diff --git a/.env b/.env
new file mode 100644
index 0000000..311fbca
--- /dev/null
+++ b/.env
@@ -0,0 +1,4 @@
+SECRET_ACCESS_TOKEN_KEY=AuthSecretKey
+SECRET_REFRESH_TOKEN_KEY=RefreshTokenKey
+RATE_LIMIT_PER_SECOND=10
+RESOURCE_LIMIT_PER_DAY=60
\ No newline at end of file
diff --git a/.idea/misc.xml b/.idea/misc.xml
index 9886518..86a2001 100644
--- a/.idea/misc.xml
+++ b/.idea/misc.xml
@@ -8,6 +8,14 @@
         <option value="$PROJECT_DIR$/use-api/pom.xml" />
       </list>
     </option>
+    <option name="ignoredFiles">
+      <set>
+        <option value="$PROJECT_DIR$/secure-use-api-second/pom.xml" />
+        <option value="$PROJECT_DIR$/secure-use-api/pom.xml" />
+        <option value="$PROJECT_DIR$/secure-use-api_old/pom.xml" />
+      </set>
+    </option>
+    <option name="workspaceImportForciblyTurnedOn" value="true" />
   </component>
   <component name="ProjectRootManager" version="2" languageLevel="JDK_21" default="true" project-jdk-name="21" project-jdk-type="JavaSDK">
     <output url="file://$PROJECT_DIR$/out" />
diff --git a/.vscode/README.md b/.vscode/README.md
deleted file mode 100644
index e577411..0000000
--- a/.vscode/README.md
+++ /dev/null
@@ -1,14 +0,0 @@
-# For VS Code users
-
-This directory contains the configuration files and related contents for Visual Studio Code.
-
-## How to develop USE with Visual Studio Code
-
-1. Install Visual Studio Code from [https://code.visualstudio.com/](https://code.visualstudio.com/).
-    - [Java Extension Pack](https://marketplace.visualstudio.com/items?itemName=vscjava.vscode-java-pack) is recommended for Java development.
-
-2. Clone the USE repository from [https://github.com/useocl/use](https://github.com/useocl/use).
-    - Currently USE is using JDK version 21. Install if you don't have it.
-    - From the USE repository root, open the command prompt and run `mvn package` to generate the `target\generated-sources\antlr3` directory (which use-core depends on), and the `.jar` files.
-
-3. Open the USE repository in Visual Studio Code and start developing!
diff --git a/pom.xml b/pom.xml
index 01f5f2d..9140a31 100644
--- a/pom.xml
+++ b/pom.xml
@@ -12,7 +12,7 @@
         <module>use-core</module>
         <module>use-gui</module>
         <module>use-assembly</module>
-        <module>use-api</module>
+        <module>secure-use-api</module>
     </modules>
 
     <properties>
diff --git a/secure-use-api/.DS_Store b/secure-use-api/.DS_Store
new file mode 100644
index 0000000..4263771
Binary files /dev/null and b/secure-use-api/.DS_Store differ
diff --git a/use-api/Dockerfile b/secure-use-api/Dockerfile
similarity index 100%
rename from use-api/Dockerfile
rename to secure-use-api/Dockerfile
diff --git a/use-api/docker-compose.yml b/secure-use-api/docker-compose.yml
similarity index 100%
rename from use-api/docker-compose.yml
rename to secure-use-api/docker-compose.yml
diff --git a/use-api/pom.xml b/secure-use-api/pom.xml
similarity index 77%
rename from use-api/pom.xml
rename to secure-use-api/pom.xml
index 17b6807..504b433 100644
--- a/use-api/pom.xml
+++ b/secure-use-api/pom.xml
@@ -1,7 +1,7 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <project xmlns="http://maven.apache.org/POM/4.0.0"
-         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
     <parent>
         <artifactId>use</artifactId>
         <groupId>org.tzi.use</groupId>
@@ -9,8 +9,7 @@
     </parent>
     <modelVersion>4.0.0</modelVersion>
 
-    <artifactId>use-api</artifactId>
-
+    <artifactId>secure-use-api</artifactId>
 
     <properties>
         <maven.compiler.source>21</maven.compiler.source>
@@ -23,7 +22,7 @@
             <dependency>
                 <groupId>org.springframework.boot</groupId>
                 <artifactId>spring-boot-dependencies</artifactId>
-                <version>3.1.5</version>
+                <version>3.5.5</version>
                 <type>pom</type>
                 <scope>import</scope>
             </dependency>
@@ -84,7 +83,7 @@
         <dependency>
             <groupId>org.springdoc</groupId>
             <artifactId>springdoc-openapi-starter-webmvc-ui</artifactId>
-            <version>2.5.0</version> <!-- or the latest version -->
+            <version>2.8.14</version> <!-- or the latest version -->
         </dependency>
         <dependency>
             <groupId>org.springframework.boot</groupId>
@@ -131,11 +130,93 @@
             <version>7.1.1</version>
             <scope>compile</scope>
         </dependency>
-
         <dependency>
             <groupId>org.springframework.boot</groupId>
             <artifactId>spring-boot-starter-data-mongodb</artifactId>
         </dependency>
+
+
+        <!-- ######## -->
+        <!-- Security -->
+        <!-- ######## -->
+        <dependency>
+            <groupId>org.springframework.boot</groupId>
+            <artifactId>spring-boot-starter-web</artifactId>
+        </dependency>
+
+        <dependency>
+            <groupId>org.springframework.boot</groupId>
+            <artifactId>spring-boot-starter-test</artifactId>
+            <scope>test</scope>
+        </dependency>
+
+        <dependency>
+            <groupId>org.springframework.boot</groupId>
+            <artifactId>spring-boot-starter-security</artifactId>
+        </dependency>
+
+        <dependency>
+            <groupId>org.springframework.boot</groupId>
+            <artifactId>spring-boot-starter-validation</artifactId>
+        </dependency>
+
+        <dependency>
+            <groupId>org.springframework.security</groupId>
+            <artifactId>spring-security-test</artifactId>
+            <scope>test</scope>
+        </dependency>
+
+        <dependency>
+            <groupId>de.mkammerer</groupId>
+            <artifactId>argon2-jvm</artifactId>
+            <version>2.7</version>
+        </dependency>
+
+        <!-- H2 Database Dependency (In memory for testing) -->
+        <dependency>
+            <groupId>com.h2database</groupId>
+            <artifactId>h2</artifactId>
+            <scope>runtime</scope>
+        </dependency>
+
+        <dependency>
+            <groupId>org.springframework.boot</groupId>
+            <artifactId>spring-boot-starter-data-jpa</artifactId>
+        </dependency>
+
+        <dependency>
+            <groupId>jakarta.persistence</groupId>
+            <artifactId>jakarta.persistence-api</artifactId>
+            <version>3.1.0</version>
+        </dependency>
+
+        <!-- RateLimiter -->
+        <dependency>
+            <groupId>com.google.guava</groupId>
+            <artifactId>guava</artifactId>
+            <version>32.1.3-jre</version>
+        </dependency>
+
+        <!-- JWT Library -->
+        <dependency>
+            <groupId>com.auth0</groupId>
+            <artifactId>java-jwt</artifactId>
+            <version>4.2.1</version>
+        </dependency>
+
+        <!-- .env Library -->
+        <dependency>
+            <groupId>io.github.cdimascio</groupId>
+            <artifactId>dotenv-java</artifactId>
+            <version>2.0.0</version>
+        </dependency>
+
+        <!-- json Library -->
+        <dependency>
+            <groupId>com.google.code.gson</groupId>
+            <artifactId>gson</artifactId>
+            <version>2.13.2</version>
+        </dependency>
     </dependencies>
 
     <build>
@@ -181,6 +262,9 @@
                         <compilerArg>
                             -Amapstruct.defaultComponentModel=spring
                         </compilerArg>
+                        <compilerArg>
+                            -parameters
+                        </compilerArg>
                     </compilerArgs>
                 </configuration>
             </plugin>
@@ -251,4 +335,5 @@
 <!--            </plugin>-->
         </plugins>
     </build>
+
 </project>
\ No newline at end of file
diff --git a/secure-use-api/src/.DS_Store b/secure-use-api/src/.DS_Store
new file mode 100644
index 0000000..59eccef
Binary files /dev/null and b/secure-use-api/src/.DS_Store differ
diff --git a/secure-use-api/src/main/.DS_Store b/secure-use-api/src/main/.DS_Store
new file mode 100644
index 0000000..ad59c1c
Binary files /dev/null and b/secure-use-api/src/main/.DS_Store differ
diff --git a/secure-use-api/src/main/java/.DS_Store b/secure-use-api/src/main/java/.DS_Store
new file mode 100644
index 0000000..2120347
Binary files /dev/null and b/secure-use-api/src/main/java/.DS_Store differ
diff --git a/use-api/src/main/java/org/tzi/use/UseWebAPIApplication.java b/secure-use-api/src/main/java/org/tzi/use/SecureUseApi.java
similarity index 51%
rename from use-api/src/main/java/org/tzi/use/UseWebAPIApplication.java
rename to secure-use-api/src/main/java/org/tzi/use/SecureUseApi.java
index 0ba75b8..f8636e7 100644
--- a/use-api/src/main/java/org/tzi/use/UseWebAPIApplication.java
+++ b/secure-use-api/src/main/java/org/tzi/use/SecureUseApi.java
@@ -4,8 +4,8 @@
 import org.springframework.boot.autoconfigure.SpringBootApplication;
 
