diff --git a/app/controllers/api/v1/users_controller.rb b/app/controllers/api/v1/users_controller.rb
index be01669f4..0a87bf43e 100644
--- a/app/controllers/api/v1/users_controller.rb
+++ b/app/controllers/api/v1/users_controller.rb
@@ -2,6 +2,7 @@ class Api::V1::UsersController < Api::V1::BaseController
 before_action :ensure_write_scope
+ before_action :ensure_admin, only: :reset
 def reset
 FamilyResetJob.perform_later(Current.family)
@@ -24,4 +25,11 @@ class Api::V1::UsersController < Api::V1::BaseController
 def ensure_write_scope
 authorize_scope!(:write)
 end
+
+ def ensure_admin
+ return true if current_resource_owner&.admin?
+
+ render_json({ error: "forbidden", message: I18n.t("users.reset.unauthorized") }, status: :forbidden)
+ false
+ end
 end
diff --git a/test/controllers/api/v1/users_controller_test.rb b/test/controllers/api/v1/users_controller_test.rb
index 9ea8b89cb..9a8be9d85 100644
--- a/test/controllers/api/v1/users_controller_test.rb
+++ b/test/controllers/api/v1/users_controller_test.rb
@@ -50,6 +50,24 @@ class Api::V1::UsersControllerTest < ActionDispatch::IntegrationTest
 # -- Reset -----------------------------------------------------------------
+
+ test "reset requires admin role" do
+ non_admin_api_key = ApiKey.create!(
+ user: users(:family_member),
+ name: "Member Read-Write Key",
+ scopes: [ "read_write" ],
+ display_key: "test_member_#{SecureRandom.hex(8)}"
+ )
+
+ assert_no_enqueued_jobs only: FamilyResetJob do
+ delete "/api/v1/users/reset", headers: api_headers(non_admin_api_key)
+ end
+
+ assert_response :forbidden
+ body = JSON.parse(response.body)
+ assert_equal "You are not authorized to perform this action", body["message"]
+ end
+
 test "reset enqueues FamilyResetJob and returns 200" do
 assert_enqueued_with(job: FamilyResetJob) do
 delete "/api/v1/users/reset", headers: api_headers(@api_key)
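Review bot: The `return true` and trailing `false` in `ensure_admin` are dead weight that misstate where the safeguard lives: in Rails 5+ a before_action's return value is ignored and the chain halts only because `render_json` marks the response as performed, so a reader who later replaces the render with logging would silently lose the block. Drop both values, `return if current_resource_owner&.admin?` followed by the unchanged `render_json(...)` call, which still fails closed when there is no resource owner. The check is keyed to the key owner's `admin?` while `reset` (outside this hunk) acts on `Current.family`; that is correct only if the owner is always a member of `Current.family` and `admin?` is a per-family role rather than a global flag, which this diff does not show, so worth confirming. The `users.reset.unauthorized` key is not added here; if it is missing the API will answer with a "translation missing" message, which the new test catches only as long as it keeps asserting the literal English text. A one-line comment above the method would also help, e.g. `# Halts the filter chain by rendering 403; the return value is not what stops the action.`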
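Review bot: The new test pins only `body["message"]`, so the `error` field the controller emits is not part of the contract; add `assert_equal "forbidden", body["error"]` alongside it, and guard the fixture assumption with something like `refute users(:family_member).admin?` (if the resource owner is the `User`) so the test fails loudly if that fixture is ever promoted instead of passing for a different reason. The only negative case is a non-admin holding a read_write key; the controller's `&.` also covers a request with no resource owner at all, which nothing here exercises — add a case for it if `ApiKey` can be created without a user, which this diff does not show. The `reset enqueues FamilyResetJob and returns 200` test at the end of the hunk continues outside it.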