diff --git a/api.go b/api.go
index 59de278..d650856 100644
--- a/api.go
+++ b/api.go
@@ -28,7 +28,7 @@ func (s *Server) category(w http.ResponseWriter, req *http.Request) {
 if err != nil {
 log.Printf("%+v", err)
 b, _ := json.Marshal(NewFailure(err.Error()))
- http.Error(w, string(b), http.StatusBadRequest)
+ http.Error(w, string(b), http.StatusInternalServerError)
 return
 }
 json.NewEncoder(w).Encode(categories)
@@ -50,7 +50,7 @@ func (s *Server) category(w http.ResponseWriter, req *http.Request) {
 if err != nil {
 log.Printf("%+v", err)
 b, _ := json.Marshal(NewFailure(err.Error()))
- http.Error(w, string(b), http.StatusBadRequest)
+ http.Error(w, string(b), http.StatusInternalServerError)
 return
 }
 case "DELETE":
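Review bot: Both hunks on this line still hand `err.Error()` to the client inside the JSON failure body and only change the status code, so whatever the underlying error is (it appears to come from the category query above the hunk, which would expose driver messages, SQL fragments or table names) is disclosed to any caller. The error is already logged with `log.Printf("%+v", err)`, so the response should carry a fixed message instead: `b, _ := json.Marshal(NewFailure("internal error"))`. While here, the unchecked `json.NewEncoder(w).Encode(categories)` result should at least be logged, since a failed encode currently leaves a 200 with a truncated body. The enclosing `category` handler starts and ends outside these hunks.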
@@ -77,3 +77,113 @@ func (s *Server) category(w http.ResponseWriter, req *http.Request) {
 }
 }
 }
+
+func (s *Server) user(w http.ResponseWriter, req *http.Request) {
+ // TODO add back in
+ //w.Header().Set("Content-Type", "application/json")
+ //session, err := store.Get(r, "creds")
+ //if err != nil {
+ // http.Error(w, err.Error(), http.StatusInternalServerError)
+ // return
+ //}
+ //if loggedIn := session.Values["authenticated"]; loggedIn != true {
+ // http.Redirect(w, r, "/", http.StatusTemporaryRedirect)
+ // return
+ //}
+ switch req.Method {
+ default:
+ b, _ := json.Marshal(NewFailure("Allowed methods: GET, POST, DELETE"))
+ http.Error(w, string(b), http.StatusBadRequest)
+ return
+ case "GET":
+ users, err := s.db.getUsers()
+ if err != nil {
+ log.Printf("%+v", err)
+ b, _ := json.Marshal(NewFailure(err.Error()))
+ http.Error(w, string(b), http.StatusInternalServerError)
+ return
+ }
+ json.NewEncoder(w).Encode(users)
+ case "POST":
+ u := user{}
+ err := json.NewDecoder(req.Body).Decode(&u)
+ req.Body.Close()
+ if err != nil {
+ log.Printf("%+v", err)
+ b, _ := json.Marshal(NewFailure(err.Error()))
+ http.Error(w, string(b), http.StatusBadRequest)
+ return
+ }
+
+ // TODO add back in
+ //// verify current user is an admin
+ //session, err := store.Get(req, "creds")
+ //if err != nil {
+ // http.Error(w, err.Error(), http.StatusInternalServerError)
+ // return
+ //}
+ //email := ""
+ //if session.Values["uname"] != nil {
+ // email = session.Values["uname"].(string)
+ //}
+ //if !s.db.adminUser(email) {
+ // log.Printf("user is not admin")
+ // b, _ := json.Marshal(NewFailure("not admin"))
+ // http.Error(w, string(b), http.StatusForbidden)
+ // return
+ //}
+
+ _, err = s.db.db.Exec(
+ `INSERT INTO users (email, admin) VALUES ($1, $2)`,
+ u.Email,
+ u.Admin,
+ )
+ if err != nil {
+ log.Printf("%+v", err)
+ b, _ := json.Marshal(NewFailure(err.Error()))
+ http.Error(w, string(b), http.StatusBadRequest)
+ return
+ }
+ case "DELETE":
+ u := user{}
+ err := json.NewDecoder(req.Body).Decode(&u)
+ req.Body.Close()
+ if err != nil {
+ b, _ := json.Marshal(NewFailure(err.Error()))
+ http.Error(w, string(b), http.StatusBadRequest)
+ return
+ }
+
+ // TODO add back in
+ //// verify current user is an admin
+ //session, err := store.Get(req, "creds")
+ //if err != nil {
+ // http.Error(w, err.Error(), http.StatusInternalServerError)
+ // return
+ //}
+ //email := ""
+ //if session.Values["uname"] != nil {
+ // email = session.Values["uname"].(string)
+ //}
+ //if !s.db.adminUser(email) {
+ // log.Printf("user is not admin")
+ // b, _ := json.Marshal(NewFailure("not admin"))
+ // http.Error(w, string(b), http.StatusForbidden)
+ // return
+ //}
+
+ _, err = s.db.db.Exec("DELETE FROM users WHERE email = $1", u.Email)
+ if err != nil {
+ log.Printf("%+v", err)
+ b, _ := json.Marshal(NewFailure(err.Error()))
+ http.Error(w, string(b), http.StatusInternalServerError)
+ return
+ }
+ if err != nil {
+ log.Printf("%+v", err)
+ b, _ := json.Marshal(NewFailure(err.Error()))
+ http.Error(w, string(b), http.StatusBadRequest)
+ return
+ }
+ }
+}
diff --git a/db.go b/db.go
index 2a08e4c..a04af1b 100644
--- a/db.go
+++ b/db.go
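Review bot: `user` ships with the session check at its top and the admin checks in the POST and DELETE branches all commented out, and routes.go in this same commit registers it at `/api/v0/user/`, so any unauthenticated client can list every user, create a user whose `admin` flag is taken verbatim from the request body, and delete any user by email; a TODO is not an acceptable state for this endpoint. Note that the commented session block refers to `r` while the parameter is named `req`, and it answers an unauthenticated API call with a 307 to `/` rather than a 401, so simply uncommenting it will neither compile nor behave well for JSON callers. The DELETE branch also ends with a second `if err != nil` that is unreachable because the first one already returned on error. I would restore the gating as one helper used by every branch, with the admin check applied in POST and DELETE before the `Exec`, roughly as below (this assumes the login flow sets `authenticated` and `uname` in the `creds` session, as the commented code expects, and that `store` is the package-level cookie store initialised in `addRoutes`).
```go
// sessionEmail returns the logged-in user's email, or writes a 401 JSON
// failure and returns false. Assumes store is initialised in addRoutes.
func sessionEmail(w http.ResponseWriter, req *http.Request) (string, bool) {
	session, err := store.Get(req, "creds")
	if err != nil || session.Values["authenticated"] != true {
		b, _ := json.Marshal(NewFailure("not authenticated"))
		http.Error(w, string(b), http.StatusUnauthorized)
		return "", false
	}
	email, _ := session.Values["uname"].(string)
	return email, true
}

func (s *Server) user(w http.ResponseWriter, req *http.Request) {
	email, ok := sessionEmail(w, req)
	if !ok {
		return
	}
	w.Header().Set("Content-Type", "application/json")
	switch req.Method {
	// … unchanged: default and GET branches …
	case "POST":
		// … unchanged: decode body …
		if !s.db.adminUser(email) {
			b, _ := json.Marshal(NewFailure("not admin"))
			http.Error(w, string(b), http.StatusForbidden)
			return
		}
		// … unchanged: INSERT and its error handling …
	case "DELETE":
		// … same adminUser gate as POST, then the DELETE Exec; drop the dead second if err block …
	}
}
```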
@@ -54,6 +54,36 @@ func (d *DB) getCategories() ([]category, error) {
 return results, nil
 }
+func (d *DB) getUsers() ([]user, error) {
+ results := []user{}
+ rows, err := d.db.Queryx("SELECT id, email, admin FROM users")
+ if err != nil {
+ return nil, err
+ }
+ for rows.Next() {
+ var result user
+ err := rows.StructScan(&result)
+ if err != nil {
+ return nil, err
+ }
+ results = append(results, result)
+ }
+ return results, nil
+}
+
+func (d *DB) adminUser(e string) bool {
+ result := user{}
+ row := d.db.QueryRow("SELECT admin FROM users WHERE email = $1",
+ e,
+ )
+ err := row.Scan(&result)
+ if err != nil {
+ return false
+ }
+
+ return result.Admin
+}
+
 //func (d *DB) checkOwner(filename, client string) error {
 // row := d.db.QueryRowx("SELECT client FROM pics WHERE filename = $1", filename)
 // var owner string
diff --git a/routes.go b/routes.go
index 3e7be5d..221c968 100644
--- a/routes.go
+++ b/routes.go
@@ -22,10 +22,9 @@ func addRoutes(sm *http.ServeMux, server *Server, staticFiles string) {
 "oauth": "/api/v0/oauth_cb/",
 "auth": "/api/v0/auth/",
 "health": "/healthz",
- "list": "/api/v0/list/",
 "category": "/api/v0/category/",
 "tranx": "/api/v0/tranx/",
- "cost": "/api/v0/costpermonth/",
+ "user": "/api/v0/user/",
 "fake": "/fake/",
 }
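Review bot: `adminUser` scans the single `admin` column into `&result`, where `result` is a `user` struct; `database/sql` accepts only pointers to scalar types or `sql.Scanner` implementations as Scan targets, so unless `user` implements `Scanner` (not visible here) every call fails and returns false, which fails closed today but will lock every admin out the moment the commented checks in api.go are restored. Scan into a plain bool instead: `var admin bool; if err := row.Scan(&admin); err != nil { return false }; return admin`, and consider logging that error, since a query failure and a non-admin user are currently indistinguishable. In `getUsers`, `rows` is never closed on the early return from a failed `StructScan`, and `rows.Err()` is never checked, so an iteration that breaks midway returns a partial list as success; add `defer rows.Close()` after the `Queryx` error check and `if err := rows.Err(); err != nil { return nil, err }` before the final return.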
@@ -70,16 +69,15 @@ func addRoutes(sm *http.ServeMux, server *Server, staticFiles string) {
 }
 store = sessions.NewCookieStore([]byte(server.cookieSecret))
- //sm.HandleFunc(prefix["list"], server.listUsers)
 //sm.HandleFunc(prefix["tranx"], server.tranx)
- //sm.HandleFunc(prefix["cost"], server.costPerMonth)
+ sm.HandleFunc(prefix["fake"], server.fakeSetup)
 sm.HandleFunc(prefix["category"], server.category)
+ sm.HandleFunc(prefix["user"], server.user)
 sm.HandleFunc(prefix["protected"], server.plist)
 sm.HandleFunc(prefix["info"], server.serverInfo)
 sm.HandleFunc(prefix["login"], server.login)
 sm.HandleFunc(prefix["logout"], server.logout)
 sm.HandleFunc(prefix["oauth"], server.oauthCallback)
 sm.HandleFunc(prefix["auth"], server.auth)
- sm.HandleFunc(prefix["fake"], server.fakeSetup)
 sm.HandleFunc(prefix["health"], server.health)
 }
diff --git a/server.go b/server.go
index dfcf840..a2fc1fc 100644
--- a/server.go
+++ b/server.go
@@ -77,10 +77,10 @@ func NewServer(sm *http.ServeMux, clientId, clientSecret, cookieSecret, dbhost,
 }
 func (s *Server) fakeSetup(w http.ResponseWriter, r *http.Request) {
- u := userInfo{
- Email: "derekmcquay@gmail.com",
- }
- addUser(u)
+ //u := userInfo{
+ // Email: "derekmcquay@gmail.com",
+ //}
+ //addUser(u)
 }
 //func (s *Server) tranx(w http.ResponseWriter, r *http.Request) {
@@ -265,7 +265,8 @@ func (s *Server) oauthCallback(w http.ResponseWriter, r *http.Request) {
 if err := session.Save(r, w); err != nil {
 http.Redirect(w, r, "/", http.StatusTemporaryRedirect)
 }
- addUser(u)
+ // TODO add psql user here
+ //addUser(u)
 http.Redirect(w, r, "/static/", http.StatusTemporaryRedirect)
 return
 }
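Review bot: `fakeSetup` is now an empty handler, yet the routes.go hunk in this commit moves its `/fake/` registration rather than removing it, so a dead, unauthenticated endpoint stays exposed with a hard-coded personal email address kept alive in comments. If the fixture is no longer needed, delete the function, the `"fake"` entry in `prefix` and the `sm.HandleFunc(prefix["fake"], server.fakeSetup)` line together rather than leaving a no-op route behind.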
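Review bot: In the `oauthCallback` hunk, the `if err := session.Save(r, w); err != nil` branch redirects to `/` but does not `return`, so execution falls through to the second `http.Redirect` to `/static/`, which Go reports as a superfluous `WriteHeader`; the client still receives the first redirect, but the handler clearly meant to stop there. Add `return` directly after the redirect inside the `if`. Separately, with `addUser(u)` removed and only a TODO in its place, a successful login no longer persists the user anywhere, and since `adminUser` in db.go is keyed on the `users` table nobody will pass the admin check until that TODO is done; the commit message should say so explicitly. The enclosing `oauthCallback` starts outside the hunk.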