diff --git a/functions/api/game-bans/notes/_middleware.ts b/functions/api/game-bans/notes/_middleware.ts
new file mode 100644
index 0000000..084fb84
--- /dev/null
+++ b/functions/api/game-bans/notes/_middleware.ts
@@ -0,0 +1,8 @@
+import { jsonError } from "../../../common.js";
+
+export async function onRequest(context: RequestContext) {
+  if (!(context.data.current_user?.permissions & (1 << 5)))
+    return jsonError("Forbidden", 403);
+
+  return await context.next();
+}
diff --git a/functions/api/game-bans/notes/create.ts b/functions/api/game-bans/notes/create.ts
new file mode 100644
index 0000000..1fd8b7c
--- /dev/null
+++ b/functions/api/game-bans/notes/create.ts
@@ -0,0 +1,23 @@
+import { jsonError } from "../../../common.js";
+
+export async function onRequestPost(context: RequestContext) {
+  const { content, target } = context.data.body;
+
+  if (typeof content !== "string")
+    return jsonError("'content' property is not a string", 400);
+
+  if (typeof target !== "number" || !Number.isSafeInteger(target))
+    return jsonError("'target' property is not a valid number", 400);
+
+  if (content.length > 1000)
+    return jsonError(
+      "'content' property must be less than 1000 characters",
+      400,
+    );
+
+  const id = `${Date.now()}${crypto.randomUUID().replaceAll("-", "")}`;
+
+  await context.env.D1.prepare(
+    "INSERT INTO game_mod_notes (content, created_at, created_by, id, target) VALUES (?, ?, ?, ?, ?);",
+  ).bind(content, Date.now(), context.data.current_user.id, id, target).first();
+}