SO_PASSCRED, &opt, sizeof(opt));
+    if (ret < 0) {
+        APPSPAWN_LOGE("Client: setsockopt failed!");
+    }
     APPSPAWN_LOGV("Client: CreateClient socket fd %d", socketFd_);
     return 0;
 }
diff --git a/standard/appspawn_service.c b/standard/appspawn_service.c
index ec8c666b5cc8d6781a4bba91f4a18933f4e9a6e3..f0e2643c9efc24c3a625f358bebea59d4ed6557b 100644
--- a/standard/appspawn_service.c
+++ b/standard/appspawn_service.c
@@ -19,12 +19,14 @@
 
 #include <fcntl.h>
 #include <sys/signalfd.h>
+#include <sys/socket.h>
 #include <sys/stat.h>
 #include <sys/wait.h>
 #include <unistd.h>
 
 #include "init_hashmap.h"
 #include "init_socket.h"
+#include "init_utils.h"
 #include "parameter.h"
 #include "securec.h"
 
@@ -423,6 +425,18 @@ APPSPAWN_STATIC int OnConnection(const LoopHandle loopHandle, const TaskHandle s
     AppSpawnClientExt *client = (AppSpawnClientExt *)LE_GetUserData(stream);
     APPSPAWN_CHECK(client != NULL, return -1, "Failed to alloc stream");
 
+    struct ucred cred = {-1, -1, -1};
+    socklen_t credSize  = sizeof(struct ucred);
+    if (getsockopt(LE_GetSocketFd(stream), SOL_SOCKET, SO_PEERCRED, &cred, &credSize) < 0) {
+        APPSPAWN_LOGE("get cred failed!");
+        return -1;
+    }
+
+    if (cred.uid != DecodeUid("foundation")) {
+        APPSPAWN_LOGE("OnConnection client fd %d is nerverallow!", LE_GetSocketFd(stream));
+        return -1;
+    }
+
     client->stream = stream;
     client->client.id = ++clientId;
     client->client.flags = 0;