diff --git a/go.mod b/go.mod
index 2cdf9a258..eede62fef 100644
--- a/go.mod
+++ b/go.mod
@@ -23,7 +23,7 @@ require (
 github.com/jxskiss/base62 v1.1.0
 github.com/livekit/mageutil v0.0.0-20230125210925-54e8a70427c1
 github.com/livekit/mediatransportutil v0.0.0-20250310153736-45596af895b6
- github.com/livekit/protocol v1.36.2-0.20250408183714-0975d348643e
+ github.com/livekit/protocol v1.36.2-0.20250409063348-18e676b49301
 github.com/livekit/psrpc v0.6.1-0.20250205181828-a0beed2e4126
 github.com/mackerelio/go-osstat v0.2.5
 github.com/magefile/mage v1.15.0
diff --git a/go.sum b/go.sum
index 8bb4a4338..b979da6eb 100644
--- a/go.sum
+++ b/go.sum
@@ -171,8 +171,8 @@ github.com/livekit/mageutil v0.0.0-20230125210925-54e8a70427c1 h1:jm09419p0lqTkD
 github.com/livekit/mageutil v0.0.0-20230125210925-54e8a70427c1/go.mod h1:Rs3MhFwutWhGwmY1VQsygw28z5bWcnEYmS1OG9OxjOQ=
 github.com/livekit/mediatransportutil v0.0.0-20250310153736-45596af895b6 h1:6ZhtnY9I9knfm3ieIPpznQSEU2rDECO8yliW/ANLQ7U=
 github.com/livekit/mediatransportutil v0.0.0-20250310153736-45596af895b6/go.mod h1:36s+wwmU3O40IAhE+MjBWP3W71QRiEE9SfooSBvtBqY=
-github.com/livekit/protocol v1.36.2-0.20250408183714-0975d348643e h1:uCdTqLPDVdJeJdXkSx7hlfUlY1MBmfBo8fOk2TF28cU=
-github.com/livekit/protocol v1.36.2-0.20250408183714-0975d348643e/go.mod h1:WrT/CYRxtMNOVUjnIPm5OjWtEkmreffTeE1PRZwlRg4=
+github.com/livekit/protocol v1.36.2-0.20250409063348-18e676b49301 h1:XiI1VuokjisdmPhU2z7GJa4Q+cv6Z4fqNBl363L4bwA=
+github.com/livekit/protocol v1.36.2-0.20250409063348-18e676b49301/go.mod h1:WrT/CYRxtMNOVUjnIPm5OjWtEkmreffTeE1PRZwlRg4=
 github.com/livekit/psrpc v0.6.1-0.20250205181828-a0beed2e4126 h1:fzuYpAQbCid7ySPpQWWePfQOWUrs8x6dJ0T3Wl07n+Y=
 github.com/livekit/psrpc v0.6.1-0.20250205181828-a0beed2e4126/go.mod h1:X5WtEZ7OnEs72Fi5/J+i0on3964F1aynQpCalcgMqRo=
 github.com/mackerelio/go-osstat v0.2.5 h1:+MqTbZUhoIt4m8qzkVoXUJg1EuifwlAJSk4Yl2GXh+o=
diff --git a/pkg/service/auth.go b/pkg/service/auth.go
index 8edcf91c5..b259aa698 100644
--- a/pkg/service/auth.go
+++ b/pkg/service/auth.go
@@ -219,6 +219,19 @@ func EnsureSIPCallPermission(ctx context.Context) error {
 return nil
 }
+func EnsureForwardPermission(ctx context.Context, source livekit.RoomName, destination livekit.RoomName) error {
+ claims := GetGrants(ctx)
+ if claims == nil || claims.Video == nil {
+ return ErrPermissionDenied
+ }
+
+ if !claims.Video.RoomAdmin || source != livekit.RoomName(claims.Video.Room) || destination != livekit.RoomName(claims.Video.DestinationRoom) {
+ return ErrPermissionDenied
+ }
+
+ return nil
+}
+
 // wraps authentication errors around Twirp
 func twirpAuthError(err error) error {
 return twirp.NewError(twirp.Unauthenticated, err.Error())
diff --git a/pkg/service/roomservice.go b/pkg/service/roomservice.go
index 2ec41b228..ae2847fa7 100644
--- a/pkg/service/roomservice.go
+++ b/pkg/service/roomservice.go
@@ -321,7 +321,7 @@ func (s *RoomService) ForwardParticipant(ctx context.Context, req *livekit.Forwa
 roomName := livekit.RoomName(req.Room)
 AppendLogFields(ctx, "room", roomName, "participant", req.Identity)
- if err := EnsureAdminPermission(ctx, roomName); err != nil {
+ if err := EnsureForwardPermission(ctx, roomName, livekit.RoomName(req.DestinationRoom)); err != nil {
 return nil, twirpAuthError(err)
 }
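Review bot: In `EnsureForwardPermission` the destination is authorised by plain equality with `claims.Video.DestinationRoom`, so a request with an empty `destination` matches a token that carries no destination grant at all. Whether an empty destination is rejected later in the handler is not visible in this hunk, so the check would be safer failing closed, by adding `|| destination == ""` to the existing condition. The function is exported and has no doc comment; `// EnsureForwardPermission requires a room-admin grant whose Room and DestinationRoom match the requested source and destination.` would record the contract. No test for the new check appears in this diff.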
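Review bot: The log fields set just above the changed call in `ForwardParticipant` still carry only `room` and `participant`, although the destination room is now part of the authorisation decision. Assuming `AppendLogFields` accepts further key/value pairs as the existing call suggests, `AppendLogFields(ctx, "room", roomName, "participant", req.Identity, "destinationRoom", req.DestinationRoom)` would let a denied or unexpected forward be traced to its target room. The handler body continues outside this hunk, so any later validation of `req.DestinationRoom` is not visible here.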