diff --git a/middleware.ts b/middleware.ts
new file mode 100644
index 0000000..8f2e9b1
--- /dev/null
+++ b/middleware.ts
@@ -0,0 +1,67 @@
+import { NextResponse } from "next/server"
+import type { NextRequest } from "next/server"
+import { getToken } from "next-auth/jwt"
+
+export async function middleware(request: NextRequest) {
+ const pathname = request.nextUrl.pathname
+
+ // Public routes - allow access
+ if (pathname === "/login" || pathname.startsWith("/api/auth")) {
+ return NextResponse.next()
+ }
+
+ // Get token (works in Edge runtime)
+ // getToken automatically detects the cookie name from NextAuth config
+ const token = await getToken({
+ req: request,
+ secret: process.env.NEXTAUTH_SECRET
+ })
+
+ // Debug logging for production troubleshooting
+ if (!token) {
+ console.log("Middleware: No token found", {
+ pathname,
+ cookieHeader: request.headers.get("cookie")?.substring(0, 200),
+ origin: request.headers.get("origin"),
+ referer: request.headers.get("referer")
+ })
+ } else {
+ console.log("Middleware: Token found", {
+ pathname,
+ tokenId: token.id,
+ tokenRole: token.role,
+ tokenEmail: token.email
+ })
+ }
+
+ // Protected routes - require authentication
+ if (!token) {
+ const loginUrl = new URL("/login", request.url)
+ loginUrl.searchParams.set("callbackUrl", pathname)
+ return NextResponse.redirect(loginUrl)
+ }
+
+ // Admin routes - require ADMIN role
+ if (pathname.startsWith("/admin")) {
+ if (token.role !== "ADMIN") {
+ return NextResponse.redirect(new URL("/", request.url))
+ }
+ }
+
+ return NextResponse.next()
+}
+
+export const config = {
+ matcher: [
+ /*
+ * Match all request paths except for the ones starting with:
+ * - _next/static (static files)
+ * - _next/image (image optimization files)
+ * - _next/rsc (RSC payload requests)
+ * - _next/webpack (webpack chunks)
+ * - favicon.ico (favicon file)
+ * - public folder
+ */
+ "/((?!_next/static|_next/image|_next/rsc|_next/webpack|favicon.ico|.*\\.(?:svg|png|jpg|jpeg|gif|webp)$).*)",
+ ],
+}
diff --git a/proxy.ts b/proxy.ts
index d91b612..ba03d79 100644
--- a/proxy.ts
+++ b/proxy.ts
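Review bot: The block under `// Debug logging for production troubleshooting` runs unconditionally and writes the first 200 characters of the raw `Cookie` header (which is where the NextAuth session cookie lives) plus, on the authenticated path, the user's email, so session material and PII go to stdout on every request in production. The sibling `proxy.ts` hunk in this same commit gates equivalent logging on `process.env.NODE_ENV !== "production"`; this file should at least match that, and neither file needs the cookie value to diagnose a missing token — a presence-only field such as `cookieNames: request.cookies.getAll().map((c) => c.name),` (assuming a Next.js version that exposes `request.cookies.getAll()`) shows whether the session cookie arrived without exposing it, and `tokenEmail` can be dropped in favour of `tokenId`. Separately, any `/api/` path other than `/api/auth` that lacks a token is answered with a 302 to `/login`, which API clients will follow into an HTML page; consider `if (pathname.startsWith("/api/")) return NextResponse.json({ error: "Unauthorized" }, { status: 401 })` ahead of the redirect. The `/admin` role check relies on the JWT callback elsewhere populating `token.role`, which this diff does not show.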
@@ -11,10 +11,22 @@ export async function proxy(request: NextRequest) {
 }
 // Get token (works in Edge runtime)
+ // getToken automatically detects the cookie name from NextAuth config
 const token = await getToken({
 req: request,
- secret: process.env.NEXTAUTH_SECRET
+ secret: process.env.NEXTAUTH_SECRET
 })
+
+ // Debug logging (remove in production if not needed)
+ if (process.env.NODE_ENV !== "production") {
+ console.log("Middleware token check:", {
+ pathname,
+ hasToken: !!token,
+ tokenId: token?.id,
+ tokenRole: token?.role,
+ cookieHeader: request.headers.get("cookie")?.substring(0, 100)
+ })
+ }
 // Protected routes - require authentication
 if (!token) {
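Review bot: The added debug block still logs `request.headers.get("cookie")?.substring(0, 100)`, so even behind the `NODE_ENV !== "production"` guard the session cookie value lands in development logs and in any staging or preview deployment where `NODE_ENV` is not `"production"`; the raw value is never needed to diagnose a missing-token case. Replace that line with cookie names only, e.g. `cookieNames: request.cookies.getAll().map((c) => c.name),` (assuming a Next.js version that exposes `request.cookies.getAll()`), which still shows whether the NextAuth session cookie arrived. The comment `// Debug logging (remove in production if not needed)` contradicts the guard directly beneath it, which already disables the block in production; `// Debug logging (development only, guarded by NODE_ENV)` would describe what the code does. The `- secret` / `+ secret` pair is a whitespace-only change and needs no action. The enclosing `proxy` function starts and ends outside this hunk.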