 @SpringBootApplication
-public class UseWebAPIApplication {
-    public static void main(String[] args) {
-        SpringApplication.run(UseWebAPIApplication.class, args);
-    }
-}
+public class SecureUseApi {
+	public static void main(String[] args) {
+		SpringApplication.run(SecureUseApi.class, args);
+	}
+}
\ No newline at end of file
diff --git a/secure-use-api/src/main/java/org/tzi/use/api_security/exceptions/CustomAuthenticationEntryPoint.java b/secure-use-api/src/main/java/org/tzi/use/api_security/exceptions/CustomAuthenticationEntryPoint.java
new file mode 100644
index 0000000..657f575
--- /dev/null
+++ b/secure-use-api/src/main/java/org/tzi/use/api_security/exceptions/CustomAuthenticationEntryPoint.java
@@ -0,0 +1,22 @@
+package org.tzi.use.api_security.exceptions;
+
+import org.springframework.http.HttpStatus;
+import org.springframework.security.core.AuthenticationException;
+import org.springframework.security.web.AuthenticationEntryPoint;
+import org.springframework.stereotype.Component;
+
+import jakarta.servlet.http.HttpServletRequest;
+import jakarta.servlet.http.HttpServletResponse;
+import java.io.IOException;
+
+@Component
+public class CustomAuthenticationEntryPoint implements AuthenticationEntryPoint {
+    @Override
+    public void commence(HttpServletRequest request, HttpServletResponse response,
+                         AuthenticationException authException) throws IOException {
+
+        ExceptionResponse exceptionResponse = new ExceptionResponse(HttpStatus.UNAUTHORIZED, null, "");
+
+        exceptionResponse.writeToResponse(response, request);
+    }
+}
\ No newline at end of file
diff --git a/secure-use-api/src/main/java/org/tzi/use/api_security/exceptions/CustomExceptionHandler.java b/secure-use-api/src/main/java/org/tzi/use/api_security/exceptions/CustomExceptionHandler.java
new file mode 100644
index 0000000..3324c94
--- /dev/null
+++ b/secure-use-api/src/main/java/org/tzi/use/api_security/exceptions/CustomExceptionHandler.java
@@ -0,0 +1,62 @@
+package org.tzi.use.api_security.exceptions;
+
+import org.springframework.http.HttpHeaders;
+import org.springframework.http.HttpStatus;
+import org.springframework.http.HttpStatusCode;
+import org.springframework.http.ResponseEntity;
+import org.springframework.web.bind.MethodArgumentNotValidException;
+import org.springframework.web.bind.annotation.ControllerAdvice;
+import org.springframework.web.context.request.WebRequest;
+import org.springframework.web.servlet.mvc.method.annotation.ResponseEntityExceptionHandler;
+
+import java.util.HashMap;
+import java.util.Map;
+
+@ControllerAdvice
+public class CustomExceptionHandler extends ResponseEntityExceptionHandler {
+
+        @Override
+        protected ResponseEntity<Object> handleMethodArgumentNotValid(MethodArgumentNotValidException ex,
+                        HttpHeaders headers, HttpStatusCode status, WebRequest request) {
+
+                Map<String, String> errors = new HashMap<>();
+
+                ex.getBindingResult().getFieldErrors()
+                                .forEach(error -> errors.put(error.getField(), error.getDefaultMessage()));
+
+                ExceptionResponse exceptionResponse = new ExceptionResponse(HttpStatus.BAD_REQUEST, errors,
+                                request.getDescription(false));
+                
+                // Headers for the response
+                HttpHeaders responseHeaders = new HttpHeaders();
+                responseHeaders.add("content-type", "application/problem+json");
+
+                // Using ExceptionResponseRecord here because else the whole stack trace of
+                // parent class RuntimeError is included which would give a tone of server
+                // information to the client
+                return ResponseEntity
+                                .status(exceptionResponse.getHttpStatus())
+                                .headers(responseHeaders)
+                                .body(exceptionResponse.toExceptionResponseRecord());
+        }
+
+        public ResponseEntity<Object> handleMethodArgumentNotValid(MethodArgumentNotValidException ex,
+                        WebRequest request) {
+
+                Map<String, String> errors = new HashMap<>();
+
+                ex.getBindingResult().getFieldErrors()
+                                .forEach(error -> errors.put(error.getField(), error.getDefaultMessage()));
+
+                ExceptionResponse exceptionResponse = new ExceptionResponse(HttpStatus.BAD_REQUEST, errors,
+                                request.getDescription(false));
+
+                System.out.println(exceptionResponse);
+
+                // Using ExceptionResponseRecord here because else the whole stack trace of
+                // parent class RuntimeError is included which would give a tone of server
+                // information to the client
+                return new ResponseEntity<>(exceptionResponse.toExceptionResponseRecord(),
+                                exceptionResponse.getHttpStatus());
+        }
+}
\ No newline at end of file
diff --git a/secure-use-api/src/main/java/org/tzi/use/api_security/exceptions/ExceptionResponse.java b/secure-use-api/src/main/java/org/tzi/use/api_security/exceptions/ExceptionResponse.java
new file mode 100644
index 0000000..0e5ae72
--- /dev/null
+++ b/secure-use-api/src/main/java/org/tzi/use/api_security/exceptions/ExceptionResponse.java
@@ -0,0 +1,58 @@
+package org.tzi.use.api_security.exceptions;
+
+import java.io.IOException;
+import java.time.Instant;
+import org.springframework.http.HttpStatus;
+
+import jakarta.servlet.http.HttpServletRequest;
+import jakarta.servlet.http.HttpServletResponse;
+
+public class ExceptionResponse extends RuntimeException {
+
+    public record ExceptionResponseRecord(Instant timestamp, String title, int code, Object message, String details) {
+    }
+
+    private final Instant timestamp;
+    private final String title;
+    private final int code;
+    private final Object message;
+    private final String details;
+
+    public ExceptionResponse(Instant timestamp, String title, int code, Object message, String details) {
+        this.timestamp = timestamp;
+        this.title = title;
+        this.code = code;
+        this.message = message;
+        this.details = details;
+    }
+
+    public ExceptionResponse(HttpStatus httpStatus, Object message, String details) {
+        this.timestamp = Instant.now();
+        this.title = httpStatus.getReasonPhrase();
+        this.code = httpStatus.value();
+        this.message = message;
+        this.details = details;
+    }
+
+    public HttpStatus getHttpStatus() {
+        return HttpStatus.valueOf(this.code);
+    }
+
+    public void writeToResponse(HttpServletResponse response, HttpServletRequest request) throws IOException {
+        response.setStatus(this.code);
+
+        response.setHeader("content-type", "application/problem+json");
+
+        response.getWriter().write(String.format(
+                "{\"timestamp\": \"%s\", \"title\": \"%s\", \"code\": %d, \"message\":\"%s\", \"details\": \"%s\"}",
+                this.timestamp, this.title, this.code,
+                this.message, this.details));
+
+        response.getWriter().flush();
+    }
+
+    public ExceptionResponseRecord toExceptionResponseRecord() {
+        return new ExceptionResponseRecord(this.timestamp, this.title, this.code, this.message, this.details);
+    }
+
+}
\ No newline at end of file
diff --git a/secure-use-api/src/main/java/org/tzi/use/api_security/exceptions/Exceptions.java b/secure-use-api/src/main/java/org/tzi/use/api_security/exceptions/Exceptions.java
new file mode 100644
index 0000000..50ecc36
--- /dev/null
+++ b/secure-use-api/src/main/java/org/tzi/use/api_security/exceptions/Exceptions.java
@@ -0,0 +1,21 @@
+package org.tzi.use.api_security.exceptions;
+
+public class Exceptions {
+    public static class UserAlreadyExists extends RuntimeException {
+        public UserAlreadyExists(String message) {
+            super(message);
+        }
+    }
+
+    public static class InvalidException extends RuntimeException {
+        public InvalidException(String message) {
+            super(message);
+        }
+    }
+
+    public static class ExpiredException extends RuntimeException {
+        public ExpiredException(String message) {
+            super(message);
+        }
+    }
+}
\ No newline at end of file
diff --git a/secure-use-api/src/main/java/org/tzi/use/api_security/model/ApiTokenModel.java b/secure-use-api/src/main/java/org/tzi/use/api_security/model/ApiTokenModel.java
new file mode 100644
index 0000000..db9e858
--- /dev/null
+++ b/secure-use-api/src/main/java/org/tzi/use/api_security/model/ApiTokenModel.java
@@ -0,0 +1,71 @@
+package org.tzi.use.api_security.model;
+
+import java.sql.Timestamp;
+import java.util.UUID;
+
+import org.hibernate.annotations.CreationTimestamp;
+
+import jakarta.persistence.Column;
+import jakarta.persistence.Entity;
+import jakarta.persistence.Id;
+import jakarta.persistence.JoinColumn;
+import jakarta.persistence.Lob;
+import jakarta.persistence.ManyToOne;
+import jakarta.persistence.Table;
+
+@Entity
+@Table(name = "ApiToken")
+public class ApiTokenModel {
+
+    @Id
+    private UUID uid;
+
+    @Lob // Allow larger text storage
+    @Column(nullable = false)
+    private String token;
+
+    @Column(nullable = false)
+    private UUID owner;
+
+    @CreationTimestamp
+    private Timestamp createdAt;
+
+    @ManyToOne
+    @JoinColumn(name = "owner", insertable = false, updatable = false)
+    private UserAdditionsModel userAdditions;
+
+    public ApiTokenModel() {
+    }
+
+    public UUID getUid() {
+        return this.uid;
+    }
+
+    public String getToken() {
+        return this.token;
+    }
+
+    public UUID getOwner() {
+        return this.owner;
+    }
+
+    public Timestamp getCreatedAt() {
+        return this.createdAt;
+    }
+
+    public void setUid(UUID uid) {
+        this.uid = uid;
+    }
+
+    public void setToken(String token) {
+        this.token = token;
+    }
+
+    public void setOwner(UUID ownerId) {
+        this.owner = ownerId;
+    }
+
+    public void setCreatedAt(Timestamp createdAt) {
+        this.createdAt = createdAt;
+    }
+}
diff --git a/secure-use-api/src/main/java/org/tzi/use/api_security/model/RefreshTokenModel.java b/secure-use-api/src/main/java/org/tzi/use/api_security/model/RefreshTokenModel.java
new file mode 100644
index 0000000..1a45bca
--- /dev/null
+++ b/secure-use-api/src/main/java/org/tzi/use/api_security/model/RefreshTokenModel.java
@@ -0,0 +1,50 @@
+package org.tzi.use.api_security.model;
+
+import java.sql.Timestamp;
+import java.util.UUID;
+
+import jakarta.persistence.Column;
+import jakarta.persistence.Entity;
+import jakarta.persistence.Id;
+import jakarta.persistence.Table;
+
+@Entity
+@Table(name = "RefreshToken")
+public class RefreshTokenModel {
+
+    @Id
+    private UUID uid;
+
+    @Column(nullable = false, unique = true)
+    private UUID spouseId;
+
+    @Column(nullable = false)
+    private Timestamp expireAt;
+
+    public RefreshTokenModel() {
+    }
+
+    public UUID getUid() {
+        return this.uid;
+    }
+
+    public UUID getSpouseId() {
+        return this.spouseId;
+    }
+
+    public Timestamp getExpireAt() {
+        return this.expireAt;
+    }
+
+    public void setUid(UUID uid) {
+        this.uid = uid;
+    }
+
+    public void setSpouse(UUID spouseId) {
+        this.spouseId = spouseId;
+    }
+
+    public void setExpireAt(Timestamp expireAt) {
+        this.expireAt = expireAt;
+    }
+}
diff --git a/secure-use-api/src/main/java/org/tzi/use/api_security/model/UserAdditionsModel.java b/secure-use-api/src/main/java/org/tzi/use/api_security/model/UserAdditionsModel.java
new file mode 100644
index 0000000..6286b08
--- /dev/null
+++ b/secure-use-api/src/main/java/org/tzi/use/api_security/model/UserAdditionsModel.java
@@ -0,0 +1,57 @@
+package org.tzi.use.api_security.model;
+
+import java.sql.Timestamp;
+import java.util.ArrayList;
+import java.util.List;
+import java.util.UUID;
+
+import jakarta.persistence.CascadeType;
+import jakarta.persistence.Entity;
+import jakarta.persistence.Id;
+import jakarta.persistence.JoinColumn;
+import jakarta.persistence.MapsId;
+import jakarta.persistence.OneToMany;
+import jakarta.persistence.OneToOne;
+import jakarta.persistence.Table;
+
+@Entity
+@Table(name = "UserAdditions")
+public class UserAdditionsModel {
+    @Id
+    private UUID userId;
+
+    @OneToOne
+    @MapsId
+    @JoinColumn(name = "userId")
+    private UserMetaModel userMeta;
+
+    @OneToMany(mappedBy = "owner", cascade = CascadeType.ALL)
+    private List<ApiTokenModel> items = new ArrayList<ApiTokenModel>();
+
+    private int resourceTimeUsed;
+
+    private Timestamp resourceTimeUsedLastChangedAt;
+
+    public UserAdditionsModel() {
+    }
+
+    public int getResourceLimitUsed() {
+        return this.resourceTimeUsed;
+    }
+
+    public Timestamp getResourceTimeUsedLastChangedAt() {
+        return this.resourceTimeUsedLastChangedAt;
+    }
+
+    public void setUserId(UUID userId) {
+        this.userId = userId;
+    }
+
+    public void setResourceLimitUsed(int resourceTimeUsed) {
+        this.resourceTimeUsed = resourceTimeUsed;
+    }
+
+    public void setUserMeta(UserMetaModel userMetaModel) {
+        this.userMeta = userMetaModel;
+    }
+}
diff --git a/secure-use-api/src/main/java/org/tzi/use/api_security/model/UserComposite.java b/secure-use-api/src/main/java/org/tzi/use/api_security/model/UserComposite.java
new file mode 100644
index 0000000..4cb52dd
--- /dev/null
+++ b/secure-use-api/src/main/java/org/tzi/use/api_security/model/UserComposite.java
@@ -0,0 +1,28 @@
+package org.tzi.use.api_security.model;
+
+public class UserComposite {
+    private UserMetaModel userMeta;
+    private UserSecurityModel userSecurity;
+
+    public UserComposite(UserMetaModel userMeta, UserSecurityModel userSecurity) {
+        this.userMeta = userMeta;
+        this.userSecurity = userSecurity;
+    }
+
+    // Getters and Setters
+    public UserMetaModel getUserMeta() {
+        return userMeta;
+    }
+
+    public void setUserMeta(UserMetaModel userMeta) {
+        this.userMeta = userMeta;
+    }
+
+    public UserSecurityModel getUserSecurity() {
+        return userSecurity;
+    }
+
+    public void setUserSecurity(UserSecurityModel userSecurity) {
+        this.userSecurity = userSecurity;
+    }
+}
\ No newline at end of file
diff --git a/secure-use-api/src/main/java/org/tzi/use/api_security/model/UserMetaModel.java b/secure-use-api/src/main/java/org/tzi/use/api_security/model/UserMetaModel.java
new file mode 100644
index 0000000..eb0bd5e
--- /dev/null
+++ b/secure-use-api/src/main/java/org/tzi/use/api_security/model/UserMetaModel.java
@@ -0,0 +1,80 @@
+package org.tzi.use.api_security.model;
+
+import java.sql.Timestamp;
+import java.util.ArrayList;
+import java.util.List;
+import java.util.UUID;
+
+import org.hibernate.annotations.CreationTimestamp;
+import org.hibernate.annotations.UpdateTimestamp;
+
+import jakarta.persistence.CascadeType;
+import jakarta.persistence.Column;
+import jakarta.persistence.ElementCollection;
+import jakarta.persistence.Entity;
+import jakarta.persistence.GeneratedValue;
+import jakarta.persistence.Id;
+import jakarta.persistence.OneToOne;
+import jakarta.persistence.Table;
+
+@Entity
+@Table(name = "UserMeta")
+public class UserMetaModel {
+
+    @Id
+    @GeneratedValue
+    private UUID userId;
+
+    @Column(nullable = false, unique = true)
+    private String email;
+
+    private String provider;
+
+    private String externalId;
+
+    @ElementCollection
+    private List<String> roles = new ArrayList<>();
+
+    @CreationTimestamp
+    private Timestamp createdAt;
+
+    @UpdateTimestamp
+    private Timestamp lastChangedAt;
+
+    @OneToOne(mappedBy = "userMeta", cascade = CascadeType.ALL)
+    private UserSecurityModel userSecurityModel;
+
+    @OneToOne(mappedBy = "userMeta", cascade = CascadeType.ALL)
+    private UserAdditionsModel userAdditionsModel;
+
+    public UserMetaModel() {
+    }
+
+    public UUID getUserId() {
+        return this.userId;
+    }
+
+    public String getEmail() {
+        return this.email;
+    }
+
+    public String getProvider() {
+        return this.provider;
+    }
+
+    public String getExternalId() {
+        return this.externalId;
+    }
+
+    public List<String> getRoles() {
+        return this.roles;
+    }
+
+    public void setEmail(String email) {
+        this.email = email;
+    }
+
+    public void setRoles(ArrayList<String> roles) {
+        this.roles = roles;
+    }
+}
diff --git a/secure-use-api/src/main/java/org/tzi/use/api_security/model/UserSecurityModel.java b/secure-use-api/src/main/java/org/tzi/use/api_security/model/UserSecurityModel.java
new file mode 100644
index 0000000..fbffa51
--- /dev/null
+++ b/secure-use-api/src/main/java/org/tzi/use/api_security/model/UserSecurityModel.java
@@ -0,0 +1,65 @@
+package org.tzi.use.api_security.model;
+
+import java.sql.Timestamp;
+import java.util.UUID;
+
+import jakarta.persistence.Entity;
+import jakarta.persistence.Id;
+import jakarta.persistence.JoinColumn;
+import jakarta.persistence.MapsId;
+import jakarta.persistence.OneToOne;
+import jakarta.persistence.Table;
+
+@Entity
+@Table(name = "UserSecurity")
+public class UserSecurityModel {
+
+    @Id
+    private UUID userId;
+
+    @OneToOne
+    @MapsId
+    @JoinColumn(name = "UserId")
+    private UserMetaModel userMeta;
+
+    private String hashedSaltedPassword;
+
+    private int failedLogInAttempts;
+
+    private Timestamp LastLogInAt;
+
+    public UserSecurityModel() {
+    }
+
+    public String getPassword() {
+        return this.hashedSaltedPassword;
+    }
+
+    public int getFailedLogInAttempts() {
+        return this.failedLogInAttempts;
+    }
+
+    public Timestamp getLastLogInAt() {
+        return this.LastLogInAt;
+    }
+
+    public void setUserId(UUID userId) {
+        this.userId = userId;
+    }
+
+    public void setUserMeta(UserMetaModel userMeta) {
+        this.userMeta = userMeta;
+    }
+
+    public void setPassword(String password) {
+        this.hashedSaltedPassword = password;
+    }
+
+    public void setFailedLogInAttempts(int failedLogInAttempt) {
+        this.failedLogInAttempts = failedLogInAttempt;
+    }
+
+    public void setLastLogInAt(Timestamp lastLogInAt) {
+        this.LastLogInAt = lastLogInAt;
+    }
+}
diff --git a/secure-use-api/src/main/java/org/tzi/use/api_security/repository/ApiTokenRepository.java b/secure-use-api/src/main/java/org/tzi/use/api_security/repository/ApiTokenRepository.java
new file mode 100644
index 0000000..588dab4
--- /dev/null
+++ b/secure-use-api/src/main/java/org/tzi/use/api_security/repository/ApiTokenRepository.java
@@ -0,0 +1,18 @@
+package org.tzi.use.api_security.repository;
+
+import java.util.List;
+import java.util.UUID;
+
+import org.springframework.data.jpa.repository.JpaRepository;
+import org.springframework.stereotype.Repository;
+
+import org.tzi.use.api_security.model.ApiTokenModel;
+
+@Repository
+public interface ApiTokenRepository extends JpaRepository<ApiTokenModel, UUID> {
+    List<ApiTokenModel> findByOwner(UUID ownerId);
+
+    int deleteByUidAndOwner(UUID uid, UUID owner);
+
+    ApiTokenModel findByUidAndOwner(UUID uid, UUID ownerId);
+}
\ No newline at end of file
diff --git a/secure-use-api/src/main/java/org/tzi/use/api_security/repository/RefreshTokenRepository.java b/secure-use-api/src/main/java/org/tzi/use/api_security/repository/RefreshTokenRepository.java
new file mode 100644
index 0000000..6769936
--- /dev/null
+++ b/secure-use-api/src/main/java/org/tzi/use/api_security/repository/RefreshTokenRepository.java
@@ -0,0 +1,20 @@
+package org.tzi.use.api_security.repository;
+
+import java.util.Date;
+import java.util.UUID;
+
+import org.springframework.data.jpa.repository.JpaRepository;
+import org.springframework.data.jpa.repository.Modifying;
+import org.springframework.data.jpa.repository.Query;
+import org.springframework.stereotype.Repository;
+
+import jakarta.transaction.Transactional;
+import org.tzi.use.api_security.model.RefreshTokenModel;
+
+@Repository
+public interface RefreshTokenRepository extends JpaRepository<RefreshTokenModel, UUID> {
+    @Transactional
+    @Modifying
+    @Query(value = "DELETE FROM REFRESH_TOKEN r WHERE r.uid=?1 AND r.spouse_id=?2 AND r.expire_at>?3", nativeQuery = true)
+    int deleteExpiredToken(UUID uid, UUID spouseId, Date currentTime);
+}
\ No newline at end of file
diff --git a/secure-use-api/src/main/java/org/tzi/use/api_security/repository/UserAdditionsRepository.java b/secure-use-api/src/main/java/org/tzi/use/api_security/repository/UserAdditionsRepository.java
new file mode 100644
index 0000000..56e4463
--- /dev/null
+++ b/secure-use-api/src/main/java/org/tzi/use/api_security/repository/UserAdditionsRepository.java
@@ -0,0 +1,25 @@
+package org.tzi.use.api_security.repository;
+
+import java.sql.Timestamp;
+import java.util.UUID;
+
+import org.springframework.data.jpa.repository.JpaRepository;
+import org.springframework.data.jpa.repository.Modifying;
+import org.springframework.data.jpa.repository.Query;
+import org.springframework.stereotype.Repository;
+
+import jakarta.transaction.Transactional;
+import org.tzi.use.api_security.model.UserAdditionsModel;
+
+@Repository
+public interface UserAdditionsRepository extends JpaRepository<UserAdditionsModel, UUID> {
+    @Transactional
+    @Query(value = "SELECT * FROM USER_ADDITIONS u WHERE u.user_id=?1 AND u.resource_time_used_last_changed_at BETWEEN ?2 AND ?3", nativeQuery = true)
+    UserAdditionsModel findByUidAndToday(UUID uid, Timestamp todayStart, Timestamp todayEnd);
+
+    @Transactional
+    @Modifying
+    @Query(value = "UPDATE USER_ADDITIONS u SET u.resource_time_used=?2, u.resource_time_used_last_changed_at=?3 WHERE u.user_id=?1", nativeQuery = true)
+    int UpdateResourceTimeUsedAndLastChangedAtByUid(UUID uid, long resourceTimeUsed,
+            Timestamp resourceTimeUsedLTimestamp);
+}
\ No newline at end of file
diff --git a/secure-use-api/src/main/java/org/tzi/use/api_security/repository/UserMetaRepository.java b/secure-use-api/src/main/java/org/tzi/use/api_security/repository/UserMetaRepository.java
new file mode 100644
index 0000000..d739c83
--- /dev/null
+++ b/secure-use-api/src/main/java/org/tzi/use/api_security/repository/UserMetaRepository.java
@@ -0,0 +1,14 @@
+package org.tzi.use.api_security.repository;
+
+import java.util.Optional;
+import java.util.UUID;
+
+import org.springframework.data.jpa.repository.JpaRepository;
+import org.springframework.stereotype.Repository;
+
+import org.tzi.use.api_security.model.UserMetaModel;
+
+@Repository
+public interface UserMetaRepository extends JpaRepository<UserMetaModel, UUID> {
+    Optional<UserMetaModel> findByEmail(String email);
+}
\ No newline at end of file
diff --git a/secure-use-api/src/main/java/org/tzi/use/api_security/repository/UserSecurityRepository.java b/secure-use-api/src/main/java/org/tzi/use/api_security/repository/UserSecurityRepository.java
new file mode 100644
index 0000000..b6244e8
--- /dev/null
+++ b/secure-use-api/src/main/java/org/tzi/use/api_security/repository/UserSecurityRepository.java
@@ -0,0 +1,12 @@
+package org.tzi.use.api_security.repository;
+
+import java.util.UUID;
+
+import org.springframework.data.jpa.repository.JpaRepository;
+import org.springframework.stereotype.Repository;
+
+import org.tzi.use.api_security.model.UserSecurityModel;
+
+@Repository
+public interface UserSecurityRepository extends JpaRepository<UserSecurityModel, UUID> {
+}
\ No newline at end of file
diff --git a/secure-use-api/src/main/java/org/tzi/use/api_security/rest/controller/ApiTokenController.java b/secure-use-api/src/main/java/org/tzi/use/api_security/rest/controller/ApiTokenController.java
new file mode 100644
index 0000000..955db25
--- /dev/null
+++ b/secure-use-api/src/main/java/org/tzi/use/api_security/rest/controller/ApiTokenController.java
@@ -0,0 +1,73 @@
+package org.tzi.use.api_security.rest.controller;
+
+import java.util.List;
+import java.util.UUID;
+
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.http.HttpStatus;
+import org.springframework.http.MediaType;
+import org.springframework.http.ResponseEntity;
+import org.springframework.web.bind.annotation.*;
+import org.springframework.web.server.ResponseStatusException;
+
+import org.springframework.security.core.context.SecurityContextHolder;
+
+import org.tzi.use.api_security.exceptions.Exceptions;
+import org.tzi.use.api_security.rest.dto.IdActionDto;
+import org.tzi.use.api_security.rest.dto.TokensDto;
+import org.tzi.use.api_security.rest.service.ApiTokenService;
+import org.tzi.use.api_security.security.RequireScope;
+import org.tzi.use.api_security.security.UserAuthentication;
+import org.tzi.use.api_security.token.ApiToken;
+
+@RestController
+@RequestMapping("api")
+public class ApiTokenController {
+
+    @Autowired
+    private ApiTokenService service;
+
+    @GetMapping(path = "getAll")
+    @RequireScope({ "authenticated", "token:read" })
+    public ResponseEntity<List<String>> getAll() {
+        UserAuthentication user = (UserAuthentication) SecurityContextHolder.getContext().getAuthentication();
+
+        try {
+            List<String> apiTokenList = this.service.getAllAsStrings(user.getUserId());
+
+            return ResponseEntity.ok(apiTokenList);
+        } catch (Exceptions.UserAlreadyExists err) {
+            throw new ResponseStatusException(HttpStatus.BAD_REQUEST, err.getMessage());
+        }
+    }
+
+    @PostMapping(path = "create", produces = MediaType.APPLICATION_JSON_VALUE)
+    @RequireScope({ "authenticated", "token:create" })
+    public ResponseEntity<TokensDto> create() {
+        UserAuthentication user = (UserAuthentication) SecurityContextHolder.getContext().getAuthentication();
+
+        try {
+            ApiToken apiToken = this.service.create(user.getUserId(), user.getName());
+
+            return ResponseEntity.ok(new TokensDto(apiToken.toTokenString(), null));
+        } catch (Exceptions.UserAlreadyExists err) {
+            throw new ResponseStatusException(HttpStatus.BAD_REQUEST, err.getMessage());
+        }
+    }
+
+    @DeleteMapping(path = "delete/{apiTokenId}")
+    @RequireScope({ "authenticated", "token:delete" })
+    public ResponseEntity<IdActionDto> delete(@PathVariable UUID apiTokenId) {
+        UserAuthentication user = (UserAuthentication) SecurityContextHolder.getContext().getAuthentication();
+
+        int deleteCount = this.service.delete(apiTokenId, user.getUserId());
+
+        if (deleteCount != 0) {
+            return ResponseEntity.ok(new IdActionDto(apiTokenId, "TokenDeleted"));
+        }
+
+        // This can be happen when there is not token with the given id or it is not
+        // owned by the user
+        throw new ResponseStatusException(HttpStatus.BAD_REQUEST, "No Token deleted");
+    }
+}
\ No newline at end of file
diff --git a/secure-use-api/src/main/java/org/tzi/use/api_security/rest/controller/AuthenticationController.java b/secure-use-api/src/main/java/org/tzi/use/api_security/rest/controller/AuthenticationController.java
new file mode 100644
index 0000000..8626ccd
--- /dev/null
+++ b/secure-use-api/src/main/java/org/tzi/use/api_security/rest/controller/AuthenticationController.java
@@ -0,0 +1,127 @@
+package org.tzi.use.api_security.rest.controller;
+
+import java.util.List;
+import java.util.Optional;
+import java.util.UUID;
+import java.util.stream.Collectors;
+
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.http.HttpStatus;
+import org.springframework.http.MediaType;
+import org.springframework.http.ResponseEntity;
+import org.springframework.web.bind.annotation.*;
+import org.springframework.web.server.ResponseStatusException;
+
+import com.auth0.jwt.exceptions.JWTVerificationException;
+
+import jakarta.transaction.Transactional;
+import jakarta.validation.Valid;
+
+import org.springframework.security.core.AuthenticationException;
+import org.springframework.security.core.context.SecurityContextHolder;
+
+import org.tzi.use.api_security.exceptions.Exceptions;
+import org.tzi.use.api_security.rest.service.AuthenticationService;
+import org.tzi.use.api_security.rest.service.RefreshTokenService;
+import org.tzi.use.api_security.rest.service.UserService;
+import org.tzi.use.api_security.security.RequireScope;
+import org.tzi.use.api_security.security.Role;
+import org.tzi.use.api_security.security.UserAuthentication;
+import org.tzi.use.api_security.token.AccessToken;
+import org.tzi.use.api_security.token.RefreshToken;
+import org.tzi.use.api_security.rest.dto.TokensDto;
+import org.tzi.use.api_security.rest.dto.IdActionDto;
+import org.tzi.use.api_security.rest.dto.RefreshTokenDto;
+import org.tzi.use.api_security.rest.dto.UserLoginDto;
+import org.tzi.use.api_security.rest.dto.UserRegistrationDto;
+
+@RestController
+@RequestMapping("auth")
+public class AuthenticationController {
+
+    @Autowired
+    private AuthenticationService authService;
+
+    @Autowired
+    private UserService userService;
+
+    @Autowired
+    private RefreshTokenService refreshTokenService;
+
+    @GetMapping({ "", "/" })
+    @RequireScope({ "authenticated", "account:read" })
+    String home() {
+        UserAuthentication user = (UserAuthentication) SecurityContextHolder.getContext().getAuthentication();
+        List<Role> roles = user.getAuthorities().stream()
+                .filter(authority -> authority instanceof Role) // Filter to ensure it's a Role
+                .map(authority -> (Role) authority) // Cast to Role
+                .collect(Collectors.toList()); // Collect to List<Role>
+
+        return "Hello World! with " + roles.toString();
+    }
+
+    @Transactional
+    @PostMapping(path = "register", consumes = MediaType.APPLICATION_JSON_VALUE, produces = MediaType.APPLICATION_JSON_VALUE)
+    public ResponseEntity<IdActionDto> register(@RequestBody @Valid UserRegistrationDto registrationDto) {
+
+        try {
+            UUID userId = this.authService.register(registrationDto.getEmail(), registrationDto.getPassword());
+
+            this.userService.createUserAdditions(userId);
+
+            return ResponseEntity.ok(new IdActionDto(userId, "UserCreated"));
+        } catch (Exceptions.UserAlreadyExists err) {
+            throw new ResponseStatusException(HttpStatus.BAD_REQUEST, err.getMessage());
+        }
+    }
+
+    @PostMapping(path = "login", consumes = MediaType.APPLICATION_JSON_VALUE, produces = MediaType.APPLICATION_JSON_VALUE)
+    public ResponseEntity<TokensDto> login(@RequestBody @Valid UserLoginDto loginRequest) {
+        try {
+            AccessToken accessToken = this.authService.login(loginRequest.getEmail(), loginRequest.getPassword());
+            RefreshToken refreshToken = refreshTokenService.create(accessToken);
+
+            return ResponseEntity.ok(new TokensDto(accessToken.toTokenString(), refreshToken.toTokenString()));
+        } catch (AuthenticationException err) {
+            throw new ResponseStatusException(HttpStatus.BAD_REQUEST, err.getMessage());
+        }
+    }
+
+    @PutMapping(path = "login", consumes = MediaType.APPLICATION_JSON_VALUE, produces = MediaType.APPLICATION_JSON_VALUE)
+    public ResponseEntity<TokensDto> refresh(
+            @RequestHeader(value = "Authorization", required = false) String authorizationHeader,
+            @RequestBody @Valid RefreshTokenDto refreshTokenRequest) {
+        try {
+            if (authorizationHeader == null || !authorizationHeader.startsWith("Bearer ")) {
+                throw new ResponseStatusException(HttpStatus.BAD_REQUEST, "Missing Authorization Bearer Token");
+            }
+
+            Optional<AccessToken> accessToken = AccessToken.fromTokenString(authorizationHeader.substring(7));
+            Optional<RefreshToken> refreshToken = RefreshToken.fromTokenString(refreshTokenRequest.getRefreshToken());
+
+            if (!accessToken.isPresent()) {
+                throw new Exceptions.InvalidException("Authorization Header does not contain a Valid AccessToken");
+            } else if (!refreshToken.isPresent()) {
+                throw new Exceptions.InvalidException("RefreshToken is not a Valid Token");
+            }
+
+            AccessToken newAccessToken = refreshTokenService.devaluate(refreshToken.get(), accessToken.get());
+            RefreshToken newRefreshToken = refreshTokenService.create(newAccessToken);
+
+            return ResponseEntity.ok(new TokensDto(newAccessToken.toTokenString(), newRefreshToken.toTokenString()));
+        } catch (JWTVerificationException | Exceptions.ExpiredException | Exceptions.InvalidException | IllegalArgumentException
+                 | AuthenticationException err) {
+            throw new ResponseStatusException(HttpStatus.BAD_REQUEST, err.getMessage());
+        }
+    }
+
+    @DeleteMapping(path = "delete")
+    @RequireScope({ "authenticated", "account:delete" })
+    public ResponseEntity<IdActionDto> delete() {
+        UserAuthentication user = (UserAuthentication) SecurityContextHolder.getContext().getAuthentication();
+
+        this.authService.delete(user.getUserId());
+
+        return ResponseEntity.ok(new IdActionDto(user.getUserId(), "UserDeleted"));
+    }
+}
\ No newline at end of file
diff --git a/secure-use-api/src/main/java/org/tzi/use/api_security/rest/controller/UserController.java b/secure-use-api/src/main/java/org/tzi/use/api_security/rest/controller/UserController.java
new file mode 100644
index 0000000..2d53a50
--- /dev/null
+++ b/secure-use-api/src/main/java/org/tzi/use/api_security/rest/controller/UserController.java
@@ -0,0 +1,48 @@
+package org.tzi.use.api_security.rest.controller;
+
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.http.ResponseEntity;
+import org.springframework.web.bind.annotation.*;
+
+import jakarta.transaction.Transactional;
+
+import org.springframework.security.core.context.SecurityContextHolder;
+
+import org.tzi.use.api_security.rest.dto.ResourceLimitLeftDto;
+import org.tzi.use.api_security.rest.middleware.ResourceLimitMiddleware;
+import org.tzi.use.api_security.rest.service.UserService;
+import org.tzi.use.api_security.security.RequireScope;
+import org.tzi.use.api_security.security.UserAuthentication;
+
+@RestController
+@RequestMapping("user")
+public class UserController {
+
+    @Autowired
+    private UserService userService;
+
+    @GetMapping(path = "longRun")
+    @ResourceLimitMiddleware.ResourceLimited
+    public ResponseEntity<String> longRunningTask() {
+        try {
+            // Simulate a long-running task (e.g., 20 seconds)
+            Thread.sleep(20000);
+        } catch (InterruptedException e) {
+            Thread.currentThread().interrupt();
+            // Handle the interruption
+        }
+
+        return ResponseEntity.ok("Finished");
+    }
+
+    @Transactional
+    @GetMapping(path = "resourceLimit")
+    @RequireScope({ "authenticated", "account:read" })
+    public ResponseEntity<ResourceLimitLeftDto> getResourceLimitLeft() {
