diff --git a/MiniKms/docs/context-diagram.mmd b/MiniKms/docs/context-diagram.mmd
new file mode 100644
index 0000000..0c68296
--- /dev/null
+++ b/MiniKms/docs/context-diagram.mmd
@@ -0,0 +1,54 @@
+flowchart TB
+
+    subgraph Internet
+        X["fa:fa-desktop Angular @ localhost:4200<br/>Postman @ localhost"]
+    end
+
+    subgraph DMZ ["API - Spring Boot"]
+        direction LR
+
+        CRYPTO["fa:fa-lock Cryptography<br/>POST /api/v1/crypto<br/>encrypt/decrypt (AES/RSA)<br/>sign/verify (RSA)<br/>compute/verify (HMAC)"]
+        MANAGEMENT["fa:fa-key Key management /api/v1/keys<br/>POST /create<br/>POST /rotate<br/>GET/DELETE /{id}"]
+
+        subgraph RootKeyRealm[Root-key realm]
+            RKM["RootKeyManager<br/>AES-GCM wrap/unwrap<br/>AAD=id:version"]
+        end
+
+        AUTH["fa:fa-shield-alt Authentication<br/>POST /api/v1/auth"]
+    end
+
+    subgraph Persistence["Persistence"]
+        direction LR
+
+        subgraph Database[PostgreSQL]
+            direction LR
+            METADATA[(Key metadata)]
+            WRAPPED[(Wrapped key material)]
+            USERS[(Users)]
+        end
+
+        subgraph Logs[Logging]
+            LOGS[(File logs)]
+        end
+    end
+
+
+    %% Client to API
+    X -- HTTPS --> AUTH
+    AUTH -- JWT token --> X
+    X -- HTTPS + JWT --> MANAGEMENT
+    X -- HTTPS + JWT --> CRYPTO
+    CRYPTO -- compute (AES/RSA/HMAC) --> X
+
+    %% Database connections
+    CRYPTO -- fetch metadata/version --> METADATA
+    MANAGEMENT -- read/write --> METADATA
+    MANAGEMENT -- store wrapped bytes --> WRAPPED
+    AUTH -- verify creds --> USERS
+    
+    %% Root key operations
+    CRYPTO -- unwrap key bytes --> RKM
+    MANAGEMENT -- wrap created key bytes --> RKM
+
+    %% Logging
+    DMZ -- structured events --> LOGS
\ No newline at end of file
diff --git a/MiniKms/src/main/java/ftn/security/minikms/config/SecurityConfig.java b/MiniKms/src/main/java/ftn/security/minikms/config/SecurityConfig.java
index b5be098..63e7342 100644
--- a/MiniKms/src/main/java/ftn/security/minikms/config/SecurityConfig.java
+++ b/MiniKms/src/main/java/ftn/security/minikms/config/SecurityConfig.java
@@ -53,11 +53,10 @@ public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
                 .authorizeHttpRequests(auth -> auth
                         .requestMatchers(HttpMethod.OPTIONS, "/**").permitAll()
                         .requestMatchers("/api/v1/auth/**").permitAll()
-                        .requestMatchers("/api/v1/test/**").permitAll()
-                        .requestMatchers("/api/v1/crypto/**").permitAll()
-                        .requestMatchers("/api/v1/signatures/**").permitAll()
                         .requestMatchers(HttpMethod.GET, "/api/v1/keys/**").authenticated() // Allow all roles to GET
                         .requestMatchers("/api/v1/keys/**").hasRole("MANAGER")
+                        .requestMatchers("/api/v1/crypto/**").hasRole("USER")
+                        .requestMatchers("/api/v1/signatures/**").hasRole("USER")
                         .anyRequest().authenticated()
                 )