diff --git a/server.ts b/server.ts
index 30dc31b..e05fbea 100644
--- a/server.ts
+++ b/server.ts
@@ -1,5 +1,6 @@
 import { Application, Router } from "@oak/oak";
 import { deleteNote, getNotes, getNotesByDid } from "./src/data/db.ts";
+import { authenticateRequest } from "./src/auth/verify.ts";
 
 const router = new Router();
 
@@ -20,8 +21,23 @@ router.get("/:did/notes", (ctx) => {
   ctx.response.body = getNotesByDid(did, cursor, limit);
 });
 
-router.delete("/:did/:rkey", (ctx) => {
+router.delete("/:did/:rkey", async (ctx) => {
   const { did, rkey } = ctx.params;
+  let verifiedDid: string;
+  try {
+    verifiedDid = await authenticateRequest(
+      ctx.request.headers.get("Authorization"),
+    );
+  } catch {
+    ctx.response.status = 401;
+    ctx.response.body = { error: "Unauthorized" };
+    return;
+  }
+  if (verifiedDid !== did) {
+    ctx.response.status = 403;
+    ctx.response.body = { error: "You can only delete your own notes" };
+    return;
+  }
   deleteNote({ did, rkey });
   ctx.response.status = 204;
 })
diff --git a/src/auth/verify.ts b/src/auth/verify.ts
new file mode 100644
index 0000000..e06af05
--- /dev/null
+++ b/src/auth/verify.ts
@@ -0,0 +1,49 @@
+interface JwtPayload {
+  sub: string;
+  [key: string]: unknown;
+}
+
+interface DidDocument {
+  service?: { id: string; serviceEndpoint: string }[];
+}
+
+function decodeJwtPayload(token: string): JwtPayload {
+  const parts = token.split(".");
+  if (parts.length !== 3) throw new Error("Invalid JWT format");
+  const payload = parts[1].replace(/-/g, "+").replace(/_/g, "/");
+  return JSON.parse(atob(payload));
+}
+
+async function resolvePds(did: string): Promise<string> {
+  const res = await fetch(`https://plc.directory/${did}`);
+  if (!res.ok) throw new Error(`Failed to resolve DID: ${res.status}`);
+  const doc: DidDocument = await res.json();
+  const pds = doc.service?.find((s) => s.id === "#atproto_pds");
+  if (!pds) throw new Error("No PDS service found in DID document");
+  return pds.serviceEndpoint;
+}
+
+async function verifySession(
+  pdsUrl: string,
+  token: string,
+): Promise<string> {
+  const res = await fetch(
+    `${pdsUrl}/xrpc/com.atproto.server.getSession`,
+    { headers: { Authorization: `Bearer ${token}` } },
+  );
+  if (!res.ok) throw new Error(`Session verification failed: ${res.status}`);
+  const session: { did: string } = await res.json();
+  return session.did;
+}
+
+export async function authenticateRequest(
+  authHeader: string | null,
+): Promise<string> {
+  if (!authHeader?.startsWith("Bearer ")) {
+    throw new Error("Missing or invalid Authorization header");
+  }
+  const token = authHeader.slice(7);
+  const { sub } = decodeJwtPayload(token);
+  const pdsUrl = await resolvePds(sub);
+  return await verifySession(pdsUrl, token);
+}