diff --git a/server.py b/server.py index 04b77b6..67d64aa 100644 --- a/server.py +++ b/server.py @@ -1309,17 +1309,30 @@ async def get_me(user: User = Depends(get_required_user)): } +class VerifyRequest(BaseModel): + l1_server: str # URL of the L1 server requesting verification + + @app.post("/auth/verify") -async def verify_auth(credentials: HTTPAuthorizationCredentials = Depends(security)): - """Verify a token and return username. Used by L1 server.""" +async def verify_auth( + request: VerifyRequest, + credentials: HTTPAuthorizationCredentials = Depends(security) +): + """Verify a token and return username. Only authorized L1 servers can call this.""" if not credentials: raise HTTPException(401, "No token provided") + # Check L1 is authorized + l1_normalized = request.l1_server.rstrip("/") + authorized = any(l1_normalized == s.rstrip("/") for s in L1_SERVERS) + if not authorized: + raise HTTPException(403, f"L1 server not authorized: {request.l1_server}") + username = verify_token(credentials.credentials) if not username: raise HTTPException(401, "Invalid token") - return {"username": username, "valid": True} + return {"username": username, "valid": True, "l1_server": request.l1_server} @app.get("/.well-known/webfinger")
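Review bot: The new authorization gate in verify_auth trusts a value the caller supplies — `request.l1_server` comes from the request body, so any client can send a string matching an entry in L1_SERVERS and clear the 403 check; the allow-list comparison validates the claimed origin, not the actual caller. If the intent is to restrict this endpoint to known L1 servers, the check needs a credential only the L1 server holds (a per-server secret compared with `hmac.compare_digest`, mTLS, or a signed request), with `l1_server` derived from or bound to that credential rather than read from the body. Until that exists, the docstring should not claim "Only authorized L1 servers can call this"; I would add `# NOTE: l1_server is self-asserted by the caller; this only checks the value against L1_SERVERS and does not authenticate the L1 server.` above the check. The 403 message also reflects the unvalidated `request.l1_server` string back to the caller; a fixed message, `raise HTTPException(403, "L1 server not authorized")`, avoids echoing arbitrary input into responses and logs.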