diff --git a/src/pages/api/decrypt.js b/src/pages/api/decrypt.js
index bd85185..595f587 100644
--- a/src/pages/api/decrypt.js
+++ b/src/pages/api/decrypt.js
@@ -1,10 +1,18 @@
 import { nip04 } from 'nostr-tools';
+import { getServerSession } from "next-auth/next"
+import { authOptions } from "@/pages/api/auth/[...nextauth]"
 export default async function handler(req, res) {
+ const session = await getServerSession(req, res, authOptions)
+
 if (req.method !== 'POST') {
 return res.status(405).json({ error: 'Method Not Allowed' });
 }
+ if (!session) {
+ return res.status(401).json({ error: 'Unauthorized' });
+ }
+
 const { encryptedContent } = req.body;
 if (!encryptedContent) {
diff --git a/src/pages/api/encrypt.js b/src/pages/api/encrypt.js
index 5645062..1040f39 100644
--- a/src/pages/api/encrypt.js
+++ b/src/pages/api/encrypt.js
@@ -1,10 +1,18 @@
 import { nip04 } from 'nostr-tools';
+import { getServerSession } from "next-auth/next"
+import { authOptions } from "@/pages/api/auth/[...nextauth]"
 export default async function handler(req, res) {
+ const session = await getServerSession(req, res, authOptions)
+
 if (req.method !== 'POST') {
 return res.status(405).json({ error: 'Method Not Allowed' });
 }
+ if (!session || !session.user.role?.admin) {
+ return res.status(401).json({ error: 'Unauthorized' });
+ }
+
 const { content } = req.body;
 if (!content) {
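Review bot: The new `if (!session)` guard in decrypt.js admits every signed-in account, while the matching guard in encrypt.js also requires `session.user.role?.admin`, and nothing visible in this hunk ties `encryptedContent` to the caller. The decryption call and the key it uses lie outside the hunk, so this is inferred: if the handler decrypts with a server-held key, any authenticated user can submit arbitrary ciphertext and receive the plaintext. If that is intended, record it above the guard, e.g. `// Any authenticated user may decrypt; entitlement to the content is enforced elsewhere (confirm where)`. Otherwise add a role or per-resource check at this point.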
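Review bot: In encrypt.js, `!session.user.role?.admin` dereferences `session.user` without a guard, so a session object that lacks `user` would throw and surface as a 500 instead of a clean rejection; `if (!session?.user?.role?.admin)` covers both cases. A signed-in non-admin is also answered with 401, which tells the client to re-authenticate; keeping `if (!session)` for the 401 and adding `if (!session.user?.role?.admin) return res.status(403).json({ error: 'Forbidden' });` lets clients and logs tell a missing session from a denied role. Whether `role` is present on the session depends on the callbacks in `authOptions`, which are not visible here. The handler body continues past the end of the hunk.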