diff --git a/tests/Unit/Auth/Middleware/AdminMiddlewareTest.php b/tests/Unit/Auth/Middleware/AdminMiddlewareTest.php
new file mode 100644
index 0000000..7ff5d88
--- /dev/null
+++ b/tests/Unit/Auth/Middleware/AdminMiddlewareTest.php
@@ -0,0 +1,118 @@
+middleware = new AdminMiddleware();
+ }
+
+ private function makeApiRequest(?User $user): ServerRequestInterface
+ {
+ $request = new ServerRequestFactory()
+ ->createServerRequest('POST', 'http://localhost/api/texts');
+ if ($user !== null) {
+ $request = $request->withAttribute('user', $user);
+ }
+ return $request;
+ }
+
+ private function makeHtmlRequest(?User $user): ServerRequestInterface
+ {
+ $request = new ServerRequestFactory()
+ ->createServerRequest('GET', 'http://localhost/admin')
+ ->withHeader('Accept', 'text/html');
+ if ($user !== null) {
+ $request = $request->withAttribute('user', $user);
+ }
+ return $request;
+ }
+
+ private function makeHandler(): RequestHandlerInterface
+ {
+ return new class() implements RequestHandlerInterface {
+ public bool $wasCalled = false;
+
+ public function handle(
+ ServerRequestInterface $request
+ ): \Psr\Http\Message\ResponseInterface {
+ $this->wasCalled = true;
+ return new Response(200);
+ }
+ };
+ }
+
+ private function makeUser(bool $isAdmin): User
+ {
+ return new User(
+ id: 1,
+ email: new EmailAddress('test@test.com'),
+ passwordHash: '',
+ isAdmin: $isAdmin,
+ );
+ }
+
+ public function test_passes_through_when_user_is_admin(): void
+ {
+ $handler = $this->makeHandler();
+
+ $response = $this->middleware->process(
+ $this->makeApiRequest($this->makeUser(isAdmin: true)),
+ $handler,
+ );
+
+ $this->assertTrue($handler->wasCalled);
+ $this->assertEquals(200, $response->getStatusCode());
+ }
+
+ public function test_returns_403_json_when_user_not_admin_for_api(): void
+ {
+ $response = $this->middleware->process(
+ $this->makeApiRequest($this->makeUser(isAdmin: false)),
+ $this->makeHandler(),
+ );
+
+ $this->assertEquals(403, $response->getStatusCode());
+ $this->assertStringContainsString(
+ 'application/json',
+ $response->getHeaderLine('Content-Type')
+ );
+ }
+
+ public function test_returns_403_html_when_user_not_admin_for_view(): void
+ {
+ $response = $this->middleware->process(
+ $this->makeHtmlRequest($this->makeUser(isAdmin: false)),
+ $this->makeHandler(),
+ );
+
+ $this->assertEquals(403, $response->getStatusCode());
+ $this->assertStringContainsString(
+ '403 Forbidden',
+ (string) $response->getBody()
+ );
+ }
+
+ public function test_returns_403_when_no_user_attribute(): void
+ {
+ $response = $this->middleware->process(
+ $this->makeApiRequest(null),
+ $this->makeHandler(),
+ );
+
+ $this->assertEquals(403, $response->getStatusCode());
+ }
+}
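Review bot: None of the three 403 tests assert that the wrapped handler was not invoked — each passes a fresh `$this->makeHandler()` inline and discards it, so a middleware that ran the handler first and only then substituted a 403 (i.e. still executed the POST to /api/texts for a non-admin or anonymous caller) would pass this suite unchanged. Keep the handler in a local and add the negative check in each of them, e.g. in test_returns_403_json_when_user_not_admin_for_api: `$handler = $this->makeHandler();` before the process() call and `$this->assertFalse($handler->wasCalled);` after the status assertion, and likewise in test_returns_403_html_when_user_not_admin_for_view and test_returns_403_when_no_user_attribute. The missing-user case is exercised only for the API request; whatever the middleware does for an unauthenticated HTML request (makeHtmlRequest(null)) is not pinned here, so if that path is meant to behave differently a fourth case would catch a regression. The status-code checks would also be tighter as `assertSame(403, ...)` rather than assertEquals. The class header and the start of setUp() are cut off at the top of the hunk.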