diff --git a/lib/http/server.js b/lib/http/server.js
index b02d642c..9460f211 100644
--- a/lib/http/server.js
+++ b/lib/http/server.js
@@ -160,14 +160,18 @@ HTTPServer.prototype._init = function _init() {
 this.use(function(req, res, send, next) {
 var hash;
- if (this.options.noAuth)
+ if (this.options.noAuth) {
+ req.admin = true;
 return next();
+ }
 hash = hash256(req.password);
 // Regular API key gives access to everything.
- if (crypto.ccmp(hash, this.apiHash))
+ if (crypto.ccmp(hash, this.apiHash)) {
+ req.admin = true;
 return next();
+ }
 // If they're hitting the wallet services,
 // they can use the less powerful API key.
@@ -762,6 +766,9 @@ HTTPServer.prototype._init = function _init() {
 // Get wallet master key
 this.get('/wallet/:id/master', function(req, res, send, next) {
+ if (!req.admin)
+ return send(403, { error: 'Admin access required.' });
+
 send(200, req.wallet.master.toJSON(true));
 });
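Review bot: `req.admin` is only ever assigned `true` in this middleware, so on the wallet-key path that follows (outside the hunk) it stays `undefined`, and the new 403 check relies on nothing earlier in the chain having set it. Initialising it right after `var hash;` with `req.admin = false;` makes the default fail-closed and explicit. The `noAuth` branch now grants admin to every caller, which deserves a comment such as `// noAuth: every request is treated as admin, including master-key reads.` The middleware body continues past the end of the hunk.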
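Review bot: The admin check is written inline in the `/wallet/:id/master` handler only, so any other wallet route that returns key material to a holder of the less powerful key is not covered by this change. Those routes are outside the hunk and should be audited against the same rule, ideally through one shared guard rather than a copy per handler. The guard also needs a comment stating the policy, for example `// Master key export is admin-only; the wallet-level key must not reach it.` Recording refused requests on this route, if the server has a logger in scope, would make repeated 403s visible to operators.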