+        UserAuthentication user = (UserAuthentication) SecurityContextHolder.getContext().getAuthentication();
+
+        long resourceLimit = userService.getResourceLimitLeft(user.getUserId());
+
+        return ResponseEntity.ok(new ResourceLimitLeftDto(resourceLimit, "seconds"));
+    }
+}
\ No newline at end of file
diff --git a/secure-use-api/src/main/java/org/tzi/use/api_security/rest/dto/IdActionDto.java b/secure-use-api/src/main/java/org/tzi/use/api_security/rest/dto/IdActionDto.java
new file mode 100644
index 0000000..167d112
--- /dev/null
+++ b/secure-use-api/src/main/java/org/tzi/use/api_security/rest/dto/IdActionDto.java
@@ -0,0 +1,28 @@
+package org.tzi.use.api_security.rest.dto;
+
+import java.util.UUID;
+
+import jakarta.validation.constraints.NotNull;
+import jakarta.validation.constraints.Size;
+
+public class IdActionDto {
+
+    @Size(min = 1, max = 32)
+    private String actionType;
+
+    @NotNull
+    private UUID id;
+
+    public IdActionDto(UUID id, String actionType) {
+        this.id = id;
+        this.actionType = actionType;
+    }
+
+    public UUID getId() {
+        return this.id;
+    }
+
+    public String getActionType() {
+        return this.actionType;
+    }
+}
diff --git a/secure-use-api/src/main/java/org/tzi/use/api_security/rest/dto/RefreshTokenDto.java b/secure-use-api/src/main/java/org/tzi/use/api_security/rest/dto/RefreshTokenDto.java
new file mode 100644
index 0000000..f5e48db
--- /dev/null
+++ b/secure-use-api/src/main/java/org/tzi/use/api_security/rest/dto/RefreshTokenDto.java
@@ -0,0 +1,21 @@
+package org.tzi.use.api_security.rest.dto;
+
+import jakarta.validation.constraints.NotEmpty;
+import jakarta.validation.constraints.NotNull;
+import jakarta.validation.constraints.Size;
+
+public class RefreshTokenDto {
+
+    @NotNull(message = "RefreshToken cannot be null")
+    @NotEmpty(message = "RefreshToken cannot be empty")
+    @Size(min = 8, max = 4096)
+    private String refreshToken;
+
+    public RefreshTokenDto() {
+        this.refreshToken = "";
+    }
+
+    public String getRefreshToken() {
+        return this.refreshToken;
+    }
+}
diff --git a/secure-use-api/src/main/java/org/tzi/use/api_security/rest/dto/ResourceLimitLeftDto.java b/secure-use-api/src/main/java/org/tzi/use/api_security/rest/dto/ResourceLimitLeftDto.java
new file mode 100644
index 0000000..0bb251b
--- /dev/null
+++ b/secure-use-api/src/main/java/org/tzi/use/api_security/rest/dto/ResourceLimitLeftDto.java
@@ -0,0 +1,30 @@
+package org.tzi.use.api_security.rest.dto;
+
+import jakarta.validation.constraints.Max;
+import jakarta.validation.constraints.Min;
+import jakarta.validation.constraints.NotNull;
+import jakarta.validation.constraints.Size;
+
+public class ResourceLimitLeftDto {
+
+    @NotNull
+    @Min(-999999999)
+    @Max(999999999)
+    private final long time;
+
+    @Size(min = 1, max = 32)
+    private final String unitType;
+
+    public ResourceLimitLeftDto(long time, String unitType) {
+        this.time = time;
+        this.unitType = unitType;
+    }
+
+    public long getTime() {
+        return this.time;
+    }
+
+    public String getUnitType() {
+        return this.unitType;
+    }
+}
diff --git a/secure-use-api/src/main/java/org/tzi/use/api_security/rest/dto/TokensDto.java b/secure-use-api/src/main/java/org/tzi/use/api_security/rest/dto/TokensDto.java
new file mode 100644
index 0000000..6d7eb42
--- /dev/null
+++ b/secure-use-api/src/main/java/org/tzi/use/api_security/rest/dto/TokensDto.java
@@ -0,0 +1,26 @@
+package org.tzi.use.api_security.rest.dto;
+
+import jakarta.validation.constraints.NotNull;
+import jakarta.validation.constraints.Size;
+
+public class TokensDto {
+    @NotNull
+    @Size(min = 8, max = 4096)
+    private final String token;
+
+    @Size(min = 8, max = 4096)
+    private final String refreshToken;
+
+    public TokensDto(String token, String refreshToken) {
+        this.token = token;
+        this.refreshToken = refreshToken;
+    }
+
+    public String getToken() {
+        return this.token;
+    }
+
+    public String getRefreshToken() {
+        return this.refreshToken;
+    }
+}
diff --git a/secure-use-api/src/main/java/org/tzi/use/api_security/rest/dto/UserLoginDto.java b/secure-use-api/src/main/java/org/tzi/use/api_security/rest/dto/UserLoginDto.java
new file mode 100644
index 0000000..ea44a5c
--- /dev/null
+++ b/secure-use-api/src/main/java/org/tzi/use/api_security/rest/dto/UserLoginDto.java
@@ -0,0 +1,33 @@
+package org.tzi.use.api_security.rest.dto;
+
+import jakarta.validation.constraints.Email;
+import jakarta.validation.constraints.NotEmpty;
+import jakarta.validation.constraints.NotNull;
+import jakarta.validation.constraints.Size;
+
+public class UserLoginDto {
+
+    @NotNull(message = "Email cannot be null")
+    @NotEmpty(message = "Email cannot be empty")
+    @Size(min = 4, max = 56)
+    @Email
+    private String email;
+
+    @NotNull(message = "Password cannot be null")
+    @NotEmpty(message = "Password cannot be empty")
+    @Size(min = 8, max = 56)
+    private String password;
+
+    public UserLoginDto() {
+        this.email = "";
+        this.password = "";
+    }
+
+    public String getEmail() {
+        return this.email;
+    }
+
+    public String getPassword() {
+        return this.password;
+    }
+}
diff --git a/secure-use-api/src/main/java/org/tzi/use/api_security/rest/dto/UserRegistrationDto.java b/secure-use-api/src/main/java/org/tzi/use/api_security/rest/dto/UserRegistrationDto.java
new file mode 100644
index 0000000..8ceb51c
--- /dev/null
+++ b/secure-use-api/src/main/java/org/tzi/use/api_security/rest/dto/UserRegistrationDto.java
@@ -0,0 +1,28 @@
+package org.tzi.use.api_security.rest.dto;
+
+import jakarta.validation.constraints.Email;
+import jakarta.validation.constraints.NotEmpty;
+import jakarta.validation.constraints.NotNull;
+import jakarta.validation.constraints.Size;
+
+public class UserRegistrationDto {
+
+    @NotNull(message = "Email cannot be null")
+    @NotEmpty(message = "Email cannot be empty")
+    @Size(min = 4, max = 56)
+    @Email
+    private String email;
+
+    @NotNull(message = "Password cannot be null")
+    @NotEmpty(message = "Password cannot be empty")
+    @Size(min = 8, max = 56)
+    private String password;
+
+    public String getEmail() {
+        return this.email;
+    }
+
+    public String getPassword() {
+        return this.password;
+    }
+}
diff --git a/secure-use-api/src/main/java/org/tzi/use/api_security/rest/middleware/AuditLogMiddleware.java b/secure-use-api/src/main/java/org/tzi/use/api_security/rest/middleware/AuditLogMiddleware.java
new file mode 100644
index 0000000..676977a
--- /dev/null
+++ b/secure-use-api/src/main/java/org/tzi/use/api_security/rest/middleware/AuditLogMiddleware.java
@@ -0,0 +1,81 @@
+package org.tzi.use.api_security.rest.middleware;
+
+import java.io.IOException;
+import java.time.OffsetDateTime;
+import java.time.format.DateTimeFormatter;
+
+import org.springframework.security.core.Authentication;
+import org.springframework.security.core.context.SecurityContextHolder;
+import org.springframework.stereotype.Component;
+import org.springframework.web.filter.OncePerRequestFilter;
+import org.springframework.web.util.ContentCachingResponseWrapper;
+
+import jakarta.servlet.FilterChain;
+import jakarta.servlet.ServletException;
+import jakarta.servlet.http.HttpServletRequest;
+import jakarta.servlet.http.HttpServletResponse;
+import org.tzi.use.api_security.security.UserAuthentication;
+
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+@Component
+public class AuditLogMiddleware extends OncePerRequestFilter {
+    private static final DateTimeFormatter dateTimeFormatter = DateTimeFormatter.ofPattern("dd/MMM/yyyy:HH:mm:ss Z");
+
+    private final Logger logger = LoggerFactory.getLogger(AuditLogMiddleware.class);
+
+    @Override
+    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain)
+            throws ServletException, IOException {
+
+        System.out.println("AuditLogMiddleware start");
+
+        // Needing cachedResponse for getting Body which is a one time readable stream.
+        // With not doing it that way but reading the body here, result in an empty body
+        // for the client.
+        ContentCachingResponseWrapper cachedResponse = new ContentCachingResponseWrapper(response);
+
+        String requestTime = OffsetDateTime.now().format(dateTimeFormatter);
+        String host = request.getRemoteAddr();
+        String method = request.getMethod();
+        String requestURI = request.getRequestURI();
+        String protocol = request.getProtocol();
+        String referer = request.getHeader("Referer");
+        String userAgent = request.getHeader("User-Agent");
+
+        // Continue the filter chain
+        filterChain.doFilter(request, cachedResponse);
+
+        Authentication anonymousUser = SecurityContextHolder.getContext().getAuthentication();
+        UserAuthentication user = null;
+
+        // If user is know and of instance UserAuthentication and not
+        // org.springframework.security.authentication.AnonymousAuthenticationToken
+        if (anonymousUser != null && anonymousUser instanceof UserAuthentication) {
+            user = (UserAuthentication) anonymousUser;
+        }
+
+        // Log the response details
+        int status = cachedResponse.getStatus();
+        byte[] responseBody = cachedResponse.getContentAsByteArray();
+
+        String logEntry = String.format("%s - %s [%s] \"%s %s %s\" %d %d %s %s",
+                host,
+                user != null ? user.getUserId() : "-",
+                requestTime,
+                method,
+                requestURI,
+                protocol,
+                status,
+                responseBody.length,
+                referer != null ? "\"" + referer + "\"" : "-",
+                userAgent != null ? "\"" + userAgent + "\"" : "-");
+
+        logger.info(logEntry);
+
+        cachedResponse.copyBodyToResponse();
+
+        System.out.println("AuditLogMiddleware end");
+    }
+}
\ No newline at end of file
diff --git a/secure-use-api/src/main/java/org/tzi/use/api_security/rest/middleware/AuthenticationMiddleware.java b/secure-use-api/src/main/java/org/tzi/use/api_security/rest/middleware/AuthenticationMiddleware.java
new file mode 100644
index 0000000..9a47e88
--- /dev/null
+++ b/secure-use-api/src/main/java/org/tzi/use/api_security/rest/middleware/AuthenticationMiddleware.java
@@ -0,0 +1,79 @@
+package org.tzi.use.api_security.rest.middleware;
+
+import java.io.IOException;
+import java.util.Optional;
+
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.http.HttpStatus;
+import org.springframework.security.core.context.SecurityContextHolder;
+import org.springframework.stereotype.Component;
+import org.springframework.web.filter.OncePerRequestFilter;
+
+import jakarta.servlet.FilterChain;
+import jakarta.servlet.ServletException;
+import jakarta.servlet.http.HttpServletRequest;
+import jakarta.servlet.http.HttpServletResponse;
+import org.tzi.use.api_security.exceptions.ExceptionResponse;
+import org.tzi.use.api_security.exceptions.Exceptions;
+import org.tzi.use.api_security.rest.service.ApiTokenService;
+import org.tzi.use.api_security.security.UserAuthentication;
+import org.tzi.use.api_security.token.AccessToken;
+import org.tzi.use.api_security.token.ApiToken;
+
+@Component
+public class AuthenticationMiddleware extends OncePerRequestFilter {
+    @Autowired
+    private ApiTokenService service;
+
+    @Override
+    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain)
+            throws ServletException, IOException {
+
+        System.out.println("AuthenticationMiddleware start");
+
+        String authorizationHeader = request.getHeader("Authorization");
+
+        if (authorizationHeader != null && authorizationHeader.startsWith("Bearer ")) {
+            try {
+                // Extract the token by removing the "Bearer " prefix
+                String jwtString = authorizationHeader.substring(7);
+                Optional<AccessToken> accessTokenOptional = ApiToken.fromTokenString(jwtString);
+                AccessToken accessToken;
+                Optional<ApiToken> apiToken;
+
+                if (!accessTokenOptional.isPresent()) {
+                    throw new Exceptions.InvalidException("Authorization Header does not contain a Valid AccessToken");
+                }
+
+                accessToken = accessTokenOptional.get();
+                apiToken = ApiToken.fromAccessToken(accessToken);
+
+                // If the accessToken is an apiToken (accessToken without expireTime)
+                if (apiToken.isPresent()) {
+                    // Since ApiTokens don't have an expire time, we check presents in db to make
+                    // them manually revokable by removing
+                    if (this.service.get(accessToken.getUid(), accessToken.getUserId()).isEmpty()) {
+                        throw new Exceptions.ExpiredException("Token has expire");
+                    }
+                }
+
+                UserAuthentication user = new UserAuthentication(accessToken.getUserId(), accessToken.getEmail(),
+                        accessToken.getRoles());
+
+                SecurityContextHolder.getContext().setAuthentication(user);
+            } catch (Exceptions.InvalidException | Exceptions.ExpiredException e) {
+                ExceptionResponse exRes = new ExceptionResponse(HttpStatus.UNAUTHORIZED, "Authentication Token wrong",
+                        request.getRequestURI());
+
+                exRes.writeToResponse(response, request);
+
+                return;
+            }
+        }
+
+        filterChain.doFilter(request, response);
+
+        System.out.println("AuthenticationMiddleware end");
+    }
+
+}
\ No newline at end of file
diff --git a/secure-use-api/src/main/java/org/tzi/use/api_security/rest/middleware/AuthorizationMiddleware.java b/secure-use-api/src/main/java/org/tzi/use/api_security/rest/middleware/AuthorizationMiddleware.java
new file mode 100644
index 0000000..550f1bf
--- /dev/null
+++ b/secure-use-api/src/main/java/org/tzi/use/api_security/rest/middleware/AuthorizationMiddleware.java
@@ -0,0 +1,73 @@
+package org.tzi.use.api_security.rest.middleware;
+
+import java.io.IOException;
+import java.lang.reflect.Method;
+
+import org.springframework.http.HttpStatus;
+import org.springframework.security.core.context.SecurityContextHolder;
+import org.springframework.stereotype.Component;
+import org.springframework.web.method.HandlerMethod;
+
+import jakarta.servlet.ServletException;
+import jakarta.servlet.http.HttpServletRequest;
+import jakarta.servlet.http.HttpServletResponse;
+import org.tzi.use.api_security.exceptions.ExceptionResponse;
+import org.tzi.use.api_security.security.RequireScope;
+import org.tzi.use.api_security.security.Role;
+import org.tzi.use.api_security.security.UserAuthentication;
+
+import org.springframework.web.servlet.HandlerInterceptor;
+
+@Component
+public class AuthorizationMiddleware implements HandlerInterceptor {
+
+    @Override
+    public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object handler)
+            throws ServletException, IOException {
+
+        System.out.println("AuthorizationMiddleware start");
+
+        // Checking for handler to get the target controller method and associated
+        // Annotations (Reason why this is an implementation from HandlerInterceptor and
+        // not Filter)
+
+        if (handler != null && handler instanceof HandlerMethod) {
+            HandlerMethod handlerMethod = (HandlerMethod) handler;
+            Method method = handlerMethod.getMethod();
+            RequireScope requireScope = method.getAnnotation(RequireScope.class);
+
+            if (requireScope != null) {
+                String[] requiredScopes = requireScope.value();
+                UserAuthentication user = (UserAuthentication) SecurityContextHolder.getContext()
+                        .getAuthentication();
+
+                // If no user is present, but the method has at leas an empty @RequireScope,
+                // access is permitted
+                if (user == null) {
+                    ExceptionResponse exRes = new ExceptionResponse(HttpStatus.UNAUTHORIZED,
+                            HttpStatus.UNAUTHORIZED.getReasonPhrase(),
+                            request.getRequestURI());
+
+                    exRes.writeToResponse(response, request);
+
+                    return false;
+                }
+
+                // Check if the user has the required Scopes
+                if (!Role.checkScope(user.getRoles(), requiredScopes)) {
+                    ExceptionResponse exRes = new ExceptionResponse(HttpStatus.FORBIDDEN,
+                            HttpStatus.FORBIDDEN.getReasonPhrase(),
+                            request.getRequestURI());
+
+                    exRes.writeToResponse(response, request);
+
+                    return false;
+                }
+            }
+        }
+
+        System.out.println("AuthorizationMiddleware end");
+
+        return true; // Continue the request
+    }
+}
\ No newline at end of file
diff --git a/secure-use-api/src/main/java/org/tzi/use/api_security/rest/middleware/ExceptionHandlerMiddleware.java b/secure-use-api/src/main/java/org/tzi/use/api_security/rest/middleware/ExceptionHandlerMiddleware.java
new file mode 100644
index 0000000..780403c
--- /dev/null
+++ b/secure-use-api/src/main/java/org/tzi/use/api_security/rest/middleware/ExceptionHandlerMiddleware.java
@@ -0,0 +1,26 @@
+package org.tzi.use.api_security.rest.middleware;
+
+import java.io.IOException;
+
+import org.springframework.stereotype.Component;
+import org.springframework.web.filter.OncePerRequestFilter;
+
+import jakarta.servlet.FilterChain;
+import jakarta.servlet.ServletException;
+import jakarta.servlet.http.HttpServletRequest;
+import jakarta.servlet.http.HttpServletResponse;
+import org.tzi.use.api_security.exceptions.ExceptionResponse;
+
+// Allows Filters to throw the custom ExceptionResponse which is written to the response and is made to be read by the client
+@Component
+public class ExceptionHandlerMiddleware extends OncePerRequestFilter {
+    @Override
+    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain)
+            throws ServletException, IOException {
+        try {
+            filterChain.doFilter(request, response);
+        } catch (ExceptionResponse e) {
+            e.writeToResponse(response, request);
+        }
+    }
+}
\ No newline at end of file
diff --git a/secure-use-api/src/main/java/org/tzi/use/api_security/rest/middleware/RateLimitMiddleware.java b/secure-use-api/src/main/java/org/tzi/use/api_security/rest/middleware/RateLimitMiddleware.java
new file mode 100644
index 0000000..c4b36fa
--- /dev/null
+++ b/secure-use-api/src/main/java/org/tzi/use/api_security/rest/middleware/RateLimitMiddleware.java
@@ -0,0 +1,45 @@
+package org.tzi.use.api_security.rest.middleware;
+
+import java.io.IOException;
+
+import org.springframework.http.HttpStatus;
+import org.springframework.stereotype.Component;
+import org.springframework.web.filter.OncePerRequestFilter;
+
+import com.google.common.util.concurrent.RateLimiter;
+
+import jakarta.servlet.FilterChain;
+import jakarta.servlet.ServletException;
+import jakarta.servlet.http.HttpServletRequest;
+import jakarta.servlet.http.HttpServletResponse;
+import org.tzi.use.api_security.exceptions.ExceptionResponse;
+import org.tzi.use.api_security.util.Config;
+
+@Component
+public class RateLimitMiddleware extends OncePerRequestFilter {
+
+    // Create a rate limiter allowing 1000 requests per second
+    private RateLimiter rateLimiter = RateLimiter.create(Config.getInstance().getRateLimitPerSecond());
+
+    @Override
+    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain)
+            throws ServletException, IOException {
+
+        System.out.println("RateLimitMiddleware start");
+
+        // Acquire a permit or return 429 Too Many Requests
+        if (!rateLimiter.tryAcquire()) {
+            ExceptionResponse exRes = new ExceptionResponse(HttpStatus.TOO_MANY_REQUESTS, new String("Try again later"),
+                    request.getRequestURI());
+
+            exRes.writeToResponse(response, request);
+
+            return;
+        }
+
+        filterChain.doFilter(request, response);
+
+        System.out.println("RateLimitMiddleware end");
+    }
+
+}
\ No newline at end of file
diff --git a/secure-use-api/src/main/java/org/tzi/use/api_security/rest/middleware/ResourceLimitMiddleware.java b/secure-use-api/src/main/java/org/tzi/use/api_security/rest/middleware/ResourceLimitMiddleware.java
new file mode 100644
index 0000000..2aa7d0f
--- /dev/null
+++ b/secure-use-api/src/main/java/org/tzi/use/api_security/rest/middleware/ResourceLimitMiddleware.java
@@ -0,0 +1,92 @@
+package org.tzi.use.api_security.rest.middleware;
+
+import java.io.IOException;
+import java.lang.annotation.ElementType;
+import java.lang.annotation.Retention;
+import java.lang.annotation.RetentionPolicy;
+import java.lang.annotation.Target;
+import java.lang.reflect.Method;
+import java.time.Instant;
+
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.http.HttpStatus;
+import org.springframework.lang.Nullable;
+import org.springframework.security.core.context.SecurityContextHolder;
+import org.springframework.stereotype.Component;
+import org.springframework.web.method.HandlerMethod;
+import org.springframework.web.servlet.HandlerInterceptor;
+import org.springframework.web.servlet.ModelAndView;
+
+import jakarta.servlet.ServletException;
+import jakarta.servlet.http.HttpServletRequest;
+import jakarta.servlet.http.HttpServletResponse;
+import org.tzi.use.api_security.exceptions.ExceptionResponse;
+import org.tzi.use.api_security.rest.service.UserService;
+import org.tzi.use.api_security.security.UserAuthentication;
+
+@Component
+public class ResourceLimitMiddleware implements HandlerInterceptor {
+
+    // Is used to resource limit controller methods with this annotation
+    @Retention(RetentionPolicy.RUNTIME)
+    @Target(ElementType.METHOD)
+    public @interface ResourceLimited {}
+
+    @Autowired
+    private UserService userService;
+
+    @Override
+    public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object handler)
+            throws ServletException, IOException {
+
+        System.out.println("ResourceLimitMiddleware start");
+
+        if (handler != null && handler instanceof HandlerMethod) {
+            HandlerMethod handlerMethod = (HandlerMethod) handler;
+            Method method = handlerMethod.getMethod();
+            ResourceLimited performResourceLimit = method.getAnnotation(ResourceLimited.class);
+
+            if (performResourceLimit != null) {
+                UserAuthentication user = (UserAuthentication) SecurityContextHolder.getContext()
+                        .getAuthentication();
+
+                long resourceLimitLeft = userService.getResourceLimitLeft(user.getUserId());
+
+                if (resourceLimitLeft <= 0) {
+                    ExceptionResponse exRes = new ExceptionResponse(HttpStatus.FORBIDDEN,
+                            "Daily ResourceLimit reached",
+                            request.getRequestURI());
+
+                    exRes.writeToResponse(response, request);
+
+                    return false;
+                }
+
+                long preTimestampInSeconds = Instant.now().getEpochSecond();
+
+                request.setAttribute("ResourceLimitMiddleware__resourceLimitLeft", resourceLimitLeft);
+                request.setAttribute("ResourceLimitMiddleware__preTimestampInSeconds", preTimestampInSeconds);
+            }
+        }
+
+        return true;
+    }
+
+    @Override
+    public void postHandle(HttpServletRequest request, HttpServletResponse response, Object handler,
+            @Nullable ModelAndView modelAndView) throws Exception {
+        UserAuthentication user = (UserAuthentication) SecurityContextHolder.getContext()
+                .getAuthentication();
+        Long resourceLimitLeft = (Long) request.getAttribute("ResourceLimitMiddleware__resourceLimitLeft");
+        Long preTimestampInSeconds = (Long) request.getAttribute("ResourceLimitMiddleware__preTimestampInSeconds");
+
+        if (resourceLimitLeft != null && preTimestampInSeconds != null) {
+            long postTimestampInSeconds = Instant.now().getEpochSecond();
+
+            userService.setResourceLimitLeft(user.getUserId(),
+                    resourceLimitLeft - (postTimestampInSeconds - preTimestampInSeconds));
+        }
+
+        System.out.println("ResourceLimitMiddleware end");
+    }
+}
\ No newline at end of file
diff --git a/secure-use-api/src/main/java/org/tzi/use/api_security/rest/service/ApiTokenService.java b/secure-use-api/src/main/java/org/tzi/use/api_security/rest/service/ApiTokenService.java
new file mode 100644
index 0000000..6c4495a
--- /dev/null
+++ b/secure-use-api/src/main/java/org/tzi/use/api_security/rest/service/ApiTokenService.java
@@ -0,0 +1,68 @@
+package org.tzi.use.api_security.rest.service;
+
+import java.util.ArrayList;
+import java.util.List;
+import java.util.Optional;
+import java.util.UUID;
+
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.stereotype.Service;
+
+import jakarta.transaction.Transactional;
+import org.tzi.use.api_security.model.ApiTokenModel;
+import org.tzi.use.api_security.repository.ApiTokenRepository;
+import org.tzi.use.api_security.security.Role;
+import org.tzi.use.api_security.token.ApiToken;
+
+@Service
+public class ApiTokenService {
+    @Autowired
+    private ApiTokenRepository apiTokenRepo;
+
+    @Transactional
+    public ApiToken create(UUID userId, String email) {
+        ArrayList<Role> roles = new ArrayList<>();
+        ApiToken apiToken;
+
+        roles.add(new Role(Role.Roles.API_TOKEN));
+
+        apiToken = new ApiToken(userId, email, roles);
+
+        ApiTokenModel apiTokenModel = new ApiTokenModel();
+        apiTokenModel.setUid(apiToken.getUid());
+        apiTokenModel.setToken(apiToken.toTokenString());
+        apiTokenModel.setOwner(userId);
+
+        apiTokenRepo.save(apiTokenModel);
+
+        return apiToken;
+    }
+
+    @Transactional
+    public Optional<ApiToken> get(UUID tokenId, UUID ownerId) {
+        ApiTokenModel apiTokenModel = this.apiTokenRepo.findByUidAndOwner(tokenId, ownerId);
+
+        if (apiTokenModel != null) {
+            return ApiToken.fromString(apiTokenModel.getToken());
+        }
+
+        return Optional.empty();
+    }
+
+    @Transactional
+    public List<String> getAllAsStrings(UUID userId) {
+        List<ApiTokenModel> apiTokenModelList = this.apiTokenRepo.findByOwner(userId);
+        List<String> apiTokenList = new ArrayList<>();
+
+        for (ApiTokenModel apiTokenModel : apiTokenModelList) {
+            apiTokenList.add(apiTokenModel.getToken());
+        }
+
+        return apiTokenList;
+    }
+
+    @Transactional
+    public int delete(UUID tokenId, UUID ownerId) {
+        return this.apiTokenRepo.deleteByUidAndOwner(tokenId, ownerId);
+    }
+}
diff --git a/secure-use-api/src/main/java/org/tzi/use/api_security/rest/service/AuthenticationService.java b/secure-use-api/src/main/java/org/tzi/use/api_security/rest/service/AuthenticationService.java
new file mode 100644
index 0000000..a8fbac4
--- /dev/null
+++ b/secure-use-api/src/main/java/org/tzi/use/api_security/rest/service/AuthenticationService.java
@@ -0,0 +1,87 @@
+package org.tzi.use.api_security.rest.service;
+
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.security.authentication.AuthenticationManager;
+import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
+import org.springframework.security.core.Authentication;
+import org.springframework.security.core.AuthenticationException;
+import org.springframework.stereotype.Service;
+
+import de.mkammerer.argon2.Argon2;
+import de.mkammerer.argon2.Argon2Factory;
+import jakarta.transaction.Transactional;
+import org.tzi.use.api_security.repository.UserSecurityRepository;
+import org.tzi.use.api_security.exceptions.Exceptions.UserAlreadyExists;
+import org.tzi.use.api_security.model.UserMetaModel;
+import org.tzi.use.api_security.model.UserSecurityModel;
+import org.tzi.use.api_security.repository.UserMetaRepository;
+import org.tzi.use.api_security.security.Role;
+import org.tzi.use.api_security.security.UserDetailsImpl;
+import org.tzi.use.api_security.token.AccessToken;
+
+import java.util.ArrayList;
+import java.util.Collection;
+import java.util.UUID;
+
+@Service
+public class AuthenticationService {
+    @Autowired
+    private UserMetaRepository userMetaRepo;
+
+    @Autowired
+    private UserSecurityRepository userSecurityRepo;
+
+    @Autowired
+    private AuthenticationManager authManager;
+
+    // * Must be the same as in the CustomAuthProvider.java
+    private final Argon2 passwordEncoder = Argon2Factory.create();
+
+    @Transactional
+    public UUID register(String username, String password) throws UserAlreadyExists {
+
+        // Check if user already exists
+        if (userMetaRepo.findByEmail(username).isPresent()) {
+            throw new UserAlreadyExists("Username is already taken.");
+        }
+
+        // Create new user
+        ArrayList<String> roles = new ArrayList<>();
+        UserMetaModel userMeta;
+
+        roles.add(new Role(Role.Roles.USER).toString());
+
+        userMeta = new UserMetaModel();
+
+        userMeta.setEmail(username);
+        userMeta.setRoles(roles);
+        userMetaRepo.save(userMeta);
+
+        UserSecurityModel userSecurity = new UserSecurityModel();
+        String passwordHash = passwordEncoder.hash(22, 65536, 1, password.toCharArray());
+
+        userSecurity.setUserMeta(userMeta);
+        userSecurity.setPassword(passwordHash);
+        userSecurityRepo.save(userSecurity);
+
+        return userMeta.getUserId();
+    }
+
+    @Transactional(dontRollbackOn = AuthenticationException.class)
+    public AccessToken login(String username, String password) throws AuthenticationException {
+        Authentication authentication = authManager.authenticate(
+                new UsernamePasswordAuthenticationToken(username, password));
+
+        UserDetailsImpl user = (UserDetailsImpl) authentication.getPrincipal();
+
+        Collection<Role> roles = user.getAuthorities();
+
+        AccessToken accessToken = new AccessToken(user.getUserId(), user.getUsername(), new ArrayList<>(roles));
+
+        return accessToken;
+    }
+
+    public void delete(UUID userId) {
+        userMetaRepo.deleteById(userId);
+    }
+}
\ No newline at end of file
diff --git a/secure-use-api/src/main/java/org/tzi/use/api_security/rest/service/RefreshTokenService.java b/secure-use-api/src/main/java/org/tzi/use/api_security/rest/service/RefreshTokenService.java
new file mode 100644
index 0000000..05badf4
--- /dev/null
+++ b/secure-use-api/src/main/java/org/tzi/use/api_security/rest/service/RefreshTokenService.java
@@ -0,0 +1,59 @@
+package org.tzi.use.api_security.rest.service;
+
+import java.sql.Timestamp;
+import java.util.Date;
+
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.stereotype.Service;
+
+import jakarta.transaction.Transactional;
+import org.tzi.use.api_security.exceptions.Exceptions.ExpiredException;
+import org.tzi.use.api_security.exceptions.Exceptions.InvalidException;
+import org.tzi.use.api_security.model.RefreshTokenModel;
+import org.tzi.use.api_security.repository.RefreshTokenRepository;
+import org.tzi.use.api_security.token.AccessToken;
+import org.tzi.use.api_security.token.RefreshToken;
+
+@Service
+public class RefreshTokenService {
+
+    @Autowired
+    private RefreshTokenRepository refreshTokenRepo;
+
+    @Transactional
+    public RefreshToken create(AccessToken accessToken) {
+        RefreshToken refreshToken = new RefreshToken(accessToken.getUid());
+
+        RefreshTokenModel refreshTokenModel = new RefreshTokenModel();
+        refreshTokenModel.setUid(refreshToken.getUid());
+        refreshTokenModel.setSpouse(refreshToken.getSpouseId());
+        refreshTokenModel.setExpireAt(new Timestamp(refreshToken.getExpiresAt().getTime()));
+
+        refreshTokenRepo.save(refreshTokenModel);
+
+        return refreshToken;
+    }
+
+    @Transactional
+    public AccessToken devaluate(RefreshToken refreshToken, AccessToken spouseToken)
+            throws ExpiredException, InvalidException {
+        Date currentTime = new Date();
+
+        // Check if expiredAt Date is in the past
+        if (refreshToken.getExpiresAt().before(currentTime)) {
+            throw new ExpiredException("RefreshToken is expired");
+        }
+
+        int deletedCount = refreshTokenRepo.deleteExpiredToken(refreshToken.getUid(), spouseToken.getUid(),
+                currentTime);
+
+        if (deletedCount == 0) {
+            throw new InvalidException("RefreshToken is not valid");
+        }
+
+        AccessToken accessToken = new AccessToken(spouseToken.getUserId(), spouseToken.getEmail(),
+                spouseToken.getRoles());
+
+        return accessToken;
+    }
+}
diff --git a/secure-use-api/src/main/java/org/tzi/use/api_security/rest/service/UserService.java b/secure-use-api/src/main/java/org/tzi/use/api_security/rest/service/UserService.java
new file mode 100644
index 0000000..7bb3651
--- /dev/null
+++ b/secure-use-api/src/main/java/org/tzi/use/api_security/rest/service/UserService.java
@@ -0,0 +1,92 @@
+package org.tzi.use.api_security.rest.service;
+
+import java.sql.Timestamp;
+import java.time.Instant;
+import java.util.Calendar;
+import java.util.Date;
+import java.util.UUID;
+
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.stereotype.Service;
+
+import jakarta.transaction.Transactional;
+import org.tzi.use.api_security.model.UserAdditionsModel;
+import org.tzi.use.api_security.model.UserMetaModel;
+import org.tzi.use.api_security.repository.UserAdditionsRepository;
+import org.tzi.use.api_security.repository.UserMetaRepository;
+import org.tzi.use.api_security.util.Config;
+
+@Service
+public class UserService {
+
+    public static int timeLimitPerDayInSeconds = Config.getInstance().getResourceLimitPerDay();
+
+    @Autowired
+    private UserMetaRepository userMetaRepo;
+
+    @Autowired
+    private UserAdditionsRepository userAdditionsRepo;
+
+    @Transactional
+    public void createUserAdditions(UUID userId) {
+        // This is a db call which is needed to get the userMeta.
+        // Other approaches are getting it as parameter which require returning
+        // the Entity by the other service function (exposing the Model)
+        // The other would be using a single Service doing all stuff
+        // which creates a tighter coupling causing less flexible and separation of
+        // concerns
+        UserMetaModel userMeta = userMetaRepo.findById(userId).get();
+
+        UserAdditionsModel userAdditionsModel = new UserAdditionsModel();
+        userAdditionsModel.setUserMeta(userMeta);
+        userAdditionsModel.setResourceLimitUsed(0);
+
+        userAdditionsRepo.save(userAdditionsModel);
+    }
+
+    @Transactional
+    private long getResourceTimeUsed(UUID userId) {
