diff --git a/includes/class-activitypub.php b/includes/class-activitypub.php
index c2a068d..01246a4 100644
--- a/includes/class-activitypub.php
+++ b/includes/class-activitypub.php
@@ -38,6 +38,11 @@ class Activitypub {
 return $template;
 }
 
+ // check if user can publish posts
+ if ( \is_author() && ! user_can( \get_the_author_meta( 'ID' ), 'publish_posts' ) ) {
+ return $template;
+ }
+
 if ( \is_author() ) {
 $json_template = \dirname( __FILE__ ) . '/../templates/author-json.php';
 } elseif ( \is_singular() ) {
diff --git a/includes/rest/class-followers.php b/includes/rest/class-followers.php
index 34392ce..2734c78 100644
--- a/includes/rest/class-followers.php
+++ b/includes/rest/class-followers.php
@@ -101,6 +101,9 @@ class Followers {
 $params['user_id'] = array(
 'required' => true,
 'type' => 'integer',
+ 'validate_callback' => function( $param, $request, $key ) {
+ return user_can( $param, 'publish_posts' );
+ },
 );
 
 return $params;
diff --git a/includes/rest/class-following.php b/includes/rest/class-following.php
index 06d3f0b..d7caff4 100644
--- a/includes/rest/class-following.php
+++ b/includes/rest/class-following.php
@@ -99,6 +99,9 @@ class Following {
 $params['user_id'] = array(
 'required' => true,
 'type' => 'integer',
+ 'validate_callback' => function( $param, $request, $key ) {
+ return user_can( $param, 'publish_posts' );
+ },
 );
 
 return $params;
diff --git a/includes/rest/class-inbox.php b/includes/rest/class-inbox.php
index 3408950..258658a 100644
--- a/includes/rest/class-inbox.php
+++ b/includes/rest/class-inbox.php
@@ -33,7 +33,7 @@ class Inbox {
 array(
 'methods' => \WP_REST_Server::EDITABLE,
 'callback' => array( '\Activitypub\Rest\Inbox', 'shared_inbox_post' ),
- 'args' => self::shared_inbox_request_parameters(),
+ 'args' => self::shared_inbox_post_parameters(),
 'permission_callback' => '__return_true',
 ),
 )
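Review bot: The new guard in the `@@ -38` hunk of class-activitypub.php repeats the `\is_author()` test that the very next `if` already makes, and calls `user_can()` unqualified while every other WordPress function on these lines carries a leading backslash; fold the capability check into the existing branch and qualify the call consistently, e.g. `if ( \is_author() ) { if ( ! \user_can( \get_the_author_meta( 'ID' ), 'publish_posts' ) ) { return $template; } $json_template = ...; }`. `\get_the_author_meta( 'ID' )` presumably resolves through the `$authordata` global that WordPress populates for author archives; `\get_queried_object_id()` would name the archive's user directly without depending on that global. The comment `// check if user can publish posts` restates the condition; a why-comment such as `// Users without publish_posts (e.g. subscribers) are not exposed as ActivityPub actors` would tell the next reader what the early return protects. The enclosing template-filter method starts and ends outside the hunk.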
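Review bot: Supplying a custom `validate_callback` for `user_id` in class-followers.php replaces the REST API's default `rest_validate_request_arg`, so the `'type' => 'integer'` declaration right above it is no longer enforced at validation time; `user_can()` happens to return false for non-numeric input, but the schema check should stay explicit, e.g. `$valid = rest_validate_request_arg( $param, $request, $key ); return true === $valid ? user_can( $param, 'publish_posts' ) : $valid;`. The identical closure is pasted into class-following.php, both `user_inbox_get_parameters()` and `user_inbox_post_parameters()` in class-inbox.php, and class-outbox.php; one shared static helper (a placeholder name such as `validate_publishing_user_id()`) would keep the five copies from drifting and drop the unused `$request`/`$key` parameters from four of them. A rejected `user_id` surfaces here as a 400 `rest_invalid_param`, whereas the webfinger hunk answers the same condition with a 404 "User not found"; if non-publishing users are meant to be indistinguishable from missing ones, that probably belongs in the endpoint callbacks rather than in parameter validation.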
@@ -46,12 +46,13 @@ class Inbox {
 array(
 'methods' => \WP_REST_Server::EDITABLE,
 'callback' => array( '\Activitypub\Rest\Inbox', 'user_inbox_post' ),
- 'args' => self::user_inbox_request_parameters(),
+ 'args' => self::user_inbox_post_parameters(),
 'permission_callback' => '__return_true',
 ),
 array(
 'methods' => \WP_REST_Server::READABLE,
 'callback' => array( '\Activitypub\Rest\Inbox', 'user_inbox_get' ),
+ 'args' => self::user_inbox_get_parameters(),
 'permission_callback' => '__return_true',
 ),
 )
@@ -195,7 +196,7 @@ class Inbox {
 *
 * @return array list of parameters
 */
- public static function user_inbox_request_parameters() {
+ public static function user_inbox_get_parameters() {
 $params = array();
 
 $params['page'] = array(
@@ -205,6 +206,32 @@ class Inbox {
 $params['user_id'] = array(
 'required' => true,
 'type' => 'integer',
+ 'validate_callback' => function( $param, $request, $key ) {
+ return user_can( $param, 'publish_posts' );
+ },
+ );
+
+ return $params;
+ }
+
+ /**
+ * The supported parameters
+ *
+ * @return array list of parameters
+ */
+ public static function user_inbox_post_parameters() {
+ $params = array();
+
+ $params['page'] = array(
+ 'type' => 'integer',
+ );
+
+ $params['user_id'] = array(
+ 'required' => true,
+ 'type' => 'integer',
+ 'validate_callback' => function( $param, $request, $key ) {
+ return user_can( $param, 'publish_posts' );
+ },
 );
 
 $params['id'] = array(
@@ -243,7 +270,7 @@ class Inbox {
 *
 * @return array list of parameters
 */
- public static function shared_inbox_request_parameters() {
+ public static function shared_inbox_post_parameters() {
 $params = array();
 
 $params['page'] = array(
diff --git a/includes/rest/class-outbox.php b/includes/rest/class-outbox.php
index e43ab71..7eec5ac 100644
--- a/includes/rest/class-outbox.php
+++ b/includes/rest/class-outbox.php
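Review bot: The new `user_inbox_post_parameters()` in the `@@ -205` hunk of class-inbox.php reuses the GET method's docblock word for word, `The supported parameters`, so the two now read as interchangeable although they feed different routes; name the route in each, e.g. `Parameters accepted by the user inbox POST endpoint` and `Parameters accepted by the user inbox GET endpoint`. The `page` argument in the POST variant looks copied from the GET method; if the POST handler does not page through anything (it is not in the hunk, so this is inferred), drop it, since an accepted-but-ignored argument advertises behaviour the endpoint does not have. The renames in the `@@ -33`, `@@ -46`, `@@ -195` and `@@ -243` hunks are consistent with the split, and the GET route gaining `'args'` closes the gap where its `user_id` was previously not validated at all. `user_inbox_post_parameters()` continues past the end of the hunk with `$params['id']` and whatever follows.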
@@ -138,6 +138,9 @@ class Outbox {
 $params['user_id'] = array(
 'required' => true,
 'type' => 'integer',
+ 'validate_callback' => function( $param, $request, $key ) {
+ return user_can( $param, 'publish_posts' );
+ },
 );
 
 return $params;
diff --git a/includes/rest/class-webfinger.php b/includes/rest/class-webfinger.php
index dc84da4..0c6d5f1 100644
--- a/includes/rest/class-webfinger.php
+++ b/includes/rest/class-webfinger.php
@@ -59,7 +59,7 @@ class Webfinger {
 $user = \get_user_by( 'login', \esc_sql( $resource_identifier ) );
- if ( ! $user ) {
+ if ( ! $user || ! user_can( $user, 'publish_posts' ) ) {
 return new \WP_Error( 'activitypub_user_not_found', \__( 'User not found', 'activitypub' ), array( 'status' => 404 ) );
 }