diff --git a/lib/phoenix_api_template_web/auth/error_response.ex b/lib/phoenix_api_template_web/auth/error_response.ex
index cdf0f7f..847c0e3 100644
--- a/lib/phoenix_api_template_web/auth/error_response.ex
+++ b/lib/phoenix_api_template_web/auth/error_response.ex
@@ -1,3 +1,7 @@
 defmodule PhoenixApiTemplateWeb.Auth.ErrorResponse.Unauthorized do
   defexception message: "Unauthorized", plug_status: 401
 end
+
+defmodule PhoenixApiTemplateWeb.Auth.ErrorResponse.Forbidden do
+  defexception message: "Forbidden", plug_status: 403
+end
diff --git a/lib/phoenix_api_template_web/controllers/user_controller.ex b/lib/phoenix_api_template_web/controllers/user_controller.ex
index 5a76095..9e6552e 100644
--- a/lib/phoenix_api_template_web/controllers/user_controller.ex
+++ b/lib/phoenix_api_template_web/controllers/user_controller.ex
@@ -1,6 +1,7 @@
 defmodule PhoenixApiTemplateWeb.UserController do
   use PhoenixApiTemplateWeb, :controller
 
+  alias PhoenixApiTemplateWeb.Auth.ErrorResponse
   alias PhoenixApiTemplateWeb.Auth.ErrorResponse.Unauthorized
   alias PhoenixApiTemplateWeb.Auth.Guardian
   alias PhoenixApiTemplate.Accounts
@@ -8,8 +9,21 @@ defmodule PhoenixApiTemplateWeb.UserController do
   alias PhoenixApiTemplate.Profiles
   alias PhoenixApiTemplate.Profiles.Profile
 
+  plug :is_authorized_user when action in [:update, :delete]
+
   action_fallback(PhoenixApiTemplateWeb.FallbackController)
 
+  defp is_authorized_user(conn, _options) do
+    %{params: %{"id" => id}} = conn
+    user = Accounts.get_user!(id)
+
+    if conn.assigns.user.id == user.id do
+      conn
+    else
+      raise ErrorResponse.Forbidden
+    end
+  end
+
   def index(conn, _params) do
     users = Accounts.list_users()
     render(conn, "index.json", users: users)
diff --git a/lib/phoenix_api_template_web/router.ex b/lib/phoenix_api_template_web/router.ex
index dba4bd6..4477da4 100644
--- a/lib/phoenix_api_template_web/router.ex
+++ b/lib/phoenix_api_template_web/router.ex
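Review bot: `is_authorized_user/2` fetches the target row with `Accounts.get_user!/1` before it checks ownership, so an unknown `id` raises straight out of the plug (it lands in the router's generic `handle_errors/2`) and any authenticated caller can distinguish "id does not exist" from "exists but not yours" — the ownership check needs no database round trip: `if conn.assigns.user.id == id, do: conn, else: raise ErrorResponse.Forbidden` (assuming ids are UUID strings, as the test request in this commit suggests; cast first otherwise), leaving the lookup to `update`/`delete`. The plug also presumes `conn.assigns.user` was populated by the `:auth` pipeline; a route outside that pipeline would fail here with a `KeyError` rather than a 401. Style: the `is_` prefix is reserved for guards in Elixir, so `authorize_user` is the conventional name, and private plug functions normally sit below the public actions. `:delete` is guarded but no delete route is added elsewhere in this diff; the controller module continues outside the hunk.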
@@ -2,18 +2,26 @@ defmodule PhoenixApiTemplateWeb.Router do
   use PhoenixApiTemplateWeb, :router
   use Plug.ErrorHandler
 
-  defp handle_errors(conn, %{reason: %Phoenix.Router.NoRouteError{message: message}}) do
+  def handle_errors(conn, %{reason: %Phoenix.Router.NoRouteError{message: message}}) do
     conn
     |> json(%{errors: message})
     |> halt()
   end
 
-  defp handle_errors(conn, %{reason: %{message: message}}) do
+  def handle_errors(conn, %{reason: %{message: message}}) do
     conn
     |> json(%{errors: message})
     |> halt()
   end
 
+  def handle_errors(conn, error) do
+    IO.inspect(error)
+
+    conn
+    |> json(%{errors: "unknown error"})
+    |> halt()
+  end
+
   pipeline :api do
     plug(:accepts, ["json"])
     plug :fetch_session
@@ -36,5 +44,6 @@ defmodule PhoenixApiTemplateWeb.Router do
     pipe_through([:api, :auth])
 
     get "/users/by_id/:id", UserController, :show
+    put "/users/:id", UserController, :update
   end
 end
diff --git a/test_requests/update_user.http b/test_requests/update_user.http
new file mode 100644
index 0000000..be0471f
--- /dev/null
+++ b/test_requests/update_user.http
@@ -0,0 +1,9 @@
+PUT http://localhost:4000/api/users/eae6f03c-6276-48e3-b6df-0797b2f8cb99 HTTP/1.1
+content-type: application/json
+Authorization: Bearer eyJhbGciOiJIUzUxMiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiJwaG9lbml4X2FwaV90ZW1wbGF0ZSIsImV4cCI6MTY3OTE1Njk5NiwiaWF0IjoxNjc2NzM3Nzk2LCJpc3MiOiJwaG9lbml4X2FwaV90ZW1wbGF0ZSIsImp0aSI6Ijk0ZjJlOGQ5LTJkZmYtNDM4Zi1hY2Y4LWZiMzAwODJmZDU2YiIsIm5iZiI6MTY3NjczNzc5NSwic3ViIjoiZWFlNmYwM2MtNjI3Ni00OGUzLWI2ZGYtMDc5N2IyZjhjYjk5IiwidHlwIjoiYWNjZXNzIn0.32jNDsUQZemN6V_sR8xZtmlQp1kECPEcS63yCR655HlyWYsaNYCF3t4Wi37to6lmYUuE8QUD0qI3BHkqhroScQ
+
+{
+  "user": {
+    "password": "safe"
+  }
+}
\ No newline at end of file
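Review bot: The new catch-all `handle_errors/2` clause dumps the whole error term with `IO.inspect(error)`, which writes to stdout outside the logging pipeline and can include the stack and request contents; use `require Logger` plus `Logger.error("unhandled error: #{inspect(error)}")`, or drop it, since I believe `Plug.ErrorHandler` re-raises after `handle_errors/2` returns and the crash is logged anyway. Now that these clauses are public implementations of the `Plug.ErrorHandler` callback, put `@impl true` before the first clause. The `%{reason: %{message: message}}` clause still returns the raw exception message of any error to the client — for an `Ecto.NoResultsError` out of `Accounts.get_user!/1` that text includes the query — so a fixed message per status would be safer. The module continues outside the hunk.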
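Review bot: The new `put "/users/:id"` route uses a different path shape from the `get "/users/by_id/:id"` `show` route one line above it, so clients end up with two URL forms for the same resource; settle on one scheme. The controller plug added in this commit also guards `:delete`, but no `delete "/users/:id"` mapping is added here, and partial updates usually get a `patch` mapping alongside `put`. The enclosing `scope` block starts outside the hunk.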
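Review bot: The `Authorization` header commits a live bearer JWT (its payload decodes to `iss`/`aud` `phoenix_api_template`, `typ` `access`, `sub` equal to the id in the request URL) into the repository; even a dev-only access token is a usable credential until its `exp`, and once pushed it stays in git history. Replace it with a placeholder such as `Authorization: Bearer {{token}}` filled from an untracked environment file, and rotate the Guardian signing secret if this token was minted against one that is shared. The file also ends without a trailing newline.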