diff --git a/src/modules/user/user.resolver.ts b/src/modules/user/user.resolver.ts
index 168803d..3e36b53 100644
--- a/src/modules/user/user.resolver.ts
+++ b/src/modules/user/user.resolver.ts
@@ -1,4 +1,4 @@
-import { Arg, Args, Mutation, Query, Resolver, FieldResolver, Root, Ctx } from 'type-graphql';
+import { Arg, Args, Mutation, Query, Resolver, FieldResolver, Root, Ctx, Authorized } from 'type-graphql';
 import { Inject } from 'typedi';
 import { Fields, StandardDeleteResponse, UserId, BaseContext } from 'warthog';
 
@@ -37,6 +37,7 @@ export class UserResolver {
     return ctx.dataLoader.loaders.User.collection.load(user);
   }
 
+  @Authorized('signedIn')
   @Mutation(() => User)
   async createUser(@Arg('data') data: UserCreateInput, @UserId() userId: string): Promise<User> {
     return this.service.create(data, userId);
diff --git a/src/server.ts b/src/server.ts
index 59b80df..e9bacde 100644
--- a/src/server.ts
+++ b/src/server.ts
@@ -1,6 +1,6 @@
 import 'reflect-metadata';
 
-import { BaseContext, Server } from 'warthog';
+import { BaseContext, Server, authChecker } from 'warthog';
 
 import { Logger } from './logger';
 
@@ -15,13 +15,15 @@ interface Context extends BaseContext {
 export function getServer(AppOptions = {}, dbOptions = {}) {
   return new Server<Context>(
     {
+      authChecker,
       // Inject a fake user.  In a real app you'd parse a JWT to add the user
       context: (request: any) => {
         const userId = JSON.stringify(request.headers).length.toString();
 
         return {
           user: {
-            id: `user:${userId}`
+            id: `user:${userId}`,
+            permissions: ['signedIn']
           }
         };
       },