diff --git a/internal/oauth/token.go b/internal/oauth/token.go
index 4da8fee..dc8f6fb 100644
--- a/internal/oauth/token.go
+++ b/internal/oauth/token.go
@@ -76,6 +76,12 @@ func (h *OAuthHandler) tokenEndpoint(w http.ResponseWriter, r *http.Request) {
 return
 }
+ var roles = []string{"user"}
+
+ if user.IsAdmin {
+ roles = append(roles, "admin")
+ }
+
 claims := types.ApiClaims{
 Email: user.Email,
 // TODO:
@@ -83,7 +89,7 @@ func (h *OAuthHandler) tokenEndpoint(w http.ResponseWriter, r *http.Request) {
 Name: user.FullName,
 Picture: user.ProfilePicture,
 Nonce: nonce,
- Roles: []string{"user", "admin"},
+ Roles: roles,
 RegisteredClaims: jwt.RegisteredClaims{
 Issuer: h.cfg.Jwt.Issuer,
 // TODO: use dedicated API id that is in local DB and bind to user there
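Review bot: The `roles` slice built in the first hunk is a snapshot of `user.IsAdmin` at signing time, so a token keeps its `admin` claim until it expires even if the flag is cleared afterwards. How `user` is loaded and the token lifetime are both outside the hunk, so it is worth confirming that the record is read fresh on this path (including any refresh flow) and that the lifetime is short enough for a revocation to matter. I would state the contract next to the code, e.g. `// roles reflect user.IsAdmin at issuance; a revoked admin keeps the claim until the token expires`. As a style point, `roles := []string{"user"}` is the idiomatic form of the `var` declaration, and the two role strings would be safer as named constants shared with whatever checks the claim.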
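Review bot: Tokens signed before the change to `Roles: roles,` in the second hunk carry `"admin"` for every user, and nothing in the visible diff invalidates them, so they presumably stay accepted until they expire. The rollout should include rotating the signing key or rejecting tokens issued before the deploy, and the period in which the old build was live is worth reviewing for admin-only calls made by accounts without the flag. A regression test asserting that a non-admin user's token contains only `user` would stop the hard-coded list from returning. A short comment above the field would record the intent: `// Roles must be derived from the user record, never hard-coded`. The body of tokenEndpoint begins and ends outside both hunks.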