diff --git a/src/main/java/org/ntlab/citrusserver/repositories/TodoManager.java b/src/main/java/org/ntlab/citrusserver/repositories/TodoManager.java
index 76399d1..1d5d9dc 100644
--- a/src/main/java/org/ntlab/citrusserver/repositories/TodoManager.java
+++ b/src/main/java/org/ntlab/citrusserver/repositories/TodoManager.java
@@ -33,6 +33,12 @@
 }
+ private void checkToken(String accountId, String token){
+ if(!accountManager.checkToken(accountId, token)){
+ throw new ResponseStatusException(HttpStatus.FORBIDDEN);
+ }
+ }
+
 /**
 * アカウントと本を指定してそれに所属するtodoをすべて返す
 *
@@ -57,6 +63,10 @@
 if(!todos.get(accountId).containsKey(bookId)){
 throw new ResponseStatusException(HttpStatus.NOT_FOUND);
 }
+ if(accountManager.checkToken(accountId, token)){
+ throw new ResponseStatusException(HttpStatus.FORBIDDEN);
+ }
+ checkToken(accountId, token);
 return todos.get(accountId).get(bookId);
 }
@@ -82,6 +92,7 @@
 if(!todos.get(accountId).get(bookId).get(year).containsKey(month)){
 return new HashMap>();
 }
+ checkToken(accountId, token);
 return todos.get(accountId).get(bookId).get(year).get(month);
 }
@@ -126,6 +137,7 @@
 if(!todos.get(accountId).get(bookId).get(year).get(month).containsKey(day)){
 return new HashMap();
 }
+ checkToken(accountId, token);
 return todos.get(accountId).get(bookId).get(year).get(month).get(day);
 }
@@ -176,6 +188,7 @@
 if(!todos.get(accountId).get(bookId).get(year).get(month).get(day).containsKey(todoId)){
 throw new ResponseStatusException(HttpStatus.NOT_FOUND);
 }
+ checkToken(accountId, token);
 return todos.get(accountId).get(bookId).get(year).get(month).get(day).get(todoId);
 }
@@ -224,6 +237,7 @@
 if(!todos.get(accountId).get(bookId).get(year).get(month).containsKey(day)){
 todos.get(accountId).get(bookId).get(year).get(month).put(day, new HashMap<>());
 }
+ checkToken(accountId, token);
 String accountBook = accountId + bookId + year + month + day;
 if(!nextTodoId.containsKey(accountBook)){
 nextTodoId.put(accountBook, 0);
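Review bot: The `checkToken` helper added in the hunk at -33,6 has no Javadoc, although the method directly below it does, and it shares its name with `accountManager.checkToken`, which is used as a boolean while this one throws. A comment such as `/** Throws 403 FORBIDDEN unless accountManager.checkToken accepts the token for accountId; call before reading or changing todos. */` would state the contract. A distinct name such as `requireValidToken` would also make call sites easier to tell apart from the boolean check. The surrounding class body is outside the hunk.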
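Review bot: In the hunk at -57,6 the added `if(accountManager.checkToken(accountId, token)){` lacks the `!` that the helper in the first hunk uses, so it throws `FORBIDDEN` for exactly the callers whose token is accepted, and the `checkToken(accountId, token);` right after it throws for everyone else. Assuming `accountManager.checkToken` returns true for a valid token, this method can no longer return todos to any caller. The three-line `if` block looks like a leftover from before the helper existed and should be deleted, keeping only `checkToken(accountId, token);`. The method's signature and its earlier checks are outside the hunk.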
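Review bot: In the hunk at -82,6 `checkToken(accountId, token);` comes after the existence checks, so `return new HashMap>();` for a missing month is reached with no token check at all. The same ordering appears in the hunks at -57,6, -126,6, -176,6, -279,6 and -325,6, where `NOT_FOUND` is thrown or an empty map returned before the token is examined. A caller without a valid token can therefore tell existing accounts, books, dates and todo ids from missing ones by comparing a 404 or an empty result with a 403. Making `checkToken(accountId, token);` the first statement of each method removes that difference. The method bodies start outside the hunks, so not all of the earlier checks are visible here.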
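Review bot: In the hunk at -224,6 the token check runs after `todos.get(accountId).get(bookId).get(year).get(month).put(day, new HashMap<>());`, so a request with an invalid token still changes the stored map before it is rejected with 403. Authorization should precede any write: move `checkToken(accountId, token);` to the top of the method, ahead of the `containsKey`/`put` chain. The start of the method is outside the hunk, so any earlier `put` calls for year and month may be affected in the same way and should be confirmed.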
@@ -279,6 +293,7 @@
 if(!todos.get(accountId).get(bookId).get(year).get(month).get(day).containsKey(todoId)){
 throw new ResponseStatusException(HttpStatus.NOT_FOUND);
 }
+ checkToken(accountId, token);
 todos.get(accountId).get(bookId).get(year).get(month).get(day).remove(todoId);
 }
@@ -325,6 +340,7 @@
 if(!todos.get(accountId).get(bookId).get(year).get(month).get(day).containsKey(todoId)){
 throw new ResponseStatusException(HttpStatus.NOT_FOUND);
 }
+ checkToken(accountId, token);
 todos.get(accountId).get(bookId).get(year).get(month).get(day).get(todoId).setCheck(check);
 }