diff --git a/src/ohmyapi/builtin/auth/routes.py b/src/ohmyapi/builtin/auth/routes.py
index 3a9ea39..e1cb3cc 100644
--- a/src/ohmyapi/builtin/auth/routes.py
+++ b/src/ohmyapi/builtin/auth/routes.py
@@ -95,7 +95,7 @@ async def require_admin(current_user: User = Depends(get_current_user)) -> User:
 
 async def require_staff(current_user: User = Depends(get_current_user)) -> User:
     """Ensure the current user is a staff member."""
-    if not current_user.is_staff:
+    if not current_user.is_admin and not current_user.is_staff:
         raise HTTPException(403, "Staff privileges required")
     return current_user