diff --git a/server/cmd/main.go b/server/cmd/main.go
index ff9dd9b..695ce55 100644
--- a/server/cmd/main.go
+++ b/server/cmd/main.go
@@ -124,7 +124,7 @@ func ensureSchema(opts Opts) error {
 	}
 	rows, err := db.Query("select version from meta")
 	if err == nil {
-		//defer rows.Close()
+		defer rows.Close()
 		rows.Next()
 		var version string
 		err = rows.Scan(&version)
@@ -206,8 +206,33 @@ func setupAPI(opts Opts) {
 
 		opts.Logf("got %s %s", a.TargetUser, a.TargetHash)
 
-		// TODO
-		result := false
+		db := opts.DB
+
+		serverErr := func(err error) {
+			opts.Logf("check_auth error: %s", err.Error())
+			http.Error(w, "database error", 500)
+		}
+
+		stmt, err := db.Prepare("select auth_hash from users where user_name = ?")
+		if err != nil {
+			serverErr(err)
+			return
+		}
+		defer stmt.Close()
+
+		var authHash string
+		err = stmt.QueryRow(a.TargetUser).Scan(&authHash)
+		if err != nil {
+			// TODO check if there were just no results and return 404
+			serverErr(err)
+			return
+		}
+
+		// TODO unique constraint on user_name
+
+		if authHash != a.TargetHash {
+			// TODO 403 probably
+		}
 
 		w.WriteHeader(http.StatusOK)
 		w.Header().Set("Content-Type", "application/json")
diff --git a/server/cmd/schema.sql b/server/cmd/schema.sql
index b93a2a2..7499342 100644
--- a/server/cmd/schema.sql
+++ b/server/cmd/schema.sql
@@ -15,6 +15,8 @@ create table users (
   created real      -- floating point unix timestamp (when this user registered)
 );
 
+-- TODO unique constraint on user_name?
+
 
 create table threads (
   thread_id text,   -- uuid string