+        // SELECT used WHERE uid = 1? AND lastUpdated = today;
+        // if used == 0 null = 0
+        // Get today's date without time
+        Calendar calendar = Calendar.getInstance();
+        calendar.set(Calendar.HOUR_OF_DAY, 0);
+        calendar.set(Calendar.MINUTE, 0);
+        calendar.set(Calendar.SECOND, 0);
+        calendar.set(Calendar.MILLISECOND, 0);
+        Date todayStart = calendar.getTime();
+
+        calendar.set(Calendar.HOUR_OF_DAY, 23);
+        calendar.set(Calendar.MINUTE, 59);
+        calendar.set(Calendar.SECOND, 59);
+        Date todayEnd = calendar.getTime();
+
+        UserAdditionsModel userAdditionsModel = userAdditionsRepo.findByUidAndToday(userId,
+                new Timestamp(todayStart.getTime()), new Timestamp(todayEnd.getTime()));
+
+        // If not userAdditionsModel was found, it may hint that the last update was not
+        // done today, so the user has currently used 0 resources (or the user is not
+        // present in db)
+        if (userAdditionsModel == null) {
+            return 0;
+        } else {
+            return userAdditionsModel.getResourceLimitUsed();
+        }
+    }
+
+    public long getResourceLimitLeft(UUID userId) {
+        long resourceTimeUsed = getResourceTimeUsed(userId);
+
+        return timeLimitPerDayInSeconds - resourceTimeUsed;
+    }
+
+    @Transactional
+    public int setResourceLimitLeft(UUID userId, long resourceLimitLeft) {
+        // Recalculating the OverallResourceTimeUsed, depending on the resourceLimitLeft
+        long resourceTimeUsed = (resourceLimitLeft - timeLimitPerDayInSeconds) * -1;
+        int updateCount = userAdditionsRepo.UpdateResourceTimeUsedAndLastChangedAtByUid(userId, resourceTimeUsed,
+                Timestamp.from(Instant.now()));
+
+        return updateCount;
+    }
+}
diff --git a/secure-use-api/src/main/java/org/tzi/use/api_security/security/CustomAuthProvider.java b/secure-use-api/src/main/java/org/tzi/use/api_security/security/CustomAuthProvider.java
new file mode 100644
index 0000000..8641789
--- /dev/null
+++ b/secure-use-api/src/main/java/org/tzi/use/api_security/security/CustomAuthProvider.java
@@ -0,0 +1,71 @@
+package org.tzi.use.api_security.security;
+
+import java.sql.Timestamp;
+import java.util.Date;
+
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.security.authentication.AuthenticationProvider;
+import org.springframework.security.authentication.BadCredentialsException;
+import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
+import org.springframework.security.core.Authentication;
+import org.springframework.security.core.AuthenticationException;
+import org.springframework.security.core.userdetails.UsernameNotFoundException;
+import org.springframework.stereotype.Component;
+
+import de.mkammerer.argon2.Argon2;
+import de.mkammerer.argon2.Argon2Factory;
+import org.tzi.use.api_security.repository.UserSecurityRepository;
+import org.tzi.use.api_security.model.UserComposite;
+import org.tzi.use.api_security.model.UserMetaModel;
+import org.tzi.use.api_security.model.UserSecurityModel;
+import org.tzi.use.api_security.repository.UserMetaRepository;
+
+@Component
+public class CustomAuthProvider implements AuthenticationProvider {
+
+    @Autowired
+    private UserMetaRepository userMetaRepository;
+
+    @Autowired
+    private UserSecurityRepository userSecurityRepository;
+
+    private final Argon2 passwordEncoder = Argon2Factory.create();
+
+    @Override
+    public Authentication authenticate(Authentication authentication) throws AuthenticationException {
+        String email = authentication.getName();
+        String password = authentication.getCredentials().toString();
+
+        UserComposite user = loadUserByUsername(email);
+        UserDetailsImpl userDetails = UserDetailsImpl.build(user);
+
+        if (!passwordEncoder.verify(userDetails.getPassword(), password.toCharArray())) {
+            int failedLogInAttempts = user.getUserSecurity().getFailedLogInAttempts() + 1;
+
+            user.getUserSecurity().setFailedLogInAttempts(failedLogInAttempts);
+            this.userSecurityRepository.save(user.getUserSecurity());
+
+            throw new BadCredentialsException("Invalid password");
+        }
+
+        user.getUserSecurity().setFailedLogInAttempts(0);
+        user.getUserSecurity().setLastLogInAt(new Timestamp(new Date().getTime()));
+        this.userSecurityRepository.save(user.getUserSecurity());
+
+        return new UsernamePasswordAuthenticationToken(userDetails, password, userDetails.getAuthorities());
+    }
+
+    @Override
+    public boolean supports(Class<?> authentication) {
+        return UsernamePasswordAuthenticationToken.class.isAssignableFrom(authentication);
+    }
+
+    private UserComposite loadUserByUsername(String email) throws UsernameNotFoundException {
+        UserMetaModel userMeta = userMetaRepository.findByEmail(email) //
+                .orElseThrow(() -> new UsernameNotFoundException("User Not Found with email: " + email));
+
+        UserSecurityModel userSecurity = userSecurityRepository.findById(userMeta.getUserId()).get();
+
+        return new UserComposite(userMeta, userSecurity);
+    }
+}
\ No newline at end of file
diff --git a/secure-use-api/src/main/java/org/tzi/use/api_security/security/RequireScope.java b/secure-use-api/src/main/java/org/tzi/use/api_security/security/RequireScope.java
new file mode 100644
index 0000000..348f0e7
--- /dev/null
+++ b/secure-use-api/src/main/java/org/tzi/use/api_security/security/RequireScope.java
@@ -0,0 +1,12 @@
+package org.tzi.use.api_security.security;
+
+import java.lang.annotation.Retention;
+import java.lang.annotation.Target;
+import java.lang.annotation.ElementType;
+import java.lang.annotation.RetentionPolicy;
+
+@Retention(RetentionPolicy.RUNTIME)
+@Target(ElementType.METHOD)
+public @interface RequireScope {
+    String[] value(); // Define the scopes required for the method
+}
\ No newline at end of file
diff --git a/secure-use-api/src/main/java/org/tzi/use/api_security/security/Role.java b/secure-use-api/src/main/java/org/tzi/use/api_security/security/Role.java
new file mode 100644
index 0000000..f48c9aa
--- /dev/null
+++ b/secure-use-api/src/main/java/org/tzi/use/api_security/security/Role.java
@@ -0,0 +1,73 @@
+package org.tzi.use.api_security.security;
+
+import java.util.ArrayList;
+import java.util.Arrays;
+import java.util.Collection;
+import java.util.HashMap;
+import java.util.List;
+import java.util.Map;
+
+import org.springframework.security.core.GrantedAuthority;
+
+public class Role implements GrantedAuthority {
+
+    public static enum Roles {
+        API_TOKEN,
+        USER,
+    }
+
+    private static final Map<Roles, List<String>> roleScopesMap = new HashMap<>();
+
+    static {
+        // Initialize the map with roles and their corresponding scopes
+        roleScopesMap.put(Roles.USER, List.of("authenticated", "account:read", "account:delete", "token:create",
+                "token:read", "token:delete"));
+        roleScopesMap.put(Roles.API_TOKEN, List.of("authenticated", "account:read", "token:read"));
+    }
+
+    private final Roles role;
+
+    private Collection<String> scopes;
+
+    public static boolean checkScope(Collection<Role> roles, String[] requiredScopes) {
+        List<String> requiredScopesList = new ArrayList<>(Arrays.asList(requiredScopes));
+
+        for (Role role : roles) {
+            if (requiredScopesList.isEmpty()) {
+                break;
+            }
+
+            requiredScopesList.removeAll(role.getScopes());
+        }
+
+        // If all requiredScopes where removed by being present in roles, the check is
+        // successful
+        return requiredScopesList.isEmpty();
+    }
+
+    public Role(Roles role) {
+        this.role = role;
+
+        Collection<String> scopes = roleScopesMap.get(role);
+
+        this.scopes = scopes != null ? scopes : List.of();
+    }
+
+    @Override
+    public String getAuthority() {
+        return this.role.toString();
+    }
+
+    public Collection<String> getScopes() {
+        return this.scopes;
+    }
+
+    @Override
+    public String toString() {
+        return this.role.toString();
+    }
+
+    public static Role fromString(String roleString) {
+        return new Role(Roles.valueOf(roleString));
+    }
+}
diff --git a/secure-use-api/src/main/java/org/tzi/use/api_security/security/SecurityConfig.java b/secure-use-api/src/main/java/org/tzi/use/api_security/security/SecurityConfig.java
new file mode 100644
index 0000000..05cee34
--- /dev/null
+++ b/secure-use-api/src/main/java/org/tzi/use/api_security/security/SecurityConfig.java
@@ -0,0 +1,73 @@
+package org.tzi.use.api_security.security;
+
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.http.HttpMethod;
+import org.springframework.security.authentication.AuthenticationManager;
+import org.springframework.security.config.annotation.authentication.configuration.AuthenticationConfiguration;
+import org.springframework.security.config.annotation.web.builders.HttpSecurity;
+import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
+import org.springframework.security.config.http.SessionCreationPolicy;
+import org.springframework.security.web.SecurityFilterChain;
+import org.springframework.security.web.context.SecurityContextHolderFilter;
+import org.springframework.security.web.session.DisableEncodeUrlFilter;
+
+import org.tzi.use.api_security.exceptions.CustomAuthenticationEntryPoint;
+import org.tzi.use.api_security.rest.middleware.AuditLogMiddleware;
+import org.tzi.use.api_security.rest.middleware.AuthenticationMiddleware;
+import org.tzi.use.api_security.rest.middleware.ExceptionHandlerMiddleware;
+import org.tzi.use.api_security.rest.middleware.RateLimitMiddleware;
+
+@Configuration
+@EnableWebSecurity
+public class SecurityConfig {
+	@Autowired
+	private ExceptionHandlerMiddleware exceptionHandlerMiddleware;
+
+	@Autowired
+	private RateLimitMiddleware rateLimitMiddleware;
+
+	@Autowired
+	private AuthenticationMiddleware authenticationMiddleware;
+
+	@Autowired
+	private AuditLogMiddleware auditLogMiddleware;
+
+	@Bean
+	public AuthenticationManager authenticationManager(AuthenticationConfiguration authenticationConfiguration)
+			throws Exception {
+		// Since CustomAuthProvider is annotated with @Component, spring detects it as
+		// Bean and use it for dependency injection in the automatically created default
+		// AuthenticationManager because it is implementing the AuthenticationProvider
+		return authenticationConfiguration.getAuthenticationManager();
+	}
+
+	@Bean
+	public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
+		http.csrf(csrf -> csrf.disable()) // disable crsf because we are stateless (no cookies for authentication)
+			.authorizeHttpRequests((request) -> request
+					// .requestMatchers(HttpMethod.GET, "/h2-console/**").permitAll()
+					// .requestMatchers(HttpMethod.POST, "/h2-console/**").permitAll()
+					.requestMatchers(HttpMethod.POST, "/auth/register", "/auth/login").permitAll()
+					.requestMatchers(HttpMethod.PUT, "/auth/login").permitAll()
+					.requestMatchers("/error").permitAll()
+					.anyRequest().authenticated()) // Require all request except the above to be authenticated
+			.sessionManagement(session -> session.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
+			.addFilterBefore(exceptionHandlerMiddleware, DisableEncodeUrlFilter.class) // The very first filter
+			.addFilterAfter(rateLimitMiddleware, ExceptionHandlerMiddleware.class)
+			.addFilterAfter(auditLogMiddleware, SecurityContextHolderFilter.class)
+			.addFilterAfter(authenticationMiddleware, AuditLogMiddleware.class)
+			.exceptionHandling((exception) -> exception
+					.authenticationEntryPoint(new CustomAuthenticationEntryPoint()));
+
+		// Need to set the AuditLog before AuthenticationMiddleware (and after
+		// SecurityContextHolderFilter to access it), because we also
+		// want to log errors happening in the AuthenticationMiddleware which would not
+		// be possible if being executed after it. We can still get the user if it
+		// exists after the request was processed (so getting it on the way out and not
+		// in)
+
+		return http.build();
+	}
+}
\ No newline at end of file
diff --git a/secure-use-api/src/main/java/org/tzi/use/api_security/security/UserAuthentication.java b/secure-use-api/src/main/java/org/tzi/use/api_security/security/UserAuthentication.java
new file mode 100644
index 0000000..2348113
--- /dev/null
+++ b/secure-use-api/src/main/java/org/tzi/use/api_security/security/UserAuthentication.java
@@ -0,0 +1,76 @@
+package org.tzi.use.api_security.security;
+
+import java.util.ArrayList;
+import java.util.Collection;
+import java.util.UUID;
+
+import org.springframework.security.core.Authentication;
+import org.springframework.security.core.GrantedAuthority;
+
+public class UserAuthentication implements Authentication {
+
+    private final UUID userId; // Custom field for user ID
+    private final String email; // Username
+    private Object credentials;
+    private Object details;
+    private final Collection<Role> roles; // User roles
+    private boolean authenticated; // Authentication status
+
+    public UserAuthentication(UUID userId, String email, Collection<Role> authorities) {
+        this.userId = userId;
+        this.email = email;
+        this.roles = authorities != null ? authorities : new ArrayList<>();
+        this.authenticated = true; // Set to true upon successful authentication
+    }
+
+    @Override
+    public String getName() {
+        return this.email;
+    }
+
+    @Override
+    public Collection<? extends GrantedAuthority> getAuthorities() {
+        return this.roles;
+    }
+
+    @Override
+    public Object getCredentials() {
+        return this.credentials;
+    }
+
+    @Override
+    public Object getDetails() {
+        return this.details;
+    }
+
+    @Override
+    public Object getPrincipal() {
+        return this.email;
+    }
+
+    @Override
+    public boolean isAuthenticated() {
+        return this.authenticated;
+    }
+
+    @Override
+    public void setAuthenticated(boolean isAuthenticated) {
+        this.authenticated = isAuthenticated;
+    }
+
+    public UUID getUserId() {
+        return this.userId;
+    }
+
+    public Collection<Role> getRoles() {
+        return this.roles;
+    }
+
+    public void setCredentials(Object credentials) {
+        this.credentials = credentials;
+    }
+
+    public void setDetails(Object details) {
+        this.details = details;
+    }
+}
diff --git a/secure-use-api/src/main/java/org/tzi/use/api_security/security/UserDetailsImpl.java b/secure-use-api/src/main/java/org/tzi/use/api_security/security/UserDetailsImpl.java
new file mode 100644
index 0000000..3574914
--- /dev/null
+++ b/secure-use-api/src/main/java/org/tzi/use/api_security/security/UserDetailsImpl.java
@@ -0,0 +1,64 @@
+package org.tzi.use.api_security.security;
+
+import java.util.Collection;
+import java.util.List;
+import java.util.UUID;
+import java.util.stream.Collectors;
+
+import org.springframework.security.core.userdetails.UserDetails;
+
+import com.fasterxml.jackson.annotation.JsonIgnore;
+
+import org.tzi.use.api_security.model.UserComposite;
+
+public class UserDetailsImpl implements UserDetails {
+
+    private final UUID userId; // Custom field for user ID
+
+    private final String email; // Email
+
+    @JsonIgnore
+    private String password;
+
+    private final Collection<Role> authorities; // User roles
+
+    public UserDetailsImpl(UUID userId, String email, String password,
+            Collection<Role> authorities) {
+        this.userId = userId;
+        this.email = email;
+        this.password = password;
+        this.authorities = authorities;
+    }
+
+    public static UserDetailsImpl build(UserComposite user) {
+
+        List<Role> roles = user.getUserMeta().getRoles().stream()
+                .map(Role::fromString)
+                .collect(Collectors.toList());
+
+        return new UserDetailsImpl(
+                user.getUserMeta().getUserId(),
+                user.getUserMeta().getEmail(),
+                user.getUserSecurity().getPassword(),
+                roles);
+    }
+
+    public UUID getUserId() {
+        return this.userId;
+    }
+
+    @Override
+    public String getPassword() {
+        return this.password;
+    }
+
+    @Override
+    public String getUsername() {
+        return this.email;
+    }
+
+    @Override
+    public Collection<Role> getAuthorities() {
+        return this.authorities;
+    }
+}
diff --git a/secure-use-api/src/main/java/org/tzi/use/api_security/security/WebConfig.java b/secure-use-api/src/main/java/org/tzi/use/api_security/security/WebConfig.java
new file mode 100644
index 0000000..0424f57
--- /dev/null
+++ b/secure-use-api/src/main/java/org/tzi/use/api_security/security/WebConfig.java
@@ -0,0 +1,43 @@
+package org.tzi.use.api_security.security;
+
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.web.servlet.config.annotation.CorsRegistry;
+import org.springframework.web.servlet.config.annotation.InterceptorRegistry;
+import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;
+
+import org.tzi.use.api_security.rest.middleware.AuthorizationMiddleware;
+import org.tzi.use.api_security.rest.middleware.ResourceLimitMiddleware;
+
+@Configuration
+public class WebConfig implements WebMvcConfigurer {
+
+    @Autowired
+    private AuthorizationMiddleware authorizationMiddleware;
+
+    @Autowired
+    private ResourceLimitMiddleware resourceLimitMiddleware;
+
+    @Override
+    public void addInterceptors(InterceptorRegistry registry) {
+        registry.addInterceptor(authorizationMiddleware);
+
+        registry.addInterceptor(resourceLimitMiddleware)
+                .addPathPatterns("/user/**");
+
+        // Register the ResourceLimitMiddleware
+        // registry.addInterceptor(resourceLimitMiddleware)
+        // .addPathPatterns("/api/**") // Specify URL patterns for resource limit
+        // .order(1); // Ensure it runs after AuthorizationMiddleware
+    }
+
+    @Override
+    public void addCorsMappings(CorsRegistry registry) {
+        // Simply setting Access-Control Headers
+        registry.addMapping("/**")
+                // .allowedOrigins("https://example.com")
+                .allowedMethods("GET", "POST", "PUT", "DELETE", "OPTIONS")
+                .allowedHeaders("Content-Type", "Authorization")
+                .allowCredentials(false);
+    }
+}
\ No newline at end of file
diff --git a/secure-use-api/src/main/java/org/tzi/use/api_security/token/AbstractToken.java b/secure-use-api/src/main/java/org/tzi/use/api_security/token/AbstractToken.java
new file mode 100644
index 0000000..e8feed2
--- /dev/null
+++ b/secure-use-api/src/main/java/org/tzi/use/api_security/token/AbstractToken.java
@@ -0,0 +1,12 @@
+package org.tzi.use.api_security.token;
+
+import java.lang.reflect.Type;
+import java.util.Map;
+
+import com.google.gson.reflect.TypeToken;
+
+public abstract class AbstractToken {
+    protected static Type payloadType = new TypeToken<Map<String, Object>>() {}.getType();
+
+    protected static SimpleTokenStringHandler tokenStringHandler;
+}
diff --git a/secure-use-api/src/main/java/org/tzi/use/api_security/token/AccessToken.java b/secure-use-api/src/main/java/org/tzi/use/api_security/token/AccessToken.java
new file mode 100644
index 0000000..8c6ffdf
--- /dev/null
+++ b/secure-use-api/src/main/java/org/tzi/use/api_security/token/AccessToken.java
@@ -0,0 +1,133 @@
+package org.tzi.use.api_security.token;
+
+import java.util.Date;
+import java.util.HashMap;
+import java.util.List;
+import java.util.Map;
+import java.util.Optional;
+import java.util.UUID;
+import java.util.stream.Collectors;
+
+import com.google.gson.Gson;
+import org.tzi.use.api_security.security.Role;
+import org.tzi.use.api_security.util.Config;
+
+public class AccessToken extends AbstractToken {
+    static long expirationTime = 720000;
+    protected static SimpleTokenStringHandler tokenStringHandler = new JwtHandler(
+            Config.getInstance().getSecretAccessTokenKey());
+
+    protected final UUID uid;
+    protected final UUID userId;
+    protected final String email;
+    protected final List<Role> roles;
+    protected final Optional<Date> expiresAt;
+
+    public class InnerAccessToken {
+        public String jti;
+        public String sub;
+        public String userId;
+        public Long exp;
+        public List<String> roles;
+    }
+
+    public AccessToken(UUID userId, String email, List<Role> roles) {
+        this.uid = UUID.randomUUID();
+        this.userId = userId;
+        this.email = email;
+        this.roles = roles;
+        this.expiresAt = Optional.of(new Date(System.currentTimeMillis() + expirationTime));
+    }
+
+    protected AccessToken(UUID uid, UUID userId, String email, List<Role> roles, Optional<Date> expiresAt) {
+        this.uid = uid;
+        this.userId = userId;
+        this.email = email;
+        this.roles = roles;
+        this.expiresAt = expiresAt;
+    }
+
+    static public Optional<AccessToken> fromTokenString(String tokeString) throws IllegalArgumentException {
+        Optional<String> payloadString = tokenStringHandler.payloadFromTokenString(tokeString);
+
+        if (payloadString.isPresent()) {
+            Gson json = new Gson();
+            InnerAccessToken payload = json.fromJson(payloadString.get(), InnerAccessToken.class);
+
+            String uidString = payload.jti;
+            String email = payload.sub;
+            Long expiresAtLong = payload.exp;
+            String userIdString = payload.userId;
+            List<String> rolesAStrings = payload.roles;
+            List<Role> roles;
+
+            if (uidString == null || uidString.isEmpty()) {
+                throw new IllegalArgumentException("Missing uid");
+            }
+
+            if (userIdString == null || userIdString.isEmpty()) {
+                throw new IllegalArgumentException("Missing userId");
+            }
+
+            if (email == null || email.isEmpty()) {
+                throw new IllegalArgumentException("Missing email");
+            }
+
+            if (rolesAStrings == null) {
+                throw new IllegalArgumentException("No roles present");
+            } else {
+                roles = rolesAStrings.stream()
+                        .map(Role::fromString)
+                        .collect(Collectors.toList());
+            }
+
+            UUID uid = UUID.fromString(uidString);
+            UUID userId = UUID.fromString(userIdString);
+            Optional<Date> expiresAtDate = expiresAtLong != null ? Optional.of(new Date(expiresAtLong * 1000))
+                    : Optional.empty();
+
+            return Optional.of(new AccessToken(uid, userId, email, roles, expiresAtDate));
+        }
+
+        return Optional.empty();
+    }
+
+    public String toTokenString() {
+        Map<String, Object> payload = new HashMap<>();
+        List<String> rolesAsStrings = this.roles.stream()
+                .map(Role::toString)
+                .collect(Collectors.toList());
+
+        payload.put("jti", this.uid.toString());
+        payload.put("sub", this.email);
+        payload.put("iat", new Date().getTime() / 1000);
+        payload.put("userId", this.userId.toString());
+        payload.put("roles", rolesAsStrings);
+
+        if (this.expiresAt.isPresent()) {
+            payload.put("exp", this.expiresAt.get().getTime() / 1000);
+        }
+
+        return tokenStringHandler.payloadToTokenString(payload);
+    }
+
+    public UUID getUid() {
+        return this.uid;
+    }
+
+    public UUID getUserId() {
+        return this.userId;
+    }
+
+    public String getEmail() {
+        return this.email;
+    }
+
+    public List<Role> getRoles() {
+        return this.roles;
+    }
+
+    public boolean isLongLife() {
+        return !this.expiresAt.isPresent();
+    }
+}
diff --git a/secure-use-api/src/main/java/org/tzi/use/api_security/token/ApiToken.java b/secure-use-api/src/main/java/org/tzi/use/api_security/token/ApiToken.java
new file mode 100644
index 0000000..20f9fbd
--- /dev/null
+++ b/secure-use-api/src/main/java/org/tzi/use/api_security/token/ApiToken.java
@@ -0,0 +1,37 @@
+package org.tzi.use.api_security.token;
+
+import java.util.List;
+import java.util.Optional;
+import java.util.UUID;
+
+import org.tzi.use.api_security.security.Role;
+
+public class ApiToken extends AccessToken {
+    public static Optional<ApiToken> fromAccessToken(AccessToken accessToken) {
+        if (accessToken.isLongLife()) {
+            return Optional.of(new ApiToken(accessToken.getUid(), accessToken.getUserId(), accessToken.getEmail(),
+                    accessToken.getRoles()));
+        }
+
+        return Optional.empty();
+    }
+
+    public static Optional<ApiToken> fromString(String tokenString) {
+        Optional<AccessToken> accessTokenOptional = AccessToken.fromTokenString(tokenString);
+
+        if (accessTokenOptional.isPresent()) {
+            return ApiToken.fromAccessToken(accessTokenOptional.get());
+        }
+
+        return Optional.empty();
+    }
+
+    public ApiToken(UUID userId, String email, List<Role> roles) {
+        super(UUID.randomUUID(), userId, email, roles, Optional.empty());
+    }
+
+    private ApiToken(UUID uid, UUID userId, String email, List<Role> roles) {
+        super(uid, userId, email, roles, Optional.empty());
+    }
+
+}
diff --git a/secure-use-api/src/main/java/org/tzi/use/api_security/token/JwtHandler.java b/secure-use-api/src/main/java/org/tzi/use/api_security/token/JwtHandler.java
new file mode 100644
index 0000000..56d9625
--- /dev/null
+++ b/secure-use-api/src/main/java/org/tzi/use/api_security/token/JwtHandler.java
@@ -0,0 +1,47 @@
+package org.tzi.use.api_security.token;
+
+import java.lang.reflect.Type;
+import java.util.Base64;
+import java.util.Map;
+import java.util.Optional;
+
+import com.auth0.jwt.JWT;
+import com.auth0.jwt.JWTVerifier;
+import com.auth0.jwt.algorithms.Algorithm;
+import com.auth0.jwt.interfaces.DecodedJWT;
+import com.google.gson.reflect.TypeToken;
+
+public class JwtHandler implements SimpleTokenStringHandler {
+    public static Type payloadType = new TypeToken<Map<String, Object>>() {}.getType();
+
+    private Algorithm algorithm;
+    private JWTVerifier verifier;
+
+    public JwtHandler(String secretKey) {
+        this.algorithm = Algorithm.HMAC256(secretKey);
+        this.verifier = JWT.require(algorithm)
+            // .withIssuer("HAW-Hamburg")
+            .build();
+    }
+
+    @Override
+    public Optional<String> payloadFromTokenString(String tokeString) {
+
+        try {
+            DecodedJWT jwt = this.verifier.verify(tokeString);
+            byte[] decodedBytes = Base64.getDecoder().decode(jwt.getPayload());
+            String decodedString = new String(decodedBytes);
+
+            return Optional.of(decodedString);
+        } catch(Exception _e) {
+            System.out.println(_e);
+            return Optional.empty();
+        }
+    }
+
+    @Override
+    public String payloadToTokenString(Map<String, Object> payload) {
+        return JWT.create().withPayload(payload).sign(this.algorithm);
+    }
+
+}
diff --git a/secure-use-api/src/main/java/org/tzi/use/api_security/token/PasetoHandler.java b/secure-use-api/src/main/java/org/tzi/use/api_security/token/PasetoHandler.java
new file mode 100644
index 0000000..3d2bf1b
--- /dev/null
+++ b/secure-use-api/src/main/java/org/tzi/use/api_security/token/PasetoHandler.java
@@ -0,0 +1,19 @@
+package org.tzi.use.api_security.token;
+
+import java.util.Map;
+import java.util.Optional;
+
+public class PasetoHandler implements SimpleTokenStringHandler {
+    @Override
+    public Optional<String> payloadFromTokenString(String tokeString) {
+        // TODO Auto-generated method stub
+        throw new UnsupportedOperationException("Unimplemented method 'payloadFromTokenString'");
+    }
+
+    @Override
+    public String payloadToTokenString(Map<String,Object> payload) {
+        // TODO Auto-generated method stub
+        throw new UnsupportedOperationException("Unimplemented method 'payloadToTokenString'");
+    }
+    
+}
diff --git a/secure-use-api/src/main/java/org/tzi/use/api_security/token/RefreshToken.java b/secure-use-api/src/main/java/org/tzi/use/api_security/token/RefreshToken.java
new file mode 100644
index 0000000..b76ba98
--- /dev/null
+++ b/secure-use-api/src/main/java/org/tzi/use/api_security/token/RefreshToken.java
@@ -0,0 +1,95 @@
+package org.tzi.use.api_security.token;
+
+import java.util.Date;
+import java.util.HashMap;
+import java.util.Map;
+import java.util.Optional;
+import java.util.UUID;
+
+import com.google.gson.Gson;
+import org.tzi.use.api_security.util.Config;
+
+public class RefreshToken extends AbstractToken {
+    static long expirationTime = 2592000000L; // 30 day
+    protected static SimpleTokenStringHandler tokenStringHandler = new JwtHandler(
+            Config.getInstance().getSecretRefreshTokenKey());
+
+    protected final UUID uid;
+    protected final UUID spouseId;
+    protected final Date expiresAt;
+
+    public class InnerAccessToken {
+        public String jti;
+        public String spouseId;
+        public Long exp;
+    }
+
+    public RefreshToken(UUID spouseId) {
+        this.uid = UUID.randomUUID();
+        this.spouseId = spouseId;
+        this.expiresAt = new Date(System.currentTimeMillis() + expirationTime);
+    }
+
+    protected RefreshToken(UUID uid, UUID spouseId, Date expiresAt) {
+        this.uid = uid;
+        this.spouseId = spouseId;
+        this.expiresAt = expiresAt;
+    }
+
+    static public Optional<RefreshToken> fromTokenString(String tokeString) throws IllegalArgumentException {
+        Optional<String> payloadString = tokenStringHandler.payloadFromTokenString(tokeString);
+
+        if (payloadString.isPresent()) {
+            Gson json = new Gson();
+            InnerAccessToken payload = json.fromJson(payloadString.get(), InnerAccessToken.class);
+
+            String uidString = payload.jti;
+            String spouseIdString = payload.spouseId;
+            Long expiresAtLong = payload.exp;
+
+            if (uidString == null || uidString.isEmpty()) {
+                throw new IllegalArgumentException("Missing uid");
+            }
+
+            if (spouseIdString == null || spouseIdString.isEmpty()) {
+                throw new IllegalArgumentException("Missing userId");
+            }
+
+            if (expiresAtLong == null) {
+                throw new IllegalArgumentException("expires date is null");
+            }
+
+            UUID uid = UUID.fromString(uidString);
+            UUID spouseId = UUID.fromString(spouseIdString);
+            Date expiresAtDate = new Date(expiresAtLong * 1000);
+
+            return Optional.of(new RefreshToken(uid, spouseId, expiresAtDate));
+        }
+
+        return Optional.empty();
+    }
+
+    public String toTokenString() {
+        Map<String, Object> payload = new HashMap<>();
+
+        payload.put("jti", this.uid.toString());
+        payload.put("spouseId", this.spouseId.toString());
+        payload.put("iat", new Date().getTime() / 1000);
+        payload.put("exp", this.expiresAt.getTime() / 1000);
+
+        return tokenStringHandler.payloadToTokenString(payload);
+    }
+
+    public UUID getUid() {
+        return this.uid;
+    }
+
+    public UUID getSpouseId() {
+        return this.spouseId;
+    }
+
+    public Date getExpiresAt() {
+        return this.expiresAt;
+    }
+
+}
diff --git a/secure-use-api/src/main/java/org/tzi/use/api_security/token/SimpleTokenStringHandler.java b/secure-use-api/src/main/java/org/tzi/use/api_security/token/SimpleTokenStringHandler.java
new file mode 100644
index 0000000..cbc38bd
--- /dev/null
+++ b/secure-use-api/src/main/java/org/tzi/use/api_security/token/SimpleTokenStringHandler.java
@@ -0,0 +1,9 @@
+package org.tzi.use.api_security.token;
+
+import java.util.Map;
+import java.util.Optional;
+
+public interface SimpleTokenStringHandler {
+    Optional<String> payloadFromTokenString(String tokeString);
+    String payloadToTokenString(Map<String,Object> payload);
+}
diff --git a/secure-use-api/src/main/java/org/tzi/use/api_security/util/Config.java b/secure-use-api/src/main/java/org/tzi/use/api_security/util/Config.java
new file mode 100644
index 0000000..caba5f4
--- /dev/null
+++ b/secure-use-api/src/main/java/org/tzi/use/api_security/util/Config.java
@@ -0,0 +1,36 @@
+package org.tzi.use.api_security.util;
+
+import io.github.cdimascio.dotenv.Dotenv;
+
+public class Config {
+    // Singleton instance
+    private static Config instance;
+    private final Dotenv dotenv;
+
+    private Config() {
+        dotenv = Dotenv.load(); // Load the .env file
+    }
+
+    public static Config getInstance() {
+        if (instance == null) {
+            instance = new Config();
+        }
+        return instance;
+    }
+
+    public String getSecretAccessTokenKey() {
+        return dotenv.get("SECRET_ACCESS_TOKEN_KEY");
+    }
+
+    public String getSecretRefreshTokenKey() {
+        return dotenv.get("SECRET_REFRESH_TOKEN_KEY");
+    }
+
+    public double getRateLimitPerSecond() {
+        return Double.parseDouble(dotenv.get("RATE_LIMIT_PER_SECOND"));
+    }
+
+    public int getResourceLimitPerDay() {
+        return Integer.parseInt(dotenv.get("RESOURCE_LIMIT_PER_DAY"));
+    }
+}
\ No newline at end of file
diff --git a/secure-use-api/src/main/java/org/tzi/use/api_security/util/HibernateUtil.java b/secure-use-api/src/main/java/org/tzi/use/api_security/util/HibernateUtil.java
new file mode 100644
index 0000000..61cb724
--- /dev/null
+++ b/secure-use-api/src/main/java/org/tzi/use/api_security/util/HibernateUtil.java
@@ -0,0 +1,25 @@
+package org.tzi.use.api_security.util;
+
+import org.hibernate.Session;
+import org.hibernate.SessionFactory;
+import org.hibernate.cfg.Configuration;
+
+public class HibernateUtil {
+    private static final SessionFactory sessionFactory = buildSessionFactory();
+
+    private static SessionFactory buildSessionFactory() {
+        try {
+            return new Configuration().configure().buildSessionFactory();
+        } catch (Throwable ex) {
+            throw new ExceptionInInitializerError(ex);
+        }
+    }
+
+    public static SessionFactory getSessionFactory() {
+        return sessionFactory;
+    }
+
+    public static Session getCurrentSession() {
+        return getSessionFactory().getCurrentSession();
+    }
+}
\ No newline at end of file
diff --git a/use-api/src/main/java/org/tzi/use/DTO/AggregationTypeDTO.java b/secure-use-api/src/main/java/org/tzi/use/use_logic/DTO/AggregationTypeDTO.java
similarity index 90%
rename from use-api/src/main/java/org/tzi/use/DTO/AggregationTypeDTO.java
rename to secure-use-api/src/main/java/org/tzi/use/use_logic/DTO/AggregationTypeDTO.java
index 43f8e7a..4cd2a27 100644
--- a/use-api/src/main/java/org/tzi/use/DTO/AggregationTypeDTO.java
+++ b/secure-use-api/src/main/java/org/tzi/use/use_logic/DTO/AggregationTypeDTO.java
@@ -1,4 +1,4 @@
-package org.tzi.use.DTO;
+package org.tzi.use.use_logic.DTO;
 
