diff --git a/admin/src/utils/axios.js b/admin/src/utils/axios.js
index c8e52250..e677dff6 100644
--- a/admin/src/utils/axios.js
+++ b/admin/src/utils/axios.js
@@ -10,6 +10,7 @@ axios.defaults.withCredentials = true
 axios.defaults.headers['X-Requested-With'] = 'XMLHttpRequest'
 axios.defaults.headers['Content-Type'] = 'application/json'
 axios.defaults.headers['Accept'] = 'application/json'
+axios.defaults.headers['Platform'] = 'admin'
 // axios.defaults.headers['Authorization'] = 'Bearer ' + localGet('token')
 
 axios.interceptors.request.use(config => {
diff --git a/app/Http/Kernel.php b/app/Http/Kernel.php
index d8320799..fca7997b 100644
--- a/app/Http/Kernel.php
+++ b/app/Http/Kernel.php
@@ -42,6 +42,7 @@ class Kernel extends HttpKernel
         'api' => [
             'throttle:api',
             \Illuminate\Routing\Middleware\SubstituteBindings::class,
+            \App\Http\Middleware\Platform::class,
         ],
     ];
 
diff --git a/app/Http/Middleware/Permission.php b/app/Http/Middleware/Permission.php
index 9e5f98fa..0b824eb8 100644
--- a/app/Http/Middleware/Permission.php
+++ b/app/Http/Middleware/Permission.php
@@ -20,7 +20,7 @@ class Permission
     {
         /** @var User $user */
         $user = $request->user();
-        if (!$user || !$user->canAccessAdmin()) {
+        if (!$user || (IS_PLATFORM_ADMIN && !$user->canAccessAdmin())) {
             do_log("denied!");
             throw new UnauthorizedException('Unauthorized!');
         }
diff --git a/app/Http/Middleware/Platform.php b/app/Http/Middleware/Platform.php
new file mode 100644
index 00000000..372592f6
--- /dev/null
+++ b/app/Http/Middleware/Platform.php
@@ -0,0 +1,27 @@
+<?php
+
+namespace App\Http\Middleware;
+
+use Closure;
+use Illuminate\Http\Request;
+
+class Platform
+{
+    /**
+     * Handle an incoming request.
+     *
+     * @param  \Illuminate\Http\Request  $request
+     * @param  \Closure  $next
+     * @return mixed
+     */
+    public function handle(Request $request, Closure $next)
+    {
+        if (empty(CURRENT_PLATFORM)) {
+            throw new \InvalidArgumentException("Require platform header.");
+        }
+        if (!in_array(CURRENT_PLATFORM, PLATFORMS)) {
+            throw new \InvalidArgumentException("Invalid platform: " . CURRENT_PLATFORM);
+        }
+        return $next($request);
+    }
+}
diff --git a/include/constants.php b/include/constants.php
index caf3d3cd..ac4d02f1 100644
--- a/include/constants.php
+++ b/include/constants.php
@@ -12,6 +12,14 @@ defined('ROOT_PATH') || define('ROOT_PATH', dirname(__DIR__) . '/');
 defined('CURRENT_SCRIPT') || define('CURRENT_SCRIPT', strstr(basename($_SERVER['SCRIPT_FILENAME']), '.', true));
 defined('IS_ANNOUNCE') || define('IS_ANNOUNCE', CURRENT_SCRIPT == 'announce');
 
+defined('PLATFORM_ADMIN') || define('PLATFORM_ADMIN', 'admin');
+defined('PLATFORM_USER') || define('PLATFORM_USER', 'user');
+defined('PLATFORMS') || define('PLATFORMS', [PLATFORM_ADMIN, PLATFORM_USER]);
+defined('CURRENT_PLATFORM') || define('CURRENT_PLATFORM', $_SERVER['HTTP_PLATFORM'] ?? '');
+defined('IS_PLATFORM_ADMIN') || define('IS_PLATFORM_ADMIN', CURRENT_PLATFORM == PLATFORM_ADMIN);
+defined('IS_PLATFORM_USER') || define('IS_PLATFORM_USER', CURRENT_PLATFORM == PLATFORM_USER);
+
+
 //define the REQUEST_ID
 if (!defined('REQUEST_ID')) {
     if (!empty($_SERVER['HTTP_X_REQUEST_ID'])) {