diff --git a/src/main/java/org/whispersystems/textsecuregcm/controllers/DeviceController.java b/src/main/java/org/whispersystems/textsecuregcm/controllers/DeviceController.java
index 5431dd66e..f2e7d638d 100644
--- a/src/main/java/org/whispersystems/textsecuregcm/controllers/DeviceController.java
+++ b/src/main/java/org/whispersystems/textsecuregcm/controllers/DeviceController.java
@@ -94,6 +94,10 @@ public class DeviceController {
   @DELETE
   @Path("/{device_id}")
   public void removeDevice(@Auth Account account, @PathParam("device_id") long deviceId) {
+    if (account.getAuthenticatedDevice().get().getId() != Device.MASTER_ID) {
+      throw new WebApplicationException(Response.Status.UNAUTHORIZED);
+    }
+
     account.removeDevice(deviceId);
     accounts.update(account);
   }
@@ -111,6 +115,10 @@ public class DeviceController {
       throw new DeviceLimitExceededException(account.getDevices().size(), MAX_DEVICES);
     }
 
+    if (account.getAuthenticatedDevice().get().getId() != Device.MASTER_ID) {
+      throw new WebApplicationException(Response.Status.UNAUTHORIZED);
+    }
+
     VerificationCode verificationCode = generateVerificationCode();
     pendingDevices.store(account.getNumber(), verificationCode.getVerificationCode());
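Review bot: The new guard in removeDevice authorizes the caller but does not constrain the target, so a master device can still call DELETE with device_id equal to Device.MASTER_ID and remove itself; unless account.removeDevice (not visible here) rejects that, the account is left with no device permitted to add or remove devices under this same check. Consider `if (deviceId == Device.MASTER_ID) { throw new WebApplicationException(Response.Status.FORBIDDEN); }` before the removal. The status for a caller that is authenticated but not permitted is 403 rather than 401; `Response.Status.FORBIDDEN` fits both new checks better than UNAUTHORIZED, which by convention signals missing or bad credentials. Since the identical check now appears in two handlers, a private helper such as `requireMasterDevice(account)` would keep the rule in one place, and it could also replace the bare `getAuthenticatedDevice().get()` with an explicit absent-value check rather than relying on the authenticator always populating it.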