 public enum AggregationTypeDTO {
     NONE("association"),
diff --git a/use-api/src/main/java/org/tzi/use/DTO/AssociationDTO.java b/secure-use-api/src/main/java/org/tzi/use/use_logic/DTO/AssociationDTO.java
similarity index 93%
rename from use-api/src/main/java/org/tzi/use/DTO/AssociationDTO.java
rename to secure-use-api/src/main/java/org/tzi/use/use_logic/DTO/AssociationDTO.java
index f6e96e9..3a79f01 100644
--- a/use-api/src/main/java/org/tzi/use/DTO/AssociationDTO.java
+++ b/secure-use-api/src/main/java/org/tzi/use/use_logic/DTO/AssociationDTO.java
@@ -1,4 +1,4 @@
-package org.tzi.use.DTO;
+package org.tzi.use.use_logic.DTO;
 
 import lombok.AllArgsConstructor;
 import lombok.Data;
diff --git a/use-api/src/main/java/org/tzi/use/DTO/AttributeDTO.java b/secure-use-api/src/main/java/org/tzi/use/use_logic/DTO/AttributeDTO.java
similarity index 86%
rename from use-api/src/main/java/org/tzi/use/DTO/AttributeDTO.java
rename to secure-use-api/src/main/java/org/tzi/use/use_logic/DTO/AttributeDTO.java
index 8640f9a..23d6ffc 100644
--- a/use-api/src/main/java/org/tzi/use/DTO/AttributeDTO.java
+++ b/secure-use-api/src/main/java/org/tzi/use/use_logic/DTO/AttributeDTO.java
@@ -1,4 +1,4 @@
-package org.tzi.use.DTO;
+package org.tzi.use.use_logic.DTO;
 
