diff --git a/routes/api.php b/routes/api.php
index ffa4b29b9..8b28177f3 100644
--- a/routes/api.php
+++ b/routes/api.php
@@ -71,7 +71,7 @@
     Route::get('/cloud-tokens/{uuid}', [CloudProviderTokensController::class, 'show'])->middleware(['api.ability:read']);
     Route::patch('/cloud-tokens/{uuid}', [CloudProviderTokensController::class, 'update'])->middleware(['api.ability:write']);
     Route::delete('/cloud-tokens/{uuid}', [CloudProviderTokensController::class, 'destroy'])->middleware(['api.ability:write']);
-    Route::post('/cloud-tokens/{uuid}/validate', [CloudProviderTokensController::class, 'validateToken'])->middleware(['api.ability:read']);
+    Route::post('/cloud-tokens/{uuid}/validate', [CloudProviderTokensController::class, 'validateToken'])->middleware(['api.ability:write']);
 
     Route::match(['get', 'post'], '/deploy', [DeployController::class, 'deploy'])->middleware(['api.ability:deploy']);
     Route::get('/deployments', [DeployController::class, 'deployments'])->middleware(['api.ability:read']);
@@ -84,7 +84,7 @@
     Route::get('/servers/{uuid}/domains', [ServersController::class, 'domains_by_server'])->middleware(['api.ability:read']);
     Route::get('/servers/{uuid}/resources', [ServersController::class, 'resources_by_server'])->middleware(['api.ability:read']);
-    Route::get('/servers/{uuid}/validate', [ServersController::class, 'validate_server'])->middleware(['api.ability:read']);
+    Route::get('/servers/{uuid}/validate', [ServersController::class, 'validate_server'])->middleware(['api.ability:write']);
 
     Route::post('/servers', [ServersController::class, 'create_server'])->middleware(['api.ability:write']);
     Route::patch('/servers/{uuid}', [ServersController::class, 'update_server'])->middleware(['api.ability:write']);
diff --git a/tests/Feature/ApiTokenPermissionTest.php b/tests/Feature/ApiTokenPermissionTest.php
index 44efb7e06..f1782de2a 100644
--- a/tests/Feature/ApiTokenPermissionTest.php
+++ b/tests/Feature/ApiTokenPermissionTest.php
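Review bot: Nothing on the changed route line explains why `/cloud-tokens/{uuid}/validate` now needs the `write` ability while the neighbouring GETs keep `read`, and the same applies to `/servers/{uuid}/validate` in the second hunk; a one-line comment above each, such as `// Validation is not a pure read: it triggers work against the server/provider, so it requires the write ability` (confirm against the controller actions, which are not in this diff), would stop a later cleanup from "fixing" it back to `read`. The server route is a `GET` that now requires `write`; if the action really does have side effects, the verb is at odds with HTTP safe-method semantics, which is worth recording on the route even if changing the verb is deferred as a breaking change. Read-scoped tokens that relied on these two endpoints lose access, so this is a behaviour change for existing API clients, and any ability listing in the API documentation (not part of this diff) should be updated to match.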
@@ -73,3 +73,28 @@
         $response->assertStatus(403);
     });
 });
+
+describe('GET /api/v1/servers/{uuid}/validate', function () {
+    test('read-only token cannot trigger server validation', function () {
+        $token = $this->user->createToken('read-only', ['read']);
+
+        $response = $this->withHeaders([
+            'Authorization' => 'Bearer '.$token->plainTextToken,
+        ])->getJson('/api/v1/servers/fake-uuid/validate');
+
+        $response->assertStatus(403);
+    });
+});
+
+describe('POST /api/v1/cloud-tokens/{uuid}/validate', function () {
+    test('read-only token cannot validate cloud provider token', function () {
+        $token = $this->user->createToken('read-only', ['read']);
+
+        $response = $this->withHeaders([
+            'Authorization' => 'Bearer '.$token->plainTextToken,
+            'Content-Type' => 'application/json',
+        ])->postJson('/api/v1/cloud-tokens/fake-uuid/validate');
+
+        $response->assertStatus(403);
+    });
+});
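Review bot: Both new tests pin only the denial path, so a typo in the ability name on the route (which would 403 every token) or the route being dropped entirely would still leave them green; add one positive-path case per endpoint that creates the token with `$this->user->createToken('write', ['write'])` and asserts the request gets past the ability middleware, e.g. `expect($response->status())->not->toBe(403);` (with `fake-uuid` the controller's response for an unknown uuid is whatever it returns, which is why the exact status is not pinned). The explicit `'Content-Type' => 'application/json'` header in the second test is redundant, since `postJson()` already sets it, and dropping it would match the first test. The `$this->user` fixture these tests rely on is set up outside the hunk.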