diff --git a/CHANGELOG.md b/CHANGELOG.md
index 0b42602..5bd543e 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -4,6 +4,9 @@ All notable changes to this project will be documented in this file.
 ## [Unreleased]
+### Changed
+- `src/auth/middleware.js`: `authorize()` now accepts an array of roles for multi-role access control (Fixes #9)
+
 ## [1.0.0] - 2026-03-20
 ### Added
 - Initial Express.js API with health, users endpoints
diff --git a/src/auth/middleware.js b/src/auth/middleware.js
index 82cf53a..5a36f91 100644
--- a/src/auth/middleware.js
+++ b/src/auth/middleware.js
@@ -21,13 +21,15 @@ function authenticate(req, res, next) {
 /**
 * authorize — simple role-based access control.
+ * Supports array of roles for multi-role checks.
 */
 function authorize(role) {
+ const allowed = Array.isArray(role) ? role : [role];
 return (req, res, next) => {
 if (!req.user) {
 return res.status(401).json({ error: 'Not authenticated' });
 }
- if (req.user.role !== role) {
+ if (!allowed.includes(req.user.role)) {
 return res.status(403).json({ error: 'Insufficient permissions' });
 }
 next();
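Review bot: The `allowed` list built at the top of `authorize()` in src/auth/middleware.js is never validated, so the check can fail open. `Array.prototype.includes` matches `undefined` against `undefined`, which means a list holding an undefined entry (for instance a misspelled role constant in the array, or `authorize()` called with no argument) lets through any authenticated user whose `req.user.role` is missing. Rejecting bad configuration when the middleware is created makes a misconfigured route fail at startup instead of granting access: `if (allowed.some((r) => typeof r !== 'string' || r === '')) throw new TypeError('authorize(): roles must be non-empty strings');`. The doc comment could also state that an empty array denies every request. The body of `authorize()` continues past the end of the hunk.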