 import lombok.Data;
 import lombok.NoArgsConstructor;
diff --git a/use-api/src/main/java/org/tzi/use/DTO/ClassDTO.java b/secure-use-api/src/main/java/org/tzi/use/use_logic/DTO/ClassDTO.java
similarity index 91%
rename from use-api/src/main/java/org/tzi/use/DTO/ClassDTO.java
rename to secure-use-api/src/main/java/org/tzi/use/use_logic/DTO/ClassDTO.java
index e9d194f..23900eb 100644
--- a/use-api/src/main/java/org/tzi/use/DTO/ClassDTO.java
+++ b/secure-use-api/src/main/java/org/tzi/use/use_logic/DTO/ClassDTO.java
@@ -1,4 +1,4 @@
-package org.tzi.use.DTO;
+package org.tzi.use.use_logic.DTO;
 
 import lombok.*;
 
diff --git a/use-api/src/main/java/org/tzi/use/DTO/InvariantDTO.java b/secure-use-api/src/main/java/org/tzi/use/use_logic/DTO/InvariantDTO.java
similarity index 88%
rename from use-api/src/main/java/org/tzi/use/DTO/InvariantDTO.java
rename to secure-use-api/src/main/java/org/tzi/use/use_logic/DTO/InvariantDTO.java
index 5a4d51a..0e64936 100644
--- a/use-api/src/main/java/org/tzi/use/DTO/InvariantDTO.java
+++ b/secure-use-api/src/main/java/org/tzi/use/use_logic/DTO/InvariantDTO.java
@@ -1,4 +1,4 @@
-package org.tzi.use.DTO;
+package org.tzi.use.use_logic.DTO;
 
 import lombok.AllArgsConstructor;
 import lombok.Data;
diff --git a/use-api/src/main/java/org/tzi/use/DTO/ModelDTO.java b/secure-use-api/src/main/java/org/tzi/use/use_logic/DTO/ModelDTO.java
similarity index 73%
rename from use-api/src/main/java/org/tzi/use/DTO/ModelDTO.java
rename to secure-use-api/src/main/java/org/tzi/use/use_logic/DTO/ModelDTO.java
index 9e61a79..d060eb0 100644
--- a/use-api/src/main/java/org/tzi/use/DTO/ModelDTO.java
+++ b/secure-use-api/src/main/java/org/tzi/use/use_logic/DTO/ModelDTO.java
@@ -1,9 +1,9 @@
-package org.tzi.use.DTO;
+package org.tzi.use.use_logic.DTO;
 
 import lombok.*;
-import org.tzi.use.entities.AssociationNTT;
-import org.tzi.use.entities.InvariantNTT;
-import org.tzi.use.entities.PrePostConditionNTT;
+import org.tzi.use.use_logic.entities.AssociationNTT;
+import org.tzi.use.use_logic.entities.InvariantNTT;
+import org.tzi.use.use_logic.entities.PrePostConditionNTT;
 
 import java.util.ArrayList;
 import java.util.List;
diff --git a/use-api/src/main/java/org/tzi/use/DTO/OperationDTO.java b/secure-use-api/src/main/java/org/tzi/use/use_logic/DTO/OperationDTO.java
similarity index 88%
rename from use-api/src/main/java/org/tzi/use/DTO/OperationDTO.java
rename to secure-use-api/src/main/java/org/tzi/use/use_logic/DTO/OperationDTO.java
index e7d59c0..7221a6b 100644
--- a/use-api/src/main/java/org/tzi/use/DTO/OperationDTO.java
+++ b/secure-use-api/src/main/java/org/tzi/use/use_logic/DTO/OperationDTO.java
@@ -1,4 +1,4 @@
-package org.tzi.use.DTO;
+package org.tzi.use.use_logic.DTO;
 
 import lombok.Data;
 import lombok.NoArgsConstructor;
diff --git a/use-api/src/main/java/org/tzi/use/DTO/PrePostConditionDTO.java b/secure-use-api/src/main/java/org/tzi/use/use_logic/DTO/PrePostConditionDTO.java
similarity index 89%
rename from use-api/src/main/java/org/tzi/use/DTO/PrePostConditionDTO.java
rename to secure-use-api/src/main/java/org/tzi/use/use_logic/DTO/PrePostConditionDTO.java
index ce81034..d0434ae 100644
--- a/use-api/src/main/java/org/tzi/use/DTO/PrePostConditionDTO.java
+++ b/secure-use-api/src/main/java/org/tzi/use/use_logic/DTO/PrePostConditionDTO.java
@@ -1,4 +1,4 @@
-package org.tzi.use.DTO;
+package org.tzi.use.use_logic.DTO;
 
 import lombok.AllArgsConstructor;
 import lombok.Data;
diff --git a/use-api/src/main/java/org/tzi/use/GlobalExceptionHandler.java b/secure-use-api/src/main/java/org/tzi/use/use_logic/GlobalExceptionHandler.java
similarity index 99%
rename from use-api/src/main/java/org/tzi/use/GlobalExceptionHandler.java
rename to secure-use-api/src/main/java/org/tzi/use/use_logic/GlobalExceptionHandler.java
index 0d47155..82378df 100644
--- a/use-api/src/main/java/org/tzi/use/GlobalExceptionHandler.java
+++ b/secure-use-api/src/main/java/org/tzi/use/use_logic/GlobalExceptionHandler.java
@@ -1,4 +1,4 @@
-package org.tzi.use;
+package org.tzi.use.use_logic;
 
 import org.springframework.dao.DuplicateKeyException;
 import org.springframework.http.HttpStatus;
diff --git a/use-api/src/main/java/org/tzi/use/OpenApiConfig.java b/secure-use-api/src/main/java/org/tzi/use/use_logic/OpenApiConfig.java
similarity index 96%
rename from use-api/src/main/java/org/tzi/use/OpenApiConfig.java
rename to secure-use-api/src/main/java/org/tzi/use/use_logic/OpenApiConfig.java
index ce8f2cf..1153347 100644
--- a/use-api/src/main/java/org/tzi/use/OpenApiConfig.java
+++ b/secure-use-api/src/main/java/org/tzi/use/use_logic/OpenApiConfig.java
@@ -1,4 +1,4 @@
-package org.tzi.use;
+package org.tzi.use.use_logic;
 
 import io.swagger.v3.oas.annotations.OpenAPIDefinition;
 import io.swagger.v3.oas.annotations.info.Contact;
diff --git a/use-api/src/main/java/org/tzi/use/UseModelFacade.java b/secure-use-api/src/main/java/org/tzi/use/use_logic/UseModelFacade.java
similarity index 98%
rename from use-api/src/main/java/org/tzi/use/UseModelFacade.java
rename to secure-use-api/src/main/java/org/tzi/use/use_logic/UseModelFacade.java
index 627753c..faf1784 100644
--- a/use-api/src/main/java/org/tzi/use/UseModelFacade.java
+++ b/secure-use-api/src/main/java/org/tzi/use/use_logic/UseModelFacade.java
@@ -1,9 +1,9 @@
-package org.tzi.use;
+package org.tzi.use.use_logic;
 
