diff --git a/README.md b/README.md
index 2595e90..739f984 100644
--- a/README.md
+++ b/README.md
@@ -1,6 +1,6 @@
 # backend-store
 
-Single Badger store to serve bite, transcription and any others. Is kinda bite-centric, so required values revolve around a Bite. Receives stores through [NATS](https://nats.io) while data is retrieved via a http api.
+Single Badger store to serve bite, transcription and any others. Is kinda bite-centric, so required values revolve around a Bite. Receives stores through [NATS](https://nats.io) while data is retrieved via a http api. Checks `backend-permissions` for permissions to access the store.
 
 **Relies on being behind a traefik instance forwarding auth to backend-auth for authentication**
 
@@ -76,6 +76,7 @@ All numbers are Unix epoch timestamps. `starts` goes on for as long as it needs
 | Code | Description |
 | ---- | ----------- |
 | 400 | From/to are not unix epoch/Error marshalling key from params. |
+| 401 | `permissions` denied permission for user to access this store. |
 | 500 | Error scanning badger store. |
 
 ---
@@ -105,4 +106,5 @@ Raw data of the bite.
 | Code | Description |
 | ---- | ----------- |
 | 400 | Error marshalling key from params/`start` was not a valid Epoch timestamp. |
+| 401 | `permissions` denied permission for user to access this store. |
 | 500 | Error retrieving bite from store. |
diff --git a/main.go b/main.go
index 737129e..9256195 100644
--- a/main.go
+++ b/main.go
@@ -1,6 +1,7 @@
 package main
 
 import (
+  "context"
   "encoding/json"
   "log"
   "net/http"
@@ -19,6 +20,7 @@ import (
 var listen string
 var dbPath string
 var natsHost string
+var permissionsHost string
 
 var db *badger.DB
 var nc *nats.Conn
@@ -32,6 +34,7 @@ func main() {
   dbPath = os.Getenv("DBPATH")
   natsHost = os.Getenv("NATS")
   listen = os.Getenv("LISTEN")
+  permissionsHost = os.Getenv("PERMISSIONS_HOST")
 
   // Open badger
 	log.Printf("starting badger at %s", dbPath)
@@ -54,14 +57,53 @@ func main() {
 
   // Routes
   router := httprouter.New()
-  router.GET("/:type/:key/scan", ScanStore)
-  router.GET("/:type/:key/start/:start", GetStore)
+  router.GET("/:type/:key/scan", AuthMiddleware(PermissionMiddleware(ScanStore)))
+  router.GET("/:type/:key/start/:start", AuthMiddleware(PermissionMiddleware(GetStore)))
 
   // Start server
   log.Printf("starting server on %s", listen)
   log.Fatal(http.ListenAndServe(listen, router))
 }
 
+type RawClient struct {
+  UserId   string `json:"userid"`
+  ClientId string `json:"clientid"`
+}
+func AuthMiddleware(next httprouter.Handle) httprouter.Handle {
+  return func (w http.ResponseWriter, r *http.Request, p httprouter.Params) {
+    ua := r.Header.Get("X-User-Claim")
+    if ua == "" {
+      http.Error(w, http.StatusText(http.StatusBadRequest), http.StatusBadRequest)
+      return
+    }
+
+    var client RawClient
+    err := json.Unmarshal([]byte(ua), &client)
+    if err != nil {
+      http.Error(w, http.StatusText(http.StatusBadRequest), http.StatusBadRequest)
+      return
+    }
+
+    context := context.WithValue(r.Context(), "user", client.UserId)
+    next(w, r.WithContext(context), p)
+  }
+}
+
+func PermissionMiddleware(next httprouter.Handle) httprouter.Handle {
+  return func (w http.ResponseWriter, r *http.Request, p httprouter.Params) {
+    userID := r.Context().Value("user").(string)
+    conversationID := p.ByName("key")
+
+    response, err := http.Get(permissionsHost + "/user/" + userID + "/conversation/" + conversationID)
+    if err != nil {
+      http.Error(w, http.StatusText(http.StatusUnauthorized), http.StatusUnauthorized)
+      return
+    }
+    response.Body.Close()
+    next(w, r, p)
+  }
+}
+
 func NewStore(m *nats.Msg) {
   storeRequest := Store{}
   if err := proto.Unmarshal(m.Data, &storeRequest); err != nil {