diff --git a/json-api/src/invites.rs b/json-api/src/invites.rs
index a0374e4..fb64a5a 100644
--- a/json-api/src/invites.rs
+++ b/json-api/src/invites.rs
@@ -10,6 +10,8 @@ use hyper::{Response, Body, StatusCode};
 
 use chrono::Utc;
 
+use std::collections::HashMap;
+
 use db::{UBigInt, BigInt};
 use db::common::FromDB;
 use db::member::Member;
@@ -148,35 +150,62 @@ async fn process_expires_parameter(p: &Pool, exp: &Value, id: UBigInt) -> bool {
     }
 }
 
-pub async fn create(pool: &Pool, response: &mut Response<Body>, params: Value) {
+async fn allowed_perm_invite(pool: &Pool, uid: u64) -> bool {
+    use crate::perms;
+
+    return match db::member::Member::get(pool, uid).await {
+        db::Response::Row(user) => perms::has_perm(user.permissions, perms::CREATE_PERM_INVITES),
+        _ => false
+    };
+}
+pub async fn create(pool: &Pool, response: &mut Response<Body>, params: HashMap<&str, &str>) {
     /*
      * Creates a new invite
+     * Parameters required asked of the user to provide
+     * uses : Option<i64>
+     * expires: Option<bool>
      */
 
-    // no user can actually have an id of 0 this won't find anyone on the backend
-    let id = match params.get("id") {
-        Some(val) => val.as_u64().unwrap_or(0),
-        None => 0
-    };
+    let id = crate::http::extract_uid(&params);
 
     let use_count = match params.get("uses")  {
-        Some(val) => val.as_i64(),
+        Some(val) => {
+            match (*val).to_string().parse::<i64>() {
+                Ok(count) => Some(count),
+                Err(_) => None
+            }
+        },
         None => None
     };
 
-    let expires = match params.get("expires") {
-        Some(exp_val) => process_expires_parameter(pool, exp_val, id).await,
+    let expirey_request = match params.get("expires") {
+        Some(exp_val) => {
+            match exp_val.to_string().parse::<bool>() {
+                Ok(exp) => {
+                    match exp {
+                        true => allowed_perm_invite(pool, id).await,
+                        false => false
+                    }
+                },
+                _ => false
+            }
+        }
         None => true
     };
 
+    // TODO: prolly add some kind option to set an expire time
     let invite = Invite {
         id: (Utc::now() + chrono::Duration::minutes(30)).timestamp(),
         uses: use_count,
-        expires: expires
+        expires: expirey_request
     };
 
     match insert_new_invite(&pool, &invite).await {
-        Ok(_) => {},
+        Ok(_) => {
+            // return the id of the invite
+            // Link format from here is basically hostname.io:4536/join/<id>
+            crate::http::set_json_body(response, serde_json::json!(invite))
+        },
         Err(mysqle) => {
             println!("\tINVITES::CREATE::ERROR: {}", mysqle);
             *response.status_mut() = StatusCode::BAD_REQUEST;