diff --git a/auth.js b/auth.js
index 906b88e622e7641bec1d5507f9d5b2f4e46de66b..07ed2d7125ee755753ab66ad267a57b75d134ef6 100644
--- a/auth.js
+++ b/auth.js
@@ -20,5 +20,17 @@ module.exports = {
       req.decoded = decoded;
       next();
     });
+  },
+
+  validateAdminLevel: function(requiredLevel) {
+    return function(req, res, next) {
+      // check admin level
+      var userLevel = req.decoded._doc.adminLevel;
+      if (userLevel >= requiredLevel) {
+        next();
+      } else {
+        return res.status(401).send({ success: false, message: 'Invalid authorization' });
+      }
+    }
   }
 }
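Review bot: `validateAdminLevel` dereferences `req.decoded._doc.adminLevel` at L14 with no guard, so a verified token whose payload does not have that shape (the `_doc` key presumably comes from passing the whole mongoose document to `jwt.sign`) makes the middleware throw a TypeError rather than reject cleanly; `var doc = req.decoded && req.decoded._doc;` followed by `var userLevel = doc ? doc.adminLevel : undefined;` keeps the comparison total, and `undefined >= requiredLevel` already evaluates false. Since `validateToken` has already accepted the caller, an insufficient level is an authorization failure, so `res.status(403)` describes it more accurately than the 401 used at L18. The level is read from the signed token rather than looked up, so a demotion only takes effect once the token is replaced; a comment above the check such as `// adminLevel comes from the token payload, not the DB; it stays valid until the token is reissued` would save the next reader from assuming otherwise.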
diff --git a/routes/users.js b/routes/users.js
index 6c6e84ad2786b83617904a4047a911dc0d561504..82ba8cca25265fd3861d6bc525e0be4ce44f7f3b 100644
--- a/routes/users.js
+++ b/routes/users.js
@@ -13,7 +13,7 @@ var router = express.Router();
 router.use('/users', auth.validateToken);
 
 // routes
-router.route('/users').get(function(req, res) {
+router.get('/users', auth.validateAdminLevel(1), function(req, res) {
   // get all users
   User.find(function(err, users) {
     if (err) {
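Review bot: The context line of the next hunk header shows `router.route('/users').post(function(req, res) {` still carrying no `validateAdminLevel`, so any holder of a valid token can create users; if that handler passes the request body through to the model, presumably including `adminLevel`, it undercuts the protection this commit adds to the read, update and delete routes, so confirm whether creation is meant to stay open or should take the same middleware. On style, L32 switches this one route to `router.get('/users', …)` while L41, L50 and L59 keep the `router.route(...).method(...)` form; `router.route('/users').get(auth.validateAdminLevel(1), function(req, res) {` would read consistently with the rest of the file. The GET handler body continues past the end of the hunk.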
@@ -39,7 +39,7 @@ router.route('/users').post(function(req, res) {
   });
 });
 
-router.route('/users/:id').put(function(req, res) {
+router.route('/users/:id').put(auth.validateAdminLevel(1), function(req, res) {
   // get user
   User.findOne({ _id: req.params.id }, function(err, user) {
     if (err) {
@@ -62,7 +62,7 @@ router.route('/users/:id').put(function(req, res) {
   });
 });
 
-router.route('/users/:id').get(function(req, res) {
+router.route('/users/:id').get(auth.validateAdminLevel(1), function(req, res) {
   User.findOne({ _id: req.params.id }, function(err, user) {
     if (err) {
       return res.send(err);
@@ -72,7 +72,7 @@ router.route('/users/:id').get(function(req, res) {
   });
 });
 
-router.route('/users/:id').delete(function(req, res) {
+router.route('/users/:id').delete(auth.validateAdminLevel(1), function(req, res) {
   User.remove({ _id: req.params.id }, function(err) {
     if (err) {
       return res.send(err);
@@ -98,10 +98,17 @@ router.route('/authenticate').post(function(req, res) {
       return res.status(401).send({ success: false, message: 'Invalid credentials' });
     }
 
-    // create authentication token
-    var token = jwt.sign(user, config.secret, {});
+    // validate password
+    user.verifyPassword(req.body.password, function(err, isMatch) {
+      if (err || !isMatch) {
+        return res.status(401).send({ success: false, message: 'Invalid credentials' });
+      }
+
+      // create authentication token
+      var token = jwt.sign(user, config.secret, {});
 
-    return res.send({ success: true, message: 'Authenticated', token: token});
+      return res.send({ success: true, message: 'Authenticated', token: token});
+    });
   });
 });
 
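Review bot: `jwt.sign(user, config.secret, {})` at L76 signs the whole mongoose user document, so the token payload, which is only base64url-encoded and readable by anyone who holds it, carries every stored field, presumably including the password hash that `verifyPassword` just compared against, and the empty options object sets no expiry. If `jwt` is jsonwebtoken, signing a minimal claims object with a bounded lifetime, `var token = jwt.sign({ _id: user._id, username: user.username, adminLevel: user.adminLevel }, config.secret, { expiresIn: '1h' });`, keeps the hash out of the token and limits how long a leaked one stays usable. That change also affects `validateAdminLevel` in auth.js, which currently reads `req.decoded._doc.adminLevel` and would need to read the claim directly. The enclosing `/authenticate` handler and the callback it sits in both begin outside the hunk.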
diff --git a/server.js b/server.js
index 48b16611425e2cb1daefd49301b0d10bf1590900..414935cbe6f1aea338e1c77ec7ffe981507855a6 100644
--- a/server.js
+++ b/server.js
@@ -29,13 +29,3 @@ app.use('/api/v1', users);
 app.listen(config.port, function() {
   console.log('Express server listening on port ' + config.port);
 });
-
-var newUser = User({ username: 'admin', password: 'test' });
-newUser.save(function(err) {
-  if (err) {
-    console.log(err);
-    return;
-  }
-
-  console.log('Created default admin user from config file');
-});