diff --git a/cloudformation/iam.yml b/cloudformation/iam.yml
index 756c970..d779558 100644
--- a/cloudformation/iam.yml
+++ b/cloudformation/iam.yml
@@ -77,6 +77,8 @@ Resources:
                 - !Sub arn:aws:dynamodb:${AWS::Region}:${AWS::AccountId}:table/infra-core-api-iam-userroles/*
                 - !Sub arn:aws:dynamodb:${AWS::Region}:${AWS::AccountId}:table/infra-core-api-iam-grouproles
                 - !Sub arn:aws:dynamodb:${AWS::Region}:${AWS::AccountId}:table/infra-core-api-iam-grouproles/*
+                - !Sub arn:aws:dynamodb:${AWS::Region}:${AWS::AccountId}:table/infra-core-api-membership-logs
+                - !Sub arn:aws:dynamodb:${AWS::Region}:${AWS::AccountId}:table/infra-core-api-membership-logs/*
 
         PolicyName: lambda-dynamo
 Outputs:
@@ -85,4 +87,4 @@ Outputs:
     Value:
       Fn::GetAtt:
       - ApiLambdaIAMRole
-      - Arn
\ No newline at end of file
+      - Arn
diff --git a/cloudformation/main.yml b/cloudformation/main.yml
index 823e594..7c1da46 100644
--- a/cloudformation/main.yml
+++ b/cloudformation/main.yml
@@ -93,7 +93,7 @@ Resources:
       Environment:
         Variables:
           RunEnvironment: !Ref RunEnvironment
-      VpcConfig: 
+      VpcConfig:
         Ipv6AllowedForDualStack: !If [ShouldAttachVpc, True, !Ref AWS::NoValue]
         SecurityGroupIds: !If [ShouldAttachVpc, !FindInMap [EnvironmentToCidr, !Ref RunEnvironment, SecurityGroupIds], !Ref AWS::NoValue]
         SubnetIds: !If [ShouldAttachVpc, !FindInMap [EnvironmentToCidr, !Ref RunEnvironment, SubnetIds], !Ref AWS::NoValue]
@@ -107,7 +107,7 @@ Resources:
 
   IamGroupRolesTable:
     Type: 'AWS::DynamoDB::Table'
-    DeletionPolicy: "Retain"  
+    DeletionPolicy: "Retain"
     Properties:
       BillingMode: 'PAY_PER_REQUEST'
       TableName: infra-core-api-iam-grouproles
@@ -123,7 +123,7 @@ Resources:
 
   IamUserRolesTable:
     Type: 'AWS::DynamoDB::Table'
-    DeletionPolicy: "Retain"  
+    DeletionPolicy: "Retain"
     Properties:
       BillingMode: 'PAY_PER_REQUEST'
       TableName: infra-core-api-iam-userroles
@@ -139,7 +139,7 @@ Resources:
 
   EventRecordsTable:
     Type: 'AWS::DynamoDB::Table'
-    DeletionPolicy: "Retain"  
+    DeletionPolicy: "Retain"
     Properties:
       BillingMode: 'PAY_PER_REQUEST'
       TableName: infra-core-api-events
@@ -162,9 +162,25 @@ Resources:
         Projection:
           ProjectionType: ALL
 
+  MembershipRecordsTable:
+    Type: 'AWS::DynamoDB::Table'
+    DeletionPolicy: "Retain"
+    Properties:
+      BillingMode: 'PAY_PER_REQUEST'
+      TableName: infra-core-api-membership-logs
+      DeletionProtectionEnabled: true
+      PointInTimeRecoverySpecification:
+        PointInTimeRecoveryEnabled: !If [IsProd, true, false]
+      AttributeDefinitions:
+        - AttributeName: email
+          AttributeType: S
+      KeySchema:
+        - AttributeName: email
+          KeyType: HASH
+
   CacheRecordsTable:
     Type: 'AWS::DynamoDB::Table'
-    DeletionPolicy: "Retain"  
+    DeletionPolicy: "Retain"
     Properties:
       BillingMode: 'PAY_PER_REQUEST'
       TableName: infra-core-api-cache
@@ -183,7 +199,7 @@ Resources:
 
