diff --git a/errors/auth.go b/errors/auth.go
index 2602f55..30fab3f 100644
--- a/errors/auth.go
+++ b/errors/auth.go
@@ -5,4 +5,6 @@ import "errors"
 var (
 	// ErrExpiredToken when expired token.
 	ErrExpiredToken = errors.New("this token has expired")
+	// ErrInvalidToken when the role doesn't match the DB
+	ErrInvalidToken = errors.New("this token needs to be reissued")
 )
diff --git a/handlers/token.go b/handlers/token.go
index 5b4b11f..57fa38b 100644
--- a/handlers/token.go
+++ b/handlers/token.go
@@ -16,19 +16,30 @@ import (
 )
 
 func verifyClaims(claims []byte, r *http.Request) error {
-	// TODO: use helper
 	currentTime := time.Now()
 	var c types.Claims
 	err := json.Unmarshal(claims, &c)
 	if err != nil {
 		return err
 	}
+
 	if currentTime.After(time.Unix(c.Exp, 0)) {
 		return errors.ErrExpiredToken
 	}
+
+	user, err := models.GetUser(c.Sub, "", &c)
+	if err != nil {
+		return err
+	}
+
+	if c.Role != user.Role {
+		return errors.ErrInvalidToken
+	}
+
 	context.Set(r, "claims", c)
 	return nil
 }
+
 func tokenHandler(h http.Handler) http.Handler {
 	token := func(w http.ResponseWriter, r *http.Request) {
 		recorder := httptest.NewRecorder()
@@ -73,16 +84,19 @@ func tokenRefresh(j *jwt.Middleware) errorHandler {
 		if err != nil {
 			return newJSONError(err, http.StatusInternalServerError)
 		}
+
 		user.Password = ""
 		token, err := auth.Middleware.CreateToken(user.Email)
 		if err != nil {
 			return newJSONError(err, http.StatusInternalServerError)
 		}
+
 		data, _ := json.Marshal(struct {
 			Token string `json:"token"`
 		}{
 			Token: token,
 		})
+
 		w.Write(data)
 		return nil
 	}
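Review bot: The doc comment on the new `ErrInvalidToken` describes one trigger ("the role doesn't match the DB") rather than the contract, and the sentinel's name is generic enough that other claim mismatches will plausibly reuse it. Suggest `// ErrInvalidToken is returned when a token's claims no longer match the stored user (for example, its role has changed) and the client must obtain a new token.` The message "this token needs to be reissued" is suitable for a client and discloses nothing about the cause, which is appropriate for an authentication error.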
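Review bot: The error from the new `models.GetUser` lookup in verifyClaims is returned unclassified, so a token whose subject no longer exists fails with whatever the model layer returns rather than an authentication error, and a backend outage is indistinguishable from a bad token. If the caller of verifyClaims serializes errors the way tokenRefresh does via newJSONError, that database error text would also reach the client. Fail closed for a missing user with `return errors.ErrInvalidToken` and wrap anything else so the caller can tell the cases apart, e.g. `return fmt.Errorf("looking up user for token subject: %w", err)`; how GetUser signals not-found is not visible here, so the split has to follow its actual contract. The new lookup runs on every request the token guards and is what lets a role change revoke outstanding tokens, but only Role is compared, so any other state that should invalidate a token (a disabled subject, for instance) is not checked unless GetUser does it. tokenHandler begins at the end of this hunk and continues outside it.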