diff --git a/handlers.go b/handlers.go
index 82565ec..5ad4c18 100644
--- a/handlers.go
+++ b/handlers.go
@@ -28,12 +28,13 @@ func NewHandler(oauth2Config *oauth2.Config, session SessionStorer, verifier *oi
 }
 
 type UserClaims struct {
-	Email    string `json:"email"`
-	Verified bool   `json:"email_verified"`
-	Name     string `json:"given_name"`
-	Username string `json:"cognito:username"`
-	Picture  string `json:"picture"`
-	Sub      string `json:"sub"`
+	Email    string   `json:"email"`
+	Verified bool     `json:"email_verified"`
+	Name     string   `json:"given_name"`
+	Username string   `json:"cognito:username"`
+	Picture  string   `json:"picture"`
+	Sub      string   `json:"sub"`
+	Groups   []string `json:"cognito:groups"`
 }
 
 func generateState() (string, error) {
diff --git a/middleware.go b/middleware.go
index f50c9e0..d792090 100644
--- a/middleware.go
+++ b/middleware.go
@@ -85,6 +85,31 @@ func (m *Middleware) ProtectedRouteWithRedirect(next http.Handler) http.Handler
 	})
 }
 
+// IsAdmin Checks if admin group is present
+func IsAdmin(groups []string) bool {
+	for _, group := range groups {
+		if group == "admin" {
+			return true
+		}
+	}
+	return false
+}
+
+// AdminProtectedRoute Checks if user is member of admin group, if not return forbidden
+func (m *Middleware) AdminProtectedRoute(next http.Handler) http.Handler {
+	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		userOptional := r.Context().Value(userContextKey)
+		if userOptional != nil {
+			user := userOptional.(UserClaims)
+			if IsAdmin(user.Groups) {
+				next.ServeHTTP(w, r)
+			}
+		}
+
+		http.Error(w, "Forbidden", http.StatusForbidden)
+	})
+}
+
 func GetUserFromContext(r *http.Request) *UserClaims {
 	userOptional := r.Context().Value(userContextKey)
 	if userOptional != nil {
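Review bot: AdminProtectedRoute in the middleware.go hunk falls through to http.Error after the admin branch, because nothing returns once next.ServeHTTP(w, r) has run, so an authorized request gets "Forbidden" appended to the handler's output (or a 403 if the handler had not written anything yet) along with a superfluous WriteHeader warning; add `return` immediately after `next.ServeHTTP(w, r)`. The unchecked assertion `user := userOptional.(UserClaims)` panics if the context value is of another type; use `user, ok := userOptional.(UserClaims)` and treat `!ok` like a missing user so the request is denied instead of crashing the handler. IsAdmin also hard-codes the group name, which a package-level `const adminGroup = "admin"` referenced from the comparison would keep in one place. GetUserFromContext at the end of the hunk continues outside it.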