diff --git a/ee/lib/api/internal/ai/x_ray/scan.rb b/ee/lib/api/internal/ai/x_ray/scan.rb
index 8ce125f451282639d3481a723e6e49adfdf2b022..0ebc356a248f40361e576478383d25ee92a831de 100644
--- a/ee/lib/api/internal/ai/x_ray/scan.rb
+++ b/ee/lib/api/internal/ai/x_ray/scan.rb
@@ -48,6 +48,7 @@ def code_suggestions_add_on?
                 ::GitlabSubscriptions::AddOnPurchase
                   .for_code_suggestions
                   .by_namespace_id(current_namespace.id)
+                  .active
                   .any?
               else
                 current_namespace.namespace_settings.code_suggestions?
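Review bot: The `.active` filter added to the purchase lookup is now the only thing keeping a lapsed Code Suggestions add-on from authorizing an X-Ray scan, yet nothing at the call site says so and the scope's definition is outside this diff. I would add a comment above the chain, such as `# Access check: only active (non-expired) purchases grant access; do not drop .active.`, so a later refactor does not remove the filter as redundant. The spec in this commit exercises only the `:active` and `:expired` factory traits; if `active` is date-based, a case for a purchase on its boundary date would pin the intended behaviour, which is worth confirming against the scope. `code_suggestions_add_on?` begins and ends outside the hunk, so the condition that selects this branch over the `namespace_settings.code_suggestions?` fallback is not visible here.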
diff --git a/ee/spec/requests/api/internal/ai/x_ray/scan_spec.rb b/ee/spec/requests/api/internal/ai/x_ray/scan_spec.rb
index 77e8a171ec3c1e91b8f8dcbbac14bb90ecde4682..a2b71d657473c69f6eb6fccd5e0d21258145848b 100644
--- a/ee/spec/requests/api/internal/ai/x_ray/scan_spec.rb
+++ b/ee/spec/requests/api/internal/ai/x_ray/scan_spec.rb
@@ -259,7 +259,7 @@
     end
 
     context 'when on SaaS instance', :saas do
-      before_all { create(:gitlab_subscription_add_on_purchase, namespace: namespace) }
+      let_it_be(:code_suggestion_add_on) { create(:gitlab_subscription_add_on, :code_suggestions) }
 
       let(:gitlab_realm) { "saas" }
       let(:namespace_workhorse_headers) do
@@ -268,6 +268,15 @@
         }
       end
 
+      before_all do
+        create(
+          :gitlab_subscription_add_on_purchase,
+          :active,
+          add_on: code_suggestion_add_on,
+          namespace: namespace
+        )
+      end
+
       before do
         allow_next_instance_of(::CloudConnector::AccessService) do |instance|
           allow(instance).to receive(:access_token).and_return(ai_gateway_token)
@@ -307,8 +316,36 @@
 
         it_behaves_like 'successful send request via workhorse'
 
+        context 'when add on subscription is expired' do
+          let(:namespace_without_expired_ai_access) { create(:group) }
+          let(:job_without_ai_access) { create(:ci_build, :running, namespace: namespace_without_expired_ai_access) }
+          let(:api_url) { "/internal/jobs/#{job_without_ai_access.id}/x_ray/scan" }
+
+          let(:params) do
+            {
+              token: job_without_ai_access.token,
+              prompt_components: [{ payload: "test" }]
+            }
+          end
+
+          before do
+            create(
+              :gitlab_subscription_add_on_purchase,
+              :expired,
+              add_on: code_suggestion_add_on,
+              namespace: namespace_without_expired_ai_access
+            )
+          end
+
+          it 'returns UNAUTHORIZED status' do
+            post_api
+
+            expect(response).to have_gitlab_http_status(:unauthorized)
+          end
+        end
+
         context 'when job does not have AI access' do
-          let(:namespace_without_ai_access) { create(:namespace_settings, code_suggestions: true).namespace }
+          let(:namespace_without_ai_access) { create(:group) }
           let(:job_without_ai_access) { create(:ci_build, :running, namespace: namespace_without_ai_access) }
           let(:api_url) { "/internal/jobs/#{job_without_ai_access.id}/x_ray/scan" }