diff --git a/src/pages/api/room/[id]/action.ts b/src/pages/api/room/[id]/action.ts
index fd88290..acd3126 100644
--- a/src/pages/api/room/[id]/action.ts
+++ b/src/pages/api/room/[id]/action.ts
@@ -1,8 +1,9 @@
 import { getRoom, updateRoom } from '@/db'
+import { getSession } from '@/db/sessions'
 import type { Action } from '@/ggwp'
 import type { APIRoute } from 'astro'
 
-export const POST: APIRoute = async ({ params, request }) => {
+export const POST: APIRoute = async ({ params, request, cookies }) => {
   const { id: roomId } = params
   if (!roomId) {
     return new Response('Invalid room id', { status: 400 })
@@ -13,6 +14,17 @@ export const POST: APIRoute = async ({ params, request }) => {
     return new Response('Room not found', { status: 404 })
   }
 
+  // check auth
+  const sid = cookies.get('sid')
+  if (!sid) {
+    return new Response('Unauthorized', { status: 401 })
+  }
+
+  const sessionRoom = getSession(sid.value)
+  if (sessionRoom !== roomId) {
+    return new Response('Unauthorized', { status: 401 })
+  }
+
   const action = (await request.json()) as Action
   room.actions.push(action)
 
diff --git a/src/pages/api/room/[id]/index.ts b/src/pages/api/room/[id]/index.ts
index ce56951..192beec 100644
--- a/src/pages/api/room/[id]/index.ts
+++ b/src/pages/api/room/[id]/index.ts
@@ -1,6 +1,7 @@
 import { getRoom, updateRoom } from '@/db'
 import { addRoomUpdateListener, removeRoomUpdateListener } from '@/db/events'
 import type { RoomData } from '@/db/model'
+import { getSession } from '@/db/sessions'
 import type { APIRoute } from 'astro'
 
 function sseHandler(roomId: string) {
@@ -54,7 +55,7 @@ export const GET: APIRoute = async ({ params, url }) => {
   })
 }
 
-export const POST: APIRoute = async ({ params, request }) => {
+export const POST: APIRoute = async ({ params, request, cookies }) => {
   const { id: roomId } = params
   if (!roomId) {
     return new Response('Invalid room id', { status: 400 })
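Review bot: In the `@@ -13,6 +14,17 @@` hunk the session check runs after the room lookup, so a caller with no valid `sid` still learns whether a room id exists from the 404-vs-401 split; hoisting the `cookies.get('sid')` / `getSession` block above the `getRoom(roomId)` lookup (i.e. right after the `Invalid room id` return) closes that and skips the lookup for rejected requests. The second branch answers 401 for a session that is valid but bound to a different room; `403` would describe that case more precisely, if no client depends on the current code. The same eleven-line block is added verbatim to the POST in `src/pages/api/room/[id]/index.ts` (its `@@ -65,6 +66,17 @@` hunk), so a shared helper such as `requireRoomSession(cookies, roomId): Response | undefined` next to `getSession` would keep the two checks in step. This assumes `getSession` returns the bound room id as a string, or `undefined` for an unknown sid, which the diff does not show. The POST body continues past the hunk.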
@@ -65,6 +66,17 @@ export const POST: APIRoute = async ({ params, request }) => {
     return new Response('Room not found', { status: 404 })
   }
 
+  // check auth
+  const sid = cookies.get('sid')
+  if (!sid) {
+    return new Response('Unauthorized', { status: 401 })
+  }
+
+  const sessionRoom = getSession(sid.value)
+  if (sessionRoom !== roomId) {
+    return new Response('Unauthorized', { status: 401 })
+  }
+
   const newRoom = (await request.json()) as RoomData
   // @ts-ignore
 
diff --git a/src/pages/api/rooms.ts b/src/pages/api/rooms.ts
index 647afc8..8c05b5c 100644
--- a/src/pages/api/rooms.ts
+++ b/src/pages/api/rooms.ts
@@ -2,7 +2,7 @@
 import { createRoom, getRoom, getRooms } from '@/db'
 import { createSession } from '@/db/sessions'
 import type { APIRoute } from 'astro'
 
-export const POST: APIRoute = async ({ params, request, cookies }) => {
+export const POST: APIRoute = async ({ request, cookies }) => {
   const body = await request.json()
   console.log(body)
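Review bot: The new session check establishes that the caller is bound to `roomId`, but the line right after it still accepts the payload wholesale: `(await request.json()) as RoomData` is a compile-time cast only, and the `// @ts-ignore` beneath it suppresses whatever the next, unseen statement does with `newRoom`. Because this POST replaces room state with client-supplied data, a runtime shape check before the value is used is worth adding, at minimum `if (typeof newRoom !== 'object' || newRoom === null) { return new Response('Bad request', { status: 400 }) }`, and the `@ts-ignore` deserves a one-line comment stating what it is working around so it is not read as covering the cast. A malformed body also makes `request.json()` reject, which surfaces as an unhandled 500 rather than a 400. The enclosing POST starts before the hunk and its body continues past it.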