diff --git a/programs/cardinal-token-manager/src/errors.rs b/programs/cardinal-token-manager/src/errors.rs
index 540c7877a..00d6ba42d 100644
--- a/programs/cardinal-token-manager/src/errors.rs
+++ b/programs/cardinal-token-manager/src/errors.rs
@@ -74,4 +74,6 @@ pub enum ErrorCode {
     InvalidMintAuthority,
     #[msg("Invalid Permissioned Reward Address")]
     InvalidPermissionedRewardAddress,
+    #[msg("No CPI allowed for the instruction")]
+    NoCPIAllowed,
 }
diff --git a/programs/cardinal-token-manager/src/instructions/permissioned/send.rs b/programs/cardinal-token-manager/src/instructions/permissioned/send.rs
index 55f68a9b3..5103f152d 100644
--- a/programs/cardinal-token-manager/src/instructions/permissioned/send.rs
+++ b/programs/cardinal-token-manager/src/instructions/permissioned/send.rs
@@ -52,10 +52,17 @@ pub struct SendCtx<'info> {
 
 pub fn handler(ctx: Context<SendCtx>) -> Result<()> {
     let instructions_account_info = ctx.accounts.instructions.to_account_info();
-    let current_ix = load_current_index_checked(&instructions_account_info).expect("Error computing current index");
-    if current_ix != 0_u16 {
+    // check instruction is first
+    let current_ix_index = load_current_index_checked(&instructions_account_info).expect("Error computing current index");
+    if current_ix_index != 0_u16 {
         return Err(error!(ErrorCode::InstructionsDisallowed));
     }
+    // check no cpi
+    let current_ix = get_instruction_relative(0, &instructions_account_info);
+    if current_ix.is_ok() && current_ix?.program_id != *ctx.program_id {
+        return Err(error!(ErrorCode::NoCPIAllowed));
+    }
+    // check no next instruction
     let next_ix = get_instruction_relative(1, &instructions_account_info);
     if next_ix.is_ok() {
         return Err(error!(ErrorCode::InstructionsDisallowed));
diff --git a/src/idl/cardinal_token_manager.ts b/src/idl/cardinal_token_manager.ts
index fd26e19e7..c0789a686 100644
--- a/src/idl/cardinal_token_manager.ts
+++ b/src/idl/cardinal_token_manager.ts
@@ -1230,6 +1230,11 @@ export type CardinalTokenManager = {
       code: 6035;
       name: "InvalidPermissionedRewardAddress";
       msg: "Invalid Permissioned Reward Address";
+    },
+    {
+      code: 6036;
+      name: "NoCPIAllowed";
+      msg: "No CPI allowed for the instruction";
     }
   ];
 };
@@ -2467,5 +2472,10 @@ export const IDL: CardinalTokenManager = {
       name: "InvalidPermissionedRewardAddress",
       msg: "Invalid Permissioned Reward Address",
     },
+    {
+      code: 6036,
+      name: "NoCPIAllowed",
+      msg: "No CPI allowed for the instruction",
+    },
   ],
 };