diff --git a/src/web/routes/api.ts b/src/web/routes/api.ts
index 5439391..c1d2fa2 100644
--- a/src/web/routes/api.ts
+++ b/src/web/routes/api.ts
@@ -30,13 +30,29 @@ router.get('/me', requireAuth, (req, res) => {
 res.json({ user: { ...req.session.user, isAdmin } });
 });
-router.get('/guilds', requireAuth, (_req, res) => {
+router.get('/guilds', requireAuth, (req, res) => {
+ const sessionGuilds = Array.isArray(req.session?.guilds) ? req.session.guilds : [];
+ // Only allow guilds the user owns or can manage (manage_guild or admin) and where the bot is present
+ const allowedIds = new Set(
+ sessionGuilds
+ .filter((g: any) => {
+ if (!g) return false;
+ if (g.owner) return true;
+ const perms = g.permissions ? BigInt(g.permissions) : 0n;
+ const hasAdmin = (perms & 0x8n) === 0x8n;
+ const hasManageGuild = (perms & 0x20n) === 0x20n;
+ return hasAdmin || hasManageGuild;
+ })
+ .map((g: any) => g.id)
+ );
 const guilds =
- context.client?.guilds.cache.map((g) => ({
- id: g.id,
- name: g.name,
- icon: g.icon
- })) ?? [];
+ context.client?.guilds.cache
+ .filter((g) => allowedIds.has(g.id))
+ .map((g) => ({
+ id: g.id,
+ name: g.name,
+ icon: g.icon
+ })) ?? [];
 res.json({ guilds });
 });
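Review bot: `BigInt(g.permissions)` in the new filter throws on any value that is not an integer or a decimal string (a malformed session entry, or a Discord payload where `permissions` is absent or in another form), and because the callback parameter is typed `g: any` the compiler cannot warn about it, so a single bad entry turns the whole `/guilds` response into an error instead of that guild simply being excluded. Validate the field before converting, treat anything unparseable as no permissions, and name the masks — `0x8n` is the ADMINISTRATOR bit and `0x20n` the MANAGE_GUILD bit of Discord's permission bitfield (if the project uses discord.js, `PermissionFlagsBits.Administrator` / `PermissionFlagsBits.ManageGuild` already exist) — so the intent of the check is readable. Note also that this only shapes the listing: any guild-scoped route that accepts an id from the client needs the same owner/permission check applied independently, and the session snapshot it relies on is presumably as old as the login, so a permission revoked since then is not reflected. The sketch below replaces the inline `.filter((g: any) => …)` with a typed predicate; the handler itself starts and ends inside this hunk.
```typescript
const ADMINISTRATOR = 0x8n;
const MANAGE_GUILD = 0x20n;

// Parses the permission bitfield stored in the session; anything that is not
// an integer or a decimal string is treated as "no permissions" rather than thrown.
function parsePermissions(raw: unknown): bigint {
  if (typeof raw === 'bigint') return raw;
  if (typeof raw === 'number' && Number.isInteger(raw)) return BigInt(raw);
  if (typeof raw === 'string' && /^\d+$/.test(raw)) return BigInt(raw);
  return 0n;
}

// True when the session guild entry is well-formed and the user owns it or
// holds ADMINISTRATOR / MANAGE_GUILD on it.
function canManageGuild(g: unknown): g is { id: string } {
  if (typeof g !== 'object' || g === null) return false;
  const { id, owner, permissions } = g as { id?: unknown; owner?: unknown; permissions?: unknown };
  if (typeof id !== 'string') return false;
  if (owner) return true;
  const perms = parsePermissions(permissions);
  return (perms & ADMINISTRATOR) === ADMINISTRATOR || (perms & MANAGE_GUILD) === MANAGE_GUILD;
}

router.get('/guilds', requireAuth, (req, res) => {
  const sessionGuilds: unknown[] = Array.isArray(req.session?.guilds) ? req.session.guilds : [];
  const allowedIds = new Set(sessionGuilds.filter(canManageGuild).map((g) => g.id));
  // … unchanged: intersect allowedIds with context.client.guilds.cache and respond …
});
```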