 import org.springframework.stereotype.Component;
 import org.tzi.use.api.UseApiException;
 import org.tzi.use.api.UseModelApi;
-import org.tzi.use.entities.*;
+import org.tzi.use.use_logic.entities.*;
 
 import java.util.HashMap;
 import java.util.Map;
diff --git a/use-api/src/main/java/org/tzi/use/entities/AggregationTypeNTT.java b/secure-use-api/src/main/java/org/tzi/use/use_logic/entities/AggregationTypeNTT.java
similarity index 89%
rename from use-api/src/main/java/org/tzi/use/entities/AggregationTypeNTT.java
rename to secure-use-api/src/main/java/org/tzi/use/use_logic/entities/AggregationTypeNTT.java
index 283875f..367f947 100644
--- a/use-api/src/main/java/org/tzi/use/entities/AggregationTypeNTT.java
+++ b/secure-use-api/src/main/java/org/tzi/use/use_logic/entities/AggregationTypeNTT.java
@@ -1,4 +1,4 @@
-package org.tzi.use.entities;
+package org.tzi.use.use_logic.entities;
 
 public enum AggregationTypeNTT {
     NONE("association"),
diff --git a/use-api/src/main/java/org/tzi/use/entities/AssociationNTT.java b/secure-use-api/src/main/java/org/tzi/use/use_logic/entities/AssociationNTT.java
similarity index 92%
rename from use-api/src/main/java/org/tzi/use/entities/AssociationNTT.java
rename to secure-use-api/src/main/java/org/tzi/use/use_logic/entities/AssociationNTT.java
index ae7956d..ca017dc 100644
--- a/use-api/src/main/java/org/tzi/use/entities/AssociationNTT.java
+++ b/secure-use-api/src/main/java/org/tzi/use/use_logic/entities/AssociationNTT.java
@@ -1,4 +1,4 @@
-package org.tzi.use.entities;
+package org.tzi.use.use_logic.entities;
 
 import lombok.AllArgsConstructor;
 import lombok.Data;
diff --git a/use-api/src/main/java/org/tzi/use/entities/AttributeNTT.java b/secure-use-api/src/main/java/org/tzi/use/use_logic/entities/AttributeNTT.java
similarity index 84%
rename from use-api/src/main/java/org/tzi/use/entities/AttributeNTT.java
rename to secure-use-api/src/main/java/org/tzi/use/use_logic/entities/AttributeNTT.java
index 16bf702..6a16f00 100644
--- a/use-api/src/main/java/org/tzi/use/entities/AttributeNTT.java
+++ b/secure-use-api/src/main/java/org/tzi/use/use_logic/entities/AttributeNTT.java
@@ -1,4 +1,4 @@
-package org.tzi.use.entities;
+package org.tzi.use.use_logic.entities;
 
 import lombok.AllArgsConstructor;
 import lombok.Data;
diff --git a/use-api/src/main/java/org/tzi/use/entities/ClassNTT.java b/secure-use-api/src/main/java/org/tzi/use/use_logic/entities/ClassNTT.java
similarity index 91%
rename from use-api/src/main/java/org/tzi/use/entities/ClassNTT.java
rename to secure-use-api/src/main/java/org/tzi/use/use_logic/entities/ClassNTT.java
index 75b7349..0555d98 100644
--- a/use-api/src/main/java/org/tzi/use/entities/ClassNTT.java
+++ b/secure-use-api/src/main/java/org/tzi/use/use_logic/entities/ClassNTT.java
@@ -1,4 +1,4 @@
-package org.tzi.use.entities;
+package org.tzi.use.use_logic.entities;
 
 import lombok.AllArgsConstructor;
 import lombok.Data;
diff --git a/use-api/src/main/java/org/tzi/use/entities/InvariantNTT.java b/secure-use-api/src/main/java/org/tzi/use/use_logic/entities/InvariantNTT.java
similarity index 86%
rename from use-api/src/main/java/org/tzi/use/entities/InvariantNTT.java
rename to secure-use-api/src/main/java/org/tzi/use/use_logic/entities/InvariantNTT.java
index 8b0ef79..5fc09ad 100644
--- a/use-api/src/main/java/org/tzi/use/entities/InvariantNTT.java
+++ b/secure-use-api/src/main/java/org/tzi/use/use_logic/entities/InvariantNTT.java
@@ -1,4 +1,4 @@
-package org.tzi.use.entities;
+package org.tzi.use.use_logic.entities;
 
 import lombok.AllArgsConstructor;
 import lombok.Data;
diff --git a/use-api/src/main/java/org/tzi/use/entities/ModelNTT.java b/secure-use-api/src/main/java/org/tzi/use/use_logic/entities/ModelNTT.java
similarity index 90%
rename from use-api/src/main/java/org/tzi/use/entities/ModelNTT.java
rename to secure-use-api/src/main/java/org/tzi/use/use_logic/entities/ModelNTT.java
index a59bc39..49da57d 100644
--- a/use-api/src/main/java/org/tzi/use/entities/ModelNTT.java
+++ b/secure-use-api/src/main/java/org/tzi/use/use_logic/entities/ModelNTT.java
@@ -1,11 +1,11 @@
-package org.tzi.use.entities;
+package org.tzi.use.use_logic.entities;
 
 import lombok.AllArgsConstructor;
 import lombok.Data;
 import lombok.NoArgsConstructor;
 import org.springframework.data.annotation.Id;
 import org.springframework.data.mongodb.core.mapping.Document;
-import org.tzi.use.DTO.ClassDTO;
+import org.tzi.use.use_logic.DTO.ClassDTO;
 
 import java.util.ArrayList;
 import java.util.List;
diff --git a/use-api/src/main/java/org/tzi/use/entities/OperationNTT.java b/secure-use-api/src/main/java/org/tzi/use/use_logic/entities/OperationNTT.java
similarity index 86%
rename from use-api/src/main/java/org/tzi/use/entities/OperationNTT.java
rename to secure-use-api/src/main/java/org/tzi/use/use_logic/entities/OperationNTT.java
index bc9c3db..fcf8a8d 100644
--- a/use-api/src/main/java/org/tzi/use/entities/OperationNTT.java
+++ b/secure-use-api/src/main/java/org/tzi/use/use_logic/entities/OperationNTT.java
@@ -1,4 +1,4 @@
-package org.tzi.use.entities;
+package org.tzi.use.use_logic.entities;
 
 import lombok.AllArgsConstructor;
 import lombok.Data;
diff --git a/use-api/src/main/java/org/tzi/use/entities/PrePostConditionNTT.java b/secure-use-api/src/main/java/org/tzi/use/use_logic/entities/PrePostConditionNTT.java
similarity index 87%
rename from use-api/src/main/java/org/tzi/use/entities/PrePostConditionNTT.java
rename to secure-use-api/src/main/java/org/tzi/use/use_logic/entities/PrePostConditionNTT.java
index f307844..d7f172b 100644
--- a/use-api/src/main/java/org/tzi/use/entities/PrePostConditionNTT.java
+++ b/secure-use-api/src/main/java/org/tzi/use/use_logic/entities/PrePostConditionNTT.java
@@ -1,4 +1,4 @@
-package org.tzi.use.entities;
+package org.tzi.use.use_logic.entities;
 
 import lombok.AllArgsConstructor;
 import lombok.Data;
diff --git a/use-api/src/main/java/org/tzi/use/mapper/AssociationMapper.java b/secure-use-api/src/main/java/org/tzi/use/use_logic/mapper/AssociationMapper.java
similarity index 65%
rename from use-api/src/main/java/org/tzi/use/mapper/AssociationMapper.java
rename to secure-use-api/src/main/java/org/tzi/use/use_logic/mapper/AssociationMapper.java
index 7dd6e92..bab8eef 100644
--- a/use-api/src/main/java/org/tzi/use/mapper/AssociationMapper.java
+++ b/secure-use-api/src/main/java/org/tzi/use/use_logic/mapper/AssociationMapper.java
@@ -1,9 +1,9 @@
-package org.tzi.use.mapper;
+package org.tzi.use.use_logic.mapper;
 
 import org.mapstruct.Mapper;
 import org.mapstruct.MappingConstants;
-import org.tzi.use.DTO.AssociationDTO;
-import org.tzi.use.entities.AssociationNTT;
+import org.tzi.use.use_logic.DTO.AssociationDTO;
+import org.tzi.use.use_logic.entities.AssociationNTT;
 
 @Mapper(componentModel = MappingConstants.ComponentModel.SPRING)
 public interface AssociationMapper {
diff --git a/use-api/src/main/java/org/tzi/use/mapper/AttributeMapper.java b/secure-use-api/src/main/java/org/tzi/use/use_logic/mapper/AttributeMapper.java
similarity index 65%
rename from use-api/src/main/java/org/tzi/use/mapper/AttributeMapper.java
rename to secure-use-api/src/main/java/org/tzi/use/use_logic/mapper/AttributeMapper.java
index 6fc5a3b..aea6543 100644
--- a/use-api/src/main/java/org/tzi/use/mapper/AttributeMapper.java
+++ b/secure-use-api/src/main/java/org/tzi/use/use_logic/mapper/AttributeMapper.java
@@ -1,9 +1,9 @@
-package org.tzi.use.mapper;
+package org.tzi.use.use_logic.mapper;
 
 import org.mapstruct.Mapper;
 import org.mapstruct.MappingConstants;
-import org.tzi.use.DTO.AttributeDTO;
-import org.tzi.use.entities.AttributeNTT;
+import org.tzi.use.use_logic.DTO.AttributeDTO;
+import org.tzi.use.use_logic.entities.AttributeNTT;
 
 @Mapper(componentModel = MappingConstants.ComponentModel.SPRING)
 public interface AttributeMapper {
diff --git a/use-api/src/main/java/org/tzi/use/mapper/ClassMapper.java b/secure-use-api/src/main/java/org/tzi/use/use_logic/mapper/ClassMapper.java
similarity index 65%
rename from use-api/src/main/java/org/tzi/use/mapper/ClassMapper.java
rename to secure-use-api/src/main/java/org/tzi/use/use_logic/mapper/ClassMapper.java
index bdd6640..d4a7fff 100644
--- a/use-api/src/main/java/org/tzi/use/mapper/ClassMapper.java
+++ b/secure-use-api/src/main/java/org/tzi/use/use_logic/mapper/ClassMapper.java
@@ -1,10 +1,10 @@
-package org.tzi.use.mapper;
+package org.tzi.use.use_logic.mapper;
 
 
 import org.mapstruct.Mapper;
 import org.mapstruct.MappingConstants;
-import org.tzi.use.DTO.ClassDTO;
-import org.tzi.use.entities.ClassNTT;
+import org.tzi.use.use_logic.DTO.ClassDTO;
+import org.tzi.use.use_logic.entities.ClassNTT;
 
 @Mapper(componentModel = MappingConstants.ComponentModel.SPRING)
 public interface ClassMapper {
diff --git a/use-api/src/main/java/org/tzi/use/mapper/InvariantMapper.java b/secure-use-api/src/main/java/org/tzi/use/use_logic/mapper/InvariantMapper.java
similarity index 65%
rename from use-api/src/main/java/org/tzi/use/mapper/InvariantMapper.java
rename to secure-use-api/src/main/java/org/tzi/use/use_logic/mapper/InvariantMapper.java
index ec9931c..911c060 100644
--- a/use-api/src/main/java/org/tzi/use/mapper/InvariantMapper.java
+++ b/secure-use-api/src/main/java/org/tzi/use/use_logic/mapper/InvariantMapper.java
@@ -1,9 +1,9 @@
-package org.tzi.use.mapper;
+package org.tzi.use.use_logic.mapper;
 
 import org.mapstruct.Mapper;
 import org.mapstruct.MappingConstants;
-import org.tzi.use.DTO.InvariantDTO;
-import org.tzi.use.entities.InvariantNTT;
+import org.tzi.use.use_logic.DTO.InvariantDTO;
+import org.tzi.use.use_logic.entities.InvariantNTT;
 
 @Mapper(componentModel = MappingConstants.ComponentModel.SPRING)
 
diff --git a/use-api/src/main/java/org/tzi/use/mapper/ModelMapper.java b/secure-use-api/src/main/java/org/tzi/use/use_logic/mapper/ModelMapper.java
similarity index 77%
rename from use-api/src/main/java/org/tzi/use/mapper/ModelMapper.java
rename to secure-use-api/src/main/java/org/tzi/use/use_logic/mapper/ModelMapper.java
index ae90f23..0d9ccc9 100644
--- a/use-api/src/main/java/org/tzi/use/mapper/ModelMapper.java
+++ b/secure-use-api/src/main/java/org/tzi/use/use_logic/mapper/ModelMapper.java
@@ -1,9 +1,9 @@
-package org.tzi.use.mapper;
+package org.tzi.use.use_logic.mapper;
 
 import org.mapstruct.Mapper;
 import org.mapstruct.MappingConstants;
-import org.tzi.use.DTO.ModelDTO;
-import org.tzi.use.entities.ModelNTT;
+import org.tzi.use.use_logic.DTO.ModelDTO;
+import org.tzi.use.use_logic.entities.ModelNTT;
 
 /**
  * MapStruct mapper to convert between ModelNTT (entity) and ModelDTO (data transfer object).
diff --git a/use-api/src/main/java/org/tzi/use/mapper/OperationMapper.java b/secure-use-api/src/main/java/org/tzi/use/use_logic/mapper/OperationMapper.java
similarity index 65%
rename from use-api/src/main/java/org/tzi/use/mapper/OperationMapper.java
rename to secure-use-api/src/main/java/org/tzi/use/use_logic/mapper/OperationMapper.java
index ba73ba3..49f26d8 100644
--- a/use-api/src/main/java/org/tzi/use/mapper/OperationMapper.java
+++ b/secure-use-api/src/main/java/org/tzi/use/use_logic/mapper/OperationMapper.java
@@ -1,9 +1,9 @@
-package org.tzi.use.mapper;
+package org.tzi.use.use_logic.mapper;
 
 import org.mapstruct.Mapper;
 import org.mapstruct.MappingConstants;
-import org.tzi.use.DTO.OperationDTO;
-import org.tzi.use.entities.OperationNTT;
+import org.tzi.use.use_logic.DTO.OperationDTO;
+import org.tzi.use.use_logic.entities.OperationNTT;
 
 @Mapper(componentModel = MappingConstants.ComponentModel.SPRING)
 public interface OperationMapper {
diff --git a/use-api/src/main/java/org/tzi/use/mapper/PrePostConditionMapper.java b/secure-use-api/src/main/java/org/tzi/use/use_logic/mapper/PrePostConditionMapper.java
similarity index 66%
rename from use-api/src/main/java/org/tzi/use/mapper/PrePostConditionMapper.java
rename to secure-use-api/src/main/java/org/tzi/use/use_logic/mapper/PrePostConditionMapper.java
index ca571ac..2334dcd 100644
--- a/use-api/src/main/java/org/tzi/use/mapper/PrePostConditionMapper.java
+++ b/secure-use-api/src/main/java/org/tzi/use/use_logic/mapper/PrePostConditionMapper.java
@@ -1,9 +1,9 @@
-package org.tzi.use.mapper;
+package org.tzi.use.use_logic.mapper;
 
 import org.mapstruct.Mapper;
 import org.mapstruct.MappingConstants;
-import org.tzi.use.DTO.PrePostConditionDTO;
-import org.tzi.use.entities.PrePostConditionNTT;
+import org.tzi.use.use_logic.DTO.PrePostConditionDTO;
+import org.tzi.use.use_logic.entities.PrePostConditionNTT;
 
 @Mapper(componentModel = MappingConstants.ComponentModel.SPRING)
 public interface PrePostConditionMapper {
diff --git a/use-api/src/main/java/org/tzi/use/repository/ModelRepo.java b/secure-use-api/src/main/java/org/tzi/use/use_logic/repository/ModelRepo.java
similarity index 71%
rename from use-api/src/main/java/org/tzi/use/repository/ModelRepo.java
rename to secure-use-api/src/main/java/org/tzi/use/use_logic/repository/ModelRepo.java
index 0ded7ac..5c2942e 100644
--- a/use-api/src/main/java/org/tzi/use/repository/ModelRepo.java
+++ b/secure-use-api/src/main/java/org/tzi/use/use_logic/repository/ModelRepo.java
@@ -1,7 +1,7 @@
-package org.tzi.use.repository;
+package org.tzi.use.use_logic.repository;
 
 import org.springframework.data.mongodb.repository.MongoRepository;
-import org.tzi.use.entities.ModelNTT;
+import org.tzi.use.use_logic.entities.ModelNTT;
 
 import java.util.Optional;
 
diff --git a/use-api/src/main/java/org/tzi/use/rest/controller/ClassController.java b/secure-use-api/src/main/java/org/tzi/use/use_logic/rest/controller/ClassController.java
similarity index 96%
rename from use-api/src/main/java/org/tzi/use/rest/controller/ClassController.java
rename to secure-use-api/src/main/java/org/tzi/use/use_logic/rest/controller/ClassController.java
index 5ca3a37..65c350c 100644
--- a/use-api/src/main/java/org/tzi/use/rest/controller/ClassController.java
+++ b/secure-use-api/src/main/java/org/tzi/use/use_logic/rest/controller/ClassController.java
@@ -1,4 +1,4 @@
-package org.tzi.use.rest.controller;
+package org.tzi.use.use_logic.rest.controller;
 
 import lombok.RequiredArgsConstructor;
 import org.springframework.http.HttpStatus;
@@ -9,11 +9,11 @@
 import org.springframework.web.bind.annotation.RequestBody;
 import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.RestController;
-import org.tzi.use.DTO.AttributeDTO;
-import org.tzi.use.DTO.ClassDTO;
-import org.tzi.use.DTO.OperationDTO;
+import org.tzi.use.use_logic.DTO.AttributeDTO;
+import org.tzi.use.use_logic.DTO.ClassDTO;
+import org.tzi.use.use_logic.DTO.OperationDTO;
 import org.tzi.use.api.UseApiException;
-import org.tzi.use.rest.services.ClassService;
+import org.tzi.use.use_logic.rest.services.ClassService;
 import org.springframework.hateoas.EntityModel;
 import org.springframework.hateoas.CollectionModel;
 
diff --git a/use-api/src/main/java/org/tzi/use/rest/controller/ModelController.java b/secure-use-api/src/main/java/org/tzi/use/use_logic/rest/controller/ModelController.java
similarity index 99%
rename from use-api/src/main/java/org/tzi/use/rest/controller/ModelController.java
rename to secure-use-api/src/main/java/org/tzi/use/use_logic/rest/controller/ModelController.java
index aa9fc26..4c3d8b2 100644
--- a/use-api/src/main/java/org/tzi/use/rest/controller/ModelController.java
+++ b/secure-use-api/src/main/java/org/tzi/use/use_logic/rest/controller/ModelController.java
@@ -1,4 +1,4 @@
-package org.tzi.use.rest.controller;
+package org.tzi.use.use_logic.rest.controller;
 
 import lombok.RequiredArgsConstructor;
 import org.springframework.hateoas.CollectionModel;
@@ -6,9 +6,9 @@
 import org.springframework.http.HttpStatus;
 import org.springframework.http.ResponseEntity;
 import org.springframework.web.bind.annotation.*;
-import org.tzi.use.DTO.*;
+import org.tzi.use.use_logic.DTO.*;
 import org.tzi.use.api.UseApiException;
-import org.tzi.use.rest.services.ModelService;
+import org.tzi.use.use_logic.rest.services.ModelService;
 
 import java.util.List;
 import java.util.stream.Collectors;
@@ -37,6 +37,7 @@ public class ModelController {
      * @return The model with HATEOAS links
      */
     @GetMapping("/model/{modelName}")
+    // @ResourceLimited
     public ResponseEntity<EntityModel<ModelDTO>> getModelByName(@PathVariable String modelName) {
         ModelDTO modelDTO = modelService.getModelByName(modelName);
 
diff --git a/use-api/src/main/java/org/tzi/use/rest/services/ClassService.java b/secure-use-api/src/main/java/org/tzi/use/use_logic/rest/services/ClassService.java
similarity index 87%
rename from use-api/src/main/java/org/tzi/use/rest/services/ClassService.java
rename to secure-use-api/src/main/java/org/tzi/use/use_logic/rest/services/ClassService.java
index f4a9128..d8f1715 100644
--- a/use-api/src/main/java/org/tzi/use/rest/services/ClassService.java
+++ b/secure-use-api/src/main/java/org/tzi/use/use_logic/rest/services/ClassService.java
@@ -1,18 +1,18 @@
-package org.tzi.use.rest.services;
+package org.tzi.use.use_logic.rest.services;
 
