diff --git a/include/ircd/m/resource.h b/include/ircd/m/resource.h
index 7e7c0bc27..d01240992 100644
--- a/include/ircd/m/resource.h
+++ b/include/ircd/m/resource.h
@@ -66,6 +66,9 @@ enum ircd::m::resource::method::flag
 /// Method will verify X-Matrix-authorization. This is used on the
 /// federation API.
 VERIFY_ORIGIN = 0x0002'0000,
+
+ /// Method requires operator access. This is used on the client-server API.
+ REQUIRES_OPER = 0x0004'0000,
 };
 
 struct ircd::m::resource::request
diff --git a/matrix/resource.cc b/matrix/resource.cc
index bad7ddb36..84fa418de 100644
--- a/matrix/resource.cc
+++ b/matrix/resource.cc
@@ -342,10 +342,16 @@ ircd::m::authenticate_user(const resource::method &method,
 const client &client,
 resource::request &request)
 {
+ static const auto auth_requires
+ {0
+ | resource::method::REQUIRES_AUTH
+ | resource::method::REQUIRES_OPER
+ };
+
 assert(method.opts);
 const auto requires_auth
 {
- method.opts->flags & resource::method::REQUIRES_AUTH
+ method.opts->flags & auth_requires
 };
 
 if(!requires_auth && !request.access_token)
@@ -397,6 +403,14 @@ ircd::m::authenticate_user(const resource::method &method,
 "Credentials for this method are required but invalid."
 };
 
+ // Operator access required for method.
+ if(method.opts->flags & resource::method::REQUIRES_OPER)
+ if(!is_oper(m::user::id(sender)))
+ throw m::ACCESS_DENIED
+ {
+ "You are not an operator."
+ };
+
 return sender;
 }
 
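Review bot: The doc comment on `REQUIRES_OPER` in include/ircd/m/resource.h does not say that the flag also forces authentication, which is what the new mask in matrix/resource.cc makes it do. A handler author reading only the header cannot tell whether `REQUIRES_AUTH` must be set alongside it. I would extend the comment to `/// Method requires operator access; implies REQUIRES_AUTH. This is used on the client-server API.` The enum body begins outside the hunk.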
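Review bot: In the first matrix/resource.cc hunk, `auth_requires` and `requires_auth` differ only in word order, which is easy to transpose when reading or editing an authentication path. Renaming the mask to something like `auth_flag_mask` would keep the constant and the per-request result visibly distinct. A one-line comment above it, such as `// Either flag demands a valid access token.`, would record why the two flags are combined. authenticate_user continues past the end of this hunk.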
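Review bot: The operator gate at the end of authenticate_user is written as two nested brace-less `if`s, so a later `else` or an added statement would bind to the inner test and could change who gets through. A single condition reads unambiguously: `if((method.opts->flags & resource::method::REQUIRES_OPER) && !is_oper(m::user::id(sender)))`. The check also relies on `sender` already being a validated user id, which appears to hold only because the mask in the earlier hunk makes REQUIRES_OPER demand credentials; a comment stating that dependency would help. If nothing upstream logs `m::ACCESS_DENIED`, logging the denied sender here would give operators a signal when admin methods are being probed. The function begins outside the hunk.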