diff --git a/server.js b/server.js
index 32eda9c1..e584d975 100644
--- a/server.js
+++ b/server.js
@@ -2579,10 +2579,14 @@ ${excerpt}
         }
     });
 
-    // GET /together/groups/:groupId — グループ情報
+    // GET /together/groups/:groupId — グループ情報（メンバーのみ）
     r.get('/together/groups/:groupId', async (req, res) => {
         if (!/^[a-zA-Z0-9_-]+$/.test(req.params.groupId)) return res.status(400).json({ error: 'invalid groupId' });
+        const username = req.query.u;
+        if (!username) return res.status(400).json({ error: 'u (username) は必須です' });
+        const jwtUserId = getTogetherJwtUserId(req);
         try {
+            if (!(await togetherEnsureMember(pool, res, req.params.groupId, username, jwtUserId))) return;
             const result = await pool.query('SELECT id, name, invite_code, created_at FROM together_groups WHERE id=$1', [req.params.groupId]);
             if (result.rows.length === 0) return res.status(404).json({ error: 'グループが見つかりません' });
             res.json(result.rows[0]);