diff --git a/server.js b/server.js
index 5758b6c..d3cf42f 100644
--- a/server.js
+++ b/server.js
@@ -155,6 +155,23 @@ app.use('/files', express.static(uploadDir));
 const apiRouter = express.Router();
+apiRouter.use('/admin', async (req, res, next) => {
+ const authHeader = req.headers.authorization;
+ const teamId = authHeader ? authHeader.replace('Bearer mock-token-', '') : null;
+ if (!teamId) return res.status(401).json({ message: 'Unauthorized' });
+
+ try {
+ const team = await dbGet("SELECT isAdmin FROM teams WHERE id = ?", [teamId]);
+ if (team && team.isAdmin === 1) {
+ next();
+ } else {
+ res.status(403).json({ message: 'Forbidden' });
+ }
+ } catch (err) {
+ res.status(500).json({ message: 'Server error' });
+ }
+});
+
 apiRouter.post('/auth/register', (req, res) => {
 const { name, password } = req.body;
 if (!name || !password) return res.status(400).json({ message: 'Missing credentials' });
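Review bot: The new `/admin` guard trusts whatever follows `Bearer mock-token-` as the caller's team id, so anyone who knows or guesses an admin team's id can mint the header themselves; nothing in the hunk verifies that the caller actually owns that team before the `isAdmin` lookup grants access. If the mock token is only meant for local development, gate it behind an environment check and have the production path verify a signed session or token before trusting the id. The prefix handling is also loose, since `replace` leaves a non-matching header untouched and `Bearer foo` is then looked up as the id `Bearer foo`; tighten it with `const prefix = 'Bearer mock-token-';` / `if (!authHeader?.startsWith(prefix)) return res.status(401).json({ message: 'Unauthorized' });` / `const teamId = authHeader.slice(prefix.length);`. Finally, the catch block discards `err` before answering 500, so a failing `dbGet` (defined outside this hunk) leaves no trace in the logs; add `console.error(err);` before the response.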