1) When you create a new session, you need to add ...
# general
r
1) When you create a new session, you need to add some metadata to the access token (like: {role: "admin"})
2) Post session verification, you can get the role from the access token, and check if it's "admin". If it's not, then you can throw an error to the frontend.
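
The two steps above as an added example (not part of the original message and not any particular session library's API): a server puts the role into a signed access token at session creation and reads it back only after verification, so a role edited on the client fails the check. The helper names, the token layout and the HMAC secret are assumptions made for this sketch.

```javascript
// Added example: HMAC-signed access token carrying a role claim (hypothetical helpers).
const { createHmac, timingSafeEqual } = require("node:crypto");

const SECRET = "constructed-demo-secret"; // constructed value; load from a secret store in practice

const sign = (body) => createHmac("sha256", SECRET).update(body).digest("base64url");

// Step 1: on session creation the server puts the role into the signed payload.
function createSession(userId, role, ttlSeconds = 3600) {
  const payload = { sub: userId, role, exp: Math.floor(Date.now() / 1000) + ttlSeconds };
  const body = Buffer.from(JSON.stringify(payload)).toString("base64url");
  return `${body}.${sign(body)}`;
}

// Session verification: check signature and expiry before trusting any claim.
function verifySession(token) {
  const [body, mac] = String(token).split(".");
  const expected = Buffer.from(sign(body || ""));
  const given = Buffer.from(mac || "");
  if (given.length !== expected.length || !timingSafeEqual(given, expected)) {
    throw new Error("invalid session");
  }
  const payload = JSON.parse(Buffer.from(body, "base64url").toString("utf8"));
  if (payload.exp <= Math.floor(Date.now() / 1000)) throw new Error("session expired");
  return payload;
}

// Step 2: after verification, read the role from the token and reject non-admins.
function requireAdmin(token) {
  const payload = verifySession(token);
  if (payload.role !== "admin") throw new Error("forbidden: admin role required");
  return payload;
}

// Test helper: rewrites the role without re-signing, as an edited client-side token would look.
function tamperRole(token, role) {
  const [body, mac] = token.split(".");
  const payload = JSON.parse(Buffer.from(body, "base64url").toString("utf8"));
  const forged = Buffer.from(JSON.stringify({ ...payload, role })).toString("base64url");
  return `${forged}.${mac}`;
}
```

The error thrown by `requireAdmin` is what the route handler would map to a 403 response for the frontend.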