   AppApiGateway:
     Type: AWS::Serverless::Api
-    DependsOn: 
+    DependsOn:
       - AppApiLambdaFunction
     Properties:
       Name: !Sub ${ApplicationPrefix}-gateway
@@ -194,7 +210,7 @@ Resources:
           Name: AWS::Include
           Parameters:
             Location: ./phony-swagger.yml
-      Domain: 
+      Domain:
         DomainName: !Sub
           - "${ApplicationPrefix}.${BaseDomainName}"
           - BaseDomainName: !FindInMap
@@ -296,4 +312,4 @@ Resources:
           - !Ref AWS::AccountId
           - ":"
           - !Ref AppApiGateway
-          - "/*/*/*"
\ No newline at end of file
+          - "/*/*/*"
diff --git a/src/api/functions/validation.ts b/src/api/functions/validation.ts
index b9f241f..d861667 100644
--- a/src/api/functions/validation.ts
+++ b/src/api/functions/validation.ts
@@ -5,3 +5,8 @@ export function validateEmail(email: string): boolean {
   const result = emailSchema.safeParse(email);
   return result.success;
 }
+
+export function validateNetId(netId: string): boolean {
+  // TODO: write this function to check if the netid matches this regex: [a-zA-Z0-9\-]+
+  return true;
+}
diff --git a/src/api/index.ts b/src/api/index.ts
index 55f9d31..3ec12ce 100644
--- a/src/api/index.ts
+++ b/src/api/index.ts
@@ -17,8 +17,8 @@ import vendingPlugin from "./routes/vending.js";
 import * as dotenv from "dotenv";
 import iamRoutes from "./routes/iam.js";
 import ticketsPlugin from "./routes/tickets.js";
+import membershipPlugin from "./routes/membership.js";
 import { STSClient, GetCallerIdentityCommand } from "@aws-sdk/client-sts";
-
 dotenv.config();
 
 const now = () => Date.now();
@@ -79,6 +79,7 @@ async function init() {
       api.register(organizationsPlugin, { prefix: "/organizations" });
       api.register(icalPlugin, { prefix: "/ical" });
       api.register(iamRoutes, { prefix: "/iam" });
+      api.register(membershipPlugin, { prefix: "/membership" });
       api.register(ticketsPlugin, { prefix: "/tickets" });
       if (app.runEnvironment === "dev") {
         api.register(vendingPlugin, { prefix: "/vending" });
diff --git a/src/api/routes/membership.ts b/src/api/routes/membership.ts
new file mode 100644
index 0000000..917bd7b
--- /dev/null
+++ b/src/api/routes/membership.ts
@@ -0,0 +1,39 @@
+import { validateNetId } from "api/functions/validation.js";
+import { FastifyPluginAsync } from "fastify";
+import { ValidationError } from "zod-validation-error";
+
+const membershipPlugin: FastifyPluginAsync = async (fastify, _options) => {
+  fastify.get<{
+    Body: undefined;
+    Querystring: { netId: string };
+  }>(
+    "/:netId",
+    {
+      schema: {
+        querystring: {
+          type: "object",
+          properties: {
+            netId: {
+              type: "string",
+            },
+          },
+        },
+      },
+    },
+    async (request, reply) => {
+      const netId = (request.params as Record<string, string>).netId;
+      if (!validateNetId(netId)) {
+        // TODO: implement the validateNetId function
+        throw new ValidationError(`${netId} is not a valid Illinois NetID!`);
+      }
+      // TODOs below:
+      // 1. Check Dynamo table infra-core-api-membership-logs to see if `netid@illinois.edu` has an entry. if yes, return the json {netid: netid, isPaidMember: true}
+      // 2. Call checkGroupMembership(token, `netid@acm.illinois.edu`, groupId). if yes, {netid: netid, isPaidMember: result}
+      // 3. If AAD says they're a member, insert this yes result into infra-core-api-membership-logs so that it's cached for the next time.
+      // request.log.debug(`Checking the group ID ${fastify.environmentConfig.PaidMemberGroupId} for membership`)
+      reply.send(`Hello, ${netId}!`);
+    },
+  );
+};
+
+export default membershipPlugin;
diff --git a/src/common/config.ts b/src/common/config.ts
index 09d1a34..b6530ca 100644
--- a/src/common/config.ts
+++ b/src/common/config.ts
@@ -16,6 +16,7 @@ export type ConfigType = {
   UserRoleMapping: UserRoleMapping;
   ValidCorsOrigins: ValueOrArray<OriginType> | OriginFunction;
   AadValidClientId: string;
+  PaidMemberGroupId: string;
 };
 
 type GenericConfigType = {
@@ -82,6 +83,7 @@ const environmentConfig: EnvironmentConfigType = {
       /^https:\/\/(?:.*\.)?acmuiuc\.pages\.dev$/,
     ],
     AadValidClientId: "39c28870-94e4-47ee-b4fb-affe0bf96c9f",
+    PaidMemberGroupId: "9222451f-b354-4e64-ba28-c0f367a277c2"
   },
   prod: {
     GroupRoleMapping: {
@@ -112,6 +114,8 @@ const environmentConfig: EnvironmentConfigType = {
       /^https:\/\/(?:.*\.)?acmuiuc\.pages\.dev$/,
     ],
     AadValidClientId: "5e08cf0f-53bb-4e09-9df2-e9bdc3467296",
+    PaidMemberGroupId: "172fd9ee-69f0-4384-9786-41ff1a43cf8e"
+  },
   }
 };