diff --git a/server.ts b/server.ts
index 7bcae54..bab0941 100644
--- a/server.ts
+++ b/server.ts
@@ -7,6 +7,7 @@ import {
 getNotesByDids,
 type WebhookVerb,
 } from "./src/data/db.ts";
+import { authenticateRequest } from "./src/auth/verify.ts";
 import { log } from "./src/log.ts";
 
 const router = new Router();
@@ -89,6 +90,21 @@ const ALLOWED_VERBS = ["create", "delete", "bulk-create"] as const;
 
 router.post("/:did/webhooks", async (ctx) => {
 const { did } = ctx.params;
+ let verifiedDid: string;
+ try {
+ verifiedDid = await authenticateRequest(
+ ctx.request.headers.get("Authorization"),
+ );
+ } catch {
+ ctx.response.status = 401;
+ ctx.response.body = { error: "Unauthorized" };
+ return;
+ }
+ if (verifiedDid !== did) {
+ ctx.response.status = 403;
+ ctx.response.body = { error: "You can only manage your own webhooks" };
+ return;
+ }
 const body = await ctx.request.body.json();
 const { method, url, token, verb } = body ?? {};
 if (!method || !url) {
@@ -111,8 +127,23 @@ router.post("/:did/webhooks", async (ctx) => {
 ctx.response.body = subscriptions;
 });
 
-router.delete("/:did/webhooks", (ctx) => {
+router.delete("/:did/webhooks", async (ctx) => {
 const { did } = ctx.params;
+ let verifiedDid: string;
+ try {
+ verifiedDid = await authenticateRequest(
+ ctx.request.headers.get("Authorization"),
+ );
+ } catch {
+ ctx.response.status = 401;
+ ctx.response.body = { error: "Unauthorized" };
+ return;
+ }
+ if (verifiedDid !== did) {
+ ctx.response.status = 403;
+ ctx.response.body = { error: "You can only manage your own webhooks" };
+ return;
+ }
 deleteWebhooksByDid(did);
 ctx.response.status = 204;
 });
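Review bot: The fifteen lines from `let verifiedDid: string;` through the 403 `return;` at the top of the POST handler are pasted verbatim into the DELETE handler in the next hunk, so the two copies will drift the first time one is touched; extract them into a helper that writes the 401/403 response itself and start each handler with `if (!(await requireOwnDid(ctx, did))) return;`. While doing so, the 401 branch should set a `WWW-Authenticate` header, which RFC 7235 requires on every 401 — `Bearer` below assumes that is the scheme `authenticateRequest` accepts, adjust if it is not — and the bare `catch` could record the rejection reason through the already-imported `log` (never the header value) so failed authentications are diagnosable. `Context` in the sketch is the router framework's context type and needs an import if the file does not already have one. The POST handler's body continues past the end of the hunk.
```typescript
// Authenticates the caller and checks it owns `did`. Writes the 401/403
// response and returns false when the caller may not act on `did`.
async function requireOwnDid(ctx: Context, did: string): Promise<boolean> {
  let verifiedDid: string;
  try {
    verifiedDid = await authenticateRequest(
      ctx.request.headers.get("Authorization"),
    );
  } catch {
    ctx.response.status = 401;
    ctx.response.headers.set("WWW-Authenticate", "Bearer");
    ctx.response.body = { error: "Unauthorized" };
    return false;
  }
  if (verifiedDid !== did) {
    ctx.response.status = 403;
    ctx.response.body = { error: "You can only manage your own webhooks" };
    return false;
  }
  return true;
}

router.post("/:did/webhooks", async (ctx) => {
  const { did } = ctx.params;
  if (!(await requireOwnDid(ctx, did))) return;
  // … unchanged: body parsing, verb validation and subscription creation …
```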
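Review bot: The bare `catch` in the new DELETE handler turns every throw from `authenticateRequest` into a 401, so if that function can also fail for non-credential reasons — for example while resolving the caller's signing key, which the hunk does not show but is common for DID-based verification — a backend outage is reported to clients as "Unauthorized" and is indistinguishable from a bad token in the logs. If `verify.ts` exposes a distinct error type for rejected credentials, catch only that and let anything else propagate (or map it to a 5xx); otherwise add `// NOTE: any throw from authenticateRequest, not only a bad credential, becomes 401 — confirm verify.ts only throws on rejected credentials` above the catch. The `verifiedDid !== did` check is a byte comparison, so if `authenticateRequest` returns a canonicalised DID while `ctx.params.did` is taken raw from the URL, a legitimate caller whose DID differs only in form would be refused with 403; confirm both sides are canonical, or normalise the path parameter before comparing. The ownership gate runs before `deleteWebhooksByDid(did)`, which is the right order.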