diff --git a/powerdnsadmin/decorators.py b/powerdnsadmin/decorators.py
index e2a35bb..b3baae9 100644
--- a/powerdnsadmin/decorators.py
+++ b/powerdnsadmin/decorators.py
@@ -367,6 +367,39 @@ def apikey_can_configure_dnssec(http_methods=[]):
         return decorated_function
     return decorator
 
+def allowed_record_types(f):
+    @wraps(f)
+    def decorated_function(*args, **kwargs):
+        if g.apikey.role.name in ['Administrator', 'Operator']:
+            return f(*args, **kwargs)
+
+        records_allowed_to_edit = Setting().get_records_allow_to_edit()
+        content = request.get_json()
+        for record in content['rrsets']:
+            if record['type'] not in records_allowed_to_edit:
+                current_app.logger.error(f"Error: Record type not allowed: {record['type']}")
+                abort(401)
+        return f(*args, **kwargs)
+
+    return decorated_function
+
+def allowed_record_ttl(f):
+    @wraps(f)
+    def decorated_function(*args, **kwargs):
+        if g.apikey.role.name in ['Administrator', 'Operator']:
+            return f(*args, **kwargs)
+
+        allowed_ttls = Setting().get_ttl_options()
+        allowed_numric_ttls = [ ttl[0] for ttl in allowed_ttls ]
+        content = request.get_json()
+        for record in content['rrsets']:
+                if record['ttl'] not in allowed_numric_ttls:
+                    current_app.logger.error(f"Error: Record TTL not allowed: {record['ttl']}")
+                    abort(401)
+        return f(*args, **kwargs)
+
+    return decorated_function
+
 
 def apikey_auth(f):
     @wraps(f)
diff --git a/powerdnsadmin/routes/api.py b/powerdnsadmin/routes/api.py
index 4fce368..5d0d6e0 100644
--- a/powerdnsadmin/routes/api.py
+++ b/powerdnsadmin/routes/api.py
@@ -30,7 +30,7 @@ from ..decorators import (
     apikey_can_create_domain, apikey_can_remove_domain,
     apikey_is_admin, apikey_can_access_domain, apikey_can_configure_dnssec,
     api_role_can, apikey_or_basic_auth,
-    callback_if_request_body_contains_key,
+    callback_if_request_body_contains_key, allowed_record_types, allowed_record_ttl
 )
 import secrets
 import string
@@ -1060,6 +1060,8 @@ def api_zone_subpath_forward(server_id, zone_id, subpath):
 @api_bp.route('/servers/<string:server_id>/zones/<string:zone_id>',
               methods=['GET', 'PUT', 'PATCH', 'DELETE'])
 @apikey_auth
+@allowed_record_types
+@allowed_record_ttl
 @apikey_can_access_domain
 @apikey_can_remove_domain(http_methods=['DELETE'])
 @callback_if_request_body_contains_key(apikey_can_configure_dnssec()(),