diff --git a/pkg/internal/server/api/order_api.go b/pkg/internal/server/api/order_api.go
index d1b8809..b09db1b 100644
--- a/pkg/internal/server/api/order_api.go
+++ b/pkg/internal/server/api/order_api.go
@@ -12,6 +12,7 @@ import (
 "git.solsynth.dev/hypernet/wallet/pkg/internal/services"
 "github.com/gofiber/fiber/v2"
 "github.com/shopspring/decimal"
+ "golang.org/x/crypto/bcrypt"
 )
 func getOrder(c *fiber.Ctx) error {
@@ -87,6 +88,14 @@ func payOrder(c *fiber.Ctx) error {
 orderId, _ := c.ParamsInt("orderId")
+ var data struct {
+ WalletPassword string `json:"wallet_password" validate:"required"`
+ }
+
+ if err := exts.BindAndValidate(c, &data); err != nil {
+ return err
+ }
+
 var order models.Order
 if err := database.C.Where("id = ?", orderId).First(&order).Error; err != nil {
 return fiber.NewError(fiber.StatusNotFound, err.Error())
@@ -104,6 +113,11 @@ func payOrder(c *fiber.Ctx) error {
 return fiber.NewError(fiber.StatusBadRequest, "account wallet was not found")
 }
 }
+ if payer != nil {
+ if bcrypt.CompareHashAndPassword([]byte(payer.Password), []byte(data.WalletPassword)) != nil {
+ return fiber.NewError(fiber.StatusForbidden, "invalid wallet password")
+ }
+ }
 var payee *models.Wallet
 if order.PayeeID != nil {
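Review bot: The new `data.WalletPassword` field is bound with only `validate:"required"`, so a value of any length is later handed to bcrypt, which ignores input past 72 bytes. If `exts.BindAndValidate` accepts go-playground-style tags (not visible here), `validate:"required,max=72"` would reject over-long values before any hashing work is done. The field is also mandatory for every call, while the check further down in payOrder only runs when `payer != nil`; a short comment on the struct should say which case the password is for. Since `data` now holds a secret, I would add `// wallet_password is a credential: never log or echo it in error responses` above the struct. payOrder begins and ends outside this hunk.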
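Review bot: The password check is skipped entirely when `payer` is nil, so any path that reaches this point without a payer wallet continues without verifying `wallet_password`. How `payer` is assigned lies outside the hunk, so please confirm that a nil payer can never lead to a debit, or fail closed. The added `if` also maps every bcrypt error to 403 "invalid wallet password", so a wallet whose stored `payer.Password` is empty or malformed looks the same as a wrong guess; telling `bcrypt.ErrMismatchedHashAndPassword` apart from other errors keeps data problems visible (the sketch below needs the `errors` import if the file lacks it). Nothing visible here limits repeated attempts, so a failed-attempt counter or rate limit on this route is worth adding, along with an audit log entry for each rejection.

```go
if payer != nil {
	err := bcrypt.CompareHashAndPassword([]byte(payer.Password), []byte(data.WalletPassword))
	switch {
	case errors.Is(err, bcrypt.ErrMismatchedHashAndPassword):
		return fiber.NewError(fiber.StatusForbidden, "invalid wallet password")
	case err != nil:
		// Empty or malformed stored hash: a server-side data problem, not a wrong guess.
		return fiber.NewError(fiber.StatusInternalServerError, "wallet password could not be verified")
	}
}
// … unchanged: payee lookup …
```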