 import lombok.RequiredArgsConstructor;
 import org.springframework.stereotype.Service;
-import org.tzi.use.DTO.AttributeDTO;
-import org.tzi.use.DTO.ClassDTO;
-import org.tzi.use.DTO.OperationDTO;
-import org.tzi.use.UseModelFacade;
+import org.tzi.use.use_logic.DTO.AttributeDTO;
+import org.tzi.use.use_logic.DTO.ClassDTO;
+import org.tzi.use.use_logic.DTO.OperationDTO;
+import org.tzi.use.use_logic.UseModelFacade;
 import org.tzi.use.api.UseApiException;
-import org.tzi.use.entities.AttributeNTT;
-import org.tzi.use.entities.ClassNTT;
-import org.tzi.use.entities.ModelNTT;
-import org.tzi.use.entities.OperationNTT;
-import org.tzi.use.mapper.*;
-import org.tzi.use.repository.ModelRepo;
+import org.tzi.use.use_logic.entities.AttributeNTT;
+import org.tzi.use.use_logic.entities.ClassNTT;
+import org.tzi.use.use_logic.entities.ModelNTT;
+import org.tzi.use.use_logic.entities.OperationNTT;
+import org.tzi.use.use_logic.mapper.*;
+import org.tzi.use.use_logic.repository.ModelRepo;
 
 import java.util.List;
 
diff --git a/use-api/src/main/java/org/tzi/use/rest/services/ModelService.java b/secure-use-api/src/main/java/org/tzi/use/use_logic/rest/services/ModelService.java
similarity index 96%
rename from use-api/src/main/java/org/tzi/use/rest/services/ModelService.java
rename to secure-use-api/src/main/java/org/tzi/use/use_logic/rest/services/ModelService.java
index dc41215..d76d96d 100644
--- a/use-api/src/main/java/org/tzi/use/rest/services/ModelService.java
+++ b/secure-use-api/src/main/java/org/tzi/use/use_logic/rest/services/ModelService.java
@@ -1,14 +1,14 @@
-package org.tzi.use.rest.services;
+package org.tzi.use.use_logic.rest.services;
 
 import lombok.RequiredArgsConstructor;
 import org.springframework.dao.DuplicateKeyException;
 import org.springframework.stereotype.Service;
-import org.tzi.use.DTO.*;
-import org.tzi.use.UseModelFacade;
+import org.tzi.use.use_logic.DTO.*;
+import org.tzi.use.use_logic.UseModelFacade;
 import org.tzi.use.api.UseApiException;
-import org.tzi.use.entities.*;
-import org.tzi.use.mapper.*;
-import org.tzi.use.repository.ModelRepo;
+import org.tzi.use.use_logic.entities.*;
+import org.tzi.use.use_logic.mapper.*;
+import org.tzi.use.use_logic.repository.ModelRepo;
 
 import java.util.List;
 
diff --git a/secure-use-api/src/main/resources/.DS_Store b/secure-use-api/src/main/resources/.DS_Store
new file mode 100644
index 0000000..3ea226f
Binary files /dev/null and b/secure-use-api/src/main/resources/.DS_Store differ
diff --git a/use-api/src/main/resources/application.properties b/secure-use-api/src/main/resources/application.properties
similarity index 57%
rename from use-api/src/main/resources/application.properties
rename to secure-use-api/src/main/resources/application.properties
index 6c231f1..0894b9c 100644
--- a/use-api/src/main/resources/application.properties
+++ b/secure-use-api/src/main/resources/application.properties
@@ -1,3 +1,7 @@
+#---------------------------------
+# LOGIC PART
+#---------------------------------
+
 spring.application.name=usewebapi
 spring.jpa.hibernate.ddl-auto=create-drop
 spring.graphql.graphiql.enabled=true
@@ -18,3 +22,17 @@ spring.data.mongodb.password=rootpass
 spring.data.mongodb.database=use-database
 spring.data.mongodb.port=27017
 spring.data.mongodb.host=localhost
+
+#---------------------------------
+# SECURITY PART
+#---------------------------------
+
+# Database connection settings
+spring.datasource.url=jdbc:h2:mem:org.tzi.use
+spring.datasource.driver-class-name=org.h2.Driver
+spring.datasource.username=sa
+spring.datasource.password=
+spring.h2.console.enabled=true
+spring.jpa.hibernate.ddl-auto=update
+
+logging.level.org.springframework.security=TRACE
\ No newline at end of file
diff --git a/use-api/src/main/resources/docker-compose.yml b/secure-use-api/src/main/resources/docker-compose.yml
similarity index 100%
rename from use-api/src/main/resources/docker-compose.yml
rename to secure-use-api/src/main/resources/docker-compose.yml
diff --git a/secure-use-api/src/main/resources/logback-spring.xml b/secure-use-api/src/main/resources/logback-spring.xml
new file mode 100644
index 0000000..7b98335
--- /dev/null
+++ b/secure-use-api/src/main/resources/logback-spring.xml
@@ -0,0 +1,29 @@
+<configuration>
+    <!-- Include spring console-appendaer to make the rootLogger use this ones CONSOLE appender with nice coloring -->
+    <include resource="org/springframework/boot/logging/logback/defaults.xml" />
+    <include resource="org/springframework/boot/logging/logback/console-appender.xml" />
+
+    <!-- Rolling File Appender for filter logs -->
+    <appender name="AUDIT_LOGS" class="ch.qos.logback.core.rolling.RollingFileAppender">
+        <file>secure-use-api/logs/filter-logs.log</file>
+        <rollingPolicy class="ch.qos.logback.core.rolling.TimeBasedRollingPolicy">
+            <fileNamePattern>secure-use-api/logs/requests.%d{yyyy-MM-dd}.log</fileNamePattern>
+            <maxHistory>15</maxHistory> <!-- Keep logs for 15 days -->
+            <totalSizeCap>1GB</totalSizeCap> <!-- Limit total size of log files -->
+        </rollingPolicy>
+        <encoder>
+            <pattern>%msg%n</pattern>
+        </encoder>
+    </appender>
+
+    <!-- Logger for the AuditLogMiddleware -->
+    <logger name="org.tzi.use.api_security.rest.middleware.AuditLogMiddleware" level="INFO"
+        additivity="false">
+        <appender-ref ref="AUDIT_LOGS" />
+    </logger>
+
+    <!-- Root logger for all other logs (including Spring logs) -->
+    <root level="INFO">
+        <appender-ref ref="CONSOLE" />
+    </root>
+</configuration>
\ No newline at end of file
diff --git a/secure-use-api/src/test/.DS_Store b/secure-use-api/src/test/.DS_Store
new file mode 100644
index 0000000..8077d8a
Binary files /dev/null and b/secure-use-api/src/test/.DS_Store differ
diff --git a/secure-use-api/src/test/java/.DS_Store b/secure-use-api/src/test/java/.DS_Store
new file mode 100644
index 0000000..2120347
Binary files /dev/null and b/secure-use-api/src/test/java/.DS_Store differ
diff --git a/use-api/src/test/java/org/tzi/use/RestApiControllerTest.java b/secure-use-api/src/test/java/org/tzi/use/RestApiControllerTest.java
similarity index 95%
rename from use-api/src/test/java/org/tzi/use/RestApiControllerTest.java
rename to secure-use-api/src/test/java/org/tzi/use/RestApiControllerTest.java
index 1d11e9b..be13f9a 100644
--- a/use-api/src/test/java/org/tzi/use/RestApiControllerTest.java
+++ b/secure-use-api/src/test/java/org/tzi/use/RestApiControllerTest.java
@@ -1,12 +1,12 @@
 package org.tzi.use;
 
-import io.restassured.RestAssured;
-import io.restassured.response.Response;
-import org.junit.jupiter.api.BeforeAll;
-import org.junit.jupiter.api.Test;
+// import io.restassured.RestAssured;
+// import io.restassured.response.Response;
+// import org.junit.jupiter.api.BeforeAll;
+// import org.junit.jupiter.api.Test;
 
-import static io.restassured.RestAssured.*;
-import static org.hamcrest.Matchers.*;
+// import static io.restassured.RestAssured.*;
+// import static org.hamcrest.Matchers.*;
 
 @Deprecated
 public class RestApiControllerTest {
diff --git a/secure-use-api/src/test/postman/.DS_Store b/secure-use-api/src/test/postman/.DS_Store
new file mode 100644
index 0000000..bc42af5
Binary files /dev/null and b/secure-use-api/src/test/postman/.DS_Store differ
diff --git a/secure-use-api/src/test/postman/api_security/Uni.Ba.ApiSecurityTest.postman_collection.json b/secure-use-api/src/test/postman/api_security/Uni.Ba.ApiSecurityTest.postman_collection.json
new file mode 100644
index 0000000..fb6ef3d
--- /dev/null
+++ b/secure-use-api/src/test/postman/api_security/Uni.Ba.ApiSecurityTest.postman_collection.json
@@ -0,0 +1,1749 @@
+{
+	"info": {
+		"_postman_id": "53687375-8243-4fe8-98d1-543e1f899f2d",
+		"name": "Uni.Ba.ApiSecurityTest",
+		"schema": "https://schema.getpostman.com/json/collection/v2.1.0/collection.json",
+		"_exporter_id": "17943160"
+	},
+	"item": [
+		{
+			"name": "RegisterUserInputValidationFail",
+			"event": [
+				{
+					"listen": "test",
+					"script": {
+						"exec": [
+							"pm.test('Response status code is 400', function () {",
+							"    pm.expect(pm.response.code).to.equal(400);",
+							"})",
+							"",
+							"pm.test('Response content type is application/problem+json', function () {",
+							"    pm.expect(pm.response.headers.get('Content-Type')).to.equal('application/problem+json');",
+							"})",
+							"",
+							"pm.test('The password to short message must be present', function () {",
+							"    const responseData = pm.response.json();",
+							"    pm.expect(responseData).to.be.an('object');",
+							"    pm.expect(responseData.message.password).to.exist.and.to.be.a('string').and.to.have.lengthOf.at.least(1, 'Value should not be empty');",
+							"})",
+							"",
+							"pm.test('The email not well-formated message must be present', function () {",
+							"    const responseData = pm.response.json();",
+							"    pm.expect(responseData).to.be.an('object');",
+							"    pm.expect(responseData.message.email).to.exist.and.to.be.a('string').and.to.have.lengthOf.at.least(1, 'Value should not be empty');",
+							"})"
+						],
+						"type": "text/javascript",
+						"packages": {},
+						"requests": {}
+					}
+				}
+			],
+			"request": {
+				"method": "POST",
+				"header": [
+					{
+						"key": "Authorization",
+						"value": "Bearer xyz",
+						"type": "text",
+						"disabled": true
+					}
+				],
+				"body": {
+					"mode": "raw",
+					"raw": "{\n    \"email\": \"noValidEmail\",\n    \"password\": \"short\"\n}",
+					"options": {
+						"raw": {
+							"language": "json"
+						}
+					}
+				},
+				"url": {
+					"raw": "{{Host}}/auth/register",
+					"host": [
+						"{{Host}}"
+					],
+					"path": [
+						"auth",
+						"register"
+					]
+				}
+			},
+			"response": []
+		},
+		{
+			"name": "RegisterUserSuccess",
+			"event": [
+				{
+					"listen": "test",
+					"script": {
+						"exec": [
+							"pm.test('Response status code is 200', function () {",
+							"    pm.expect(pm.response.code).to.equal(200);",
+							"})",
+							"",
+							"pm.test(\"Response Content-Type is application/json\", function () {",
+							"    pm.expect(pm.response.headers.get('Content-Type')).to.equal('application/json');",
+							"});",
+							"",
+							"pm.test('Response contains required fields: id and actionType', function () {",
+							"    const responseData = pm.response.json();",
+							"    pm.expect(responseData).to.be.an('object');",
+							"    pm.expect(responseData).to.have.all.keys('id', 'actionType');",
+							"})",
+							"",
+							"pm.test('The id must be a non-empty string', function () {",
+							"    const responseData = pm.response.json();",
+							"    pm.expect(responseData).to.be.an('object');",
+							"    pm.expect(responseData.id).to.exist.and.to.be.a('string').and.to.have.lengthOf.at.least(1, 'Value should not be empty');",
+							"})",
+							"",
+							"pm.test('ActionType must be a non-empty string', function () {",
+							"    const responseData = pm.response.json();",
+							"    pm.expect(responseData).to.be.an('object');",
+							"    pm.expect(responseData.actionType).to.exist.and.to.be.a('string').and.to.have.lengthOf.at.least(1, 'Value should not be empty');",
+							"})"
+						],
+						"type": "text/javascript",
+						"packages": {},
+						"requests": {}
+					}
+				}
+			],
+			"request": {
+				"method": "POST",
+				"header": [
+					{
+						"key": "Authorization",
+						"value": "Bearer xyz",
+						"type": "text",
+						"disabled": true
+					}
+				],
+				"body": {
+					"mode": "raw",
+					"raw": "{\n    \"email\": \"{{UserEmail}}\",\n    \"password\": \"{{UserPassword}}\"\n}",
+					"options": {
+						"raw": {
+							"language": "json"
+						}
+					}
+				},
+				"url": {
+					"raw": "{{Host}}/auth/register",
+					"host": [
+						"{{Host}}"
+					],
+					"path": [
+						"auth",
+						"register"
+					]
+				}
+			},
+			"response": []
+		},
+		{
+			"name": "RegisterUserFail",
+			"event": [
+				{
+					"listen": "test",
+					"script": {
+						"exec": [
+							"pm.response.to.have.status(400)",
+							"pm.test('Response status code is 400', function () {",
+							"    pm.expect(pm.response.code).to.eql(400);",
+							"})",
+							"",
+							"pm.test('Response content type is application/problem+json', function () {",
+							"    pm.expect(pm.response.headers.get('Content-Type')).to.equal('application/problem+json');",
+							"})"
+						],
+						"type": "text/javascript",
+						"packages": {},
+						"requests": {}
+					}
+				}
+			],
+			"request": {
+				"method": "POST",
+				"header": [
+					{
+						"key": "Authorization",
+						"value": "Bearer xyz",
+						"type": "text",
+						"disabled": true
+					}
+				],
+				"body": {
+					"mode": "raw",
+					"raw": "{\n    \"email\": \"{{UserEmail}}\",\n    \"password\": \"{{UserPassword}}\"\n}",
+					"options": {
+						"raw": {
+							"language": "json"
+						}
+					}
+				},
+				"url": {
+					"raw": "{{Host}}/auth/register",
+					"host": [
+						"{{Host}}"
+					],
+					"path": [
+						"auth",
+						"register"
+					]
+				}
+			},
+			"response": []
+		},
+		{
+			"name": "HelloAuthenticatedFail",
+			"event": [
+				{
+					"listen": "test",
+					"script": {
+						"exec": [
+							"pm.test('Response status code is 401', function () {",
+							"    pm.expect(pm.response.code).to.eql(401);",
+							"})",
+							"",
+							"pm.test('Response content type is application/problem+json', function () {",
+							"    pm.expect(pm.response.headers.get('Content-Type')).to.equal('application/problem+json');",
+							"})"
+						],
+						"type": "text/javascript",
+						"packages": {},
+						"requests": {}
+					}
+				}
+			],
+			"request": {
+				"auth": {
+					"type": "noauth"
+				},
+				"method": "GET",
+				"header": [],
+				"url": {
+					"raw": "{{Host}}/auth",
+					"host": [
+						"{{Host}}"
+					],
+					"path": [
+						"auth"
+					]
+				}
+			},
+			"response": []
+		},
+		{
+			"name": "LoginUserFail",
+			"event": [
+				{
+					"listen": "test",
+					"script": {
+						"exec": [
+							"pm.response.to.have.status(400)",
+							"pm.test('Response status code is 400', function () {",
+							"    pm.expect(pm.response.code).to.eql(400);",
+							"})",
+							"",
+							"pm.test('Response content type is application/problem+json', function () {",
+							"    pm.expect(pm.response.headers.get('Content-Type')).to.equal('application/problem+json');",
+							"})"
+						],
+						"type": "text/javascript",
+						"packages": {},
+						"requests": {}
+					}
+				}
+			],
+			"request": {
+				"method": "POST",
+				"header": [],
+				"body": {
+					"mode": "raw",
+					"raw": "{\n    \"email\": \"{{UserEmail}}\",\n    \"password\": \"wrongPassword\"\n}",
+					"options": {
+						"raw": {
+							"language": "json"
+						}
+					}
+				},
+				"url": {
+					"raw": "{{Host}}/auth/login",
+					"host": [
+						"{{Host}}"
+					],
+					"path": [
+						"auth",
+						"login"
+					]
+				}
+			},
+			"response": []
+		},
+		{
+			"name": "LoginUserSuccess",
+			"event": [
+				{
+					"listen": "test",
+					"script": {
+						"exec": [
+							"pm.test('Response status code is 200', function () {",
+							"    pm.expect(pm.response.code).to.equal(200);",
+							"})",
+							"",
+							"pm.test(\"Response Content-Type is application/json\", function () {",
+							"    pm.expect(pm.response.headers.get('Content-Type')).to.equal('application/json');",
+							"});",
+							"",
+							"pm.test('Response has required fields', function () {",
+							"    const responseData = pm.response.json();",
+							"    pm.expect(responseData).to.be.an('object');",
+							"    pm.expect(responseData).to.have.all.keys('token', 'refreshToken');",
+							"})",
+							"",
+							"pm.test('Token must be a non-empty string', function () {",
+							"    const responseData = pm.response.json();",
+							"    pm.expect(responseData).to.be.an('object');",
+							"    pm.expect(responseData.token).to.exist.and.to.be.a('string').and.to.have.lengthOf.at.least(1, 'Token should not be empty');",
+							"})",
+							"",
+							"pm.test('The refreshToken must be a non-empty string', function () {",
+							"    const responseData = pm.response.json();",
+							"    pm.expect(responseData).to.be.an('object');",
+							"    pm.expect(responseData.refreshToken).to.exist.and.to.be.a('string').and.to.have.lengthOf.at.least(1, 'Value should not be empty');",
+							"})",
+							"",
+							"const accessToken = pm.response.json().token",
+							"const refreshToken = pm.response.json().refreshToken",
+							"",
+							"pm.collectionVariables.set(\"AccessToken\", accessToken)",
+							"pm.collectionVariables.set(\"RefreshToken\", refreshToken)"
+						],
+						"type": "text/javascript",
+						"packages": {},
+						"requests": {}
+					}
+				}
+			],
+			"request": {
+				"method": "POST",
+				"header": [],
+				"body": {
+					"mode": "raw",
+					"raw": "{\n    \"email\": \"{{UserEmail}}\",\n    \"password\": \"{{UserPassword}}\"\n}",
+					"options": {
+						"raw": {
+							"language": "json"
+						}
+					}
+				},
+				"url": {
+					"raw": "{{Host}}/auth/login",
+					"host": [
+						"{{Host}}"
+					],
+					"path": [
+						"auth",
+						"login"
+					]
+				}
+			},
+			"response": []
+		},
+		{
+			"name": "HelloAuthenticatedSuccess",
+			"event": [
+				{
+					"listen": "test",
+					"script": {
+						"exec": [
+							"pm.test('Response status code is 200', function () {",
+							"    pm.expect(pm.response.code).to.equal(200);",
+							"})"
+						],
+						"type": "text/javascript",
+						"packages": {},
+						"requests": {}
+					}
+				}
+			],
+			"request": {
+				"auth": {
+					"type": "bearer",
+					"bearer": [
+						{
+							"key": "token",
+							"value": "{{AccessToken}}",
+							"type": "string"
+						}
+					]
+				},
+				"method": "GET",
+				"header": [],
+				"url": {
+					"raw": "{{Host}}/auth/",
+					"host": [
+						"{{Host}}"
+					],
+					"path": [
+						"auth",
+						""
+					]
+				}
+			},
+			"response": []
+		},
+		{
+			"name": "RefreshAccessToken",
+			"event": [
+				{
+					"listen": "test",
+					"script": {
+						"exec": [
+							"pm.test(\"Response status code is 200\", function () {",
+							"    pm.expect(pm.response.code).to.eql(200);",
+							"});",
+							"",
+							"pm.test(\"Response Content-Type is application/json\", function () {",
+							"    pm.expect(pm.response.headers.get('Content-Type')).to.equal('application/json');",
+							"});",
+							"",
+							"pm.test(\"Response has required fields: token and refreshToken\", function () {",
+							"    const responseData = pm.response.json();",
+							"    ",
+							"    pm.expect(responseData).to.be.an('object');",
+							"    pm.expect(responseData).to.have.all.keys('token', 'refreshToken');",
+							"});",
+							"",
+							"pm.test(\"Token is a non-empty string\", function () {",
+							"    const responseData = pm.response.json();",
+							"    ",
+							"    pm.expect(responseData).to.be.an('object');",
+							"    pm.expect(responseData.token).to.exist.and.to.be.a('string').and.to.have.lengthOf.at.least(1, \"Token should not be empty\");",
+							"});",
+							"",
+							"pm.test(\"RefreshToken must be a non-empty string\", function () {",
+							"    const responseData = pm.response.json();",
+							"    ",
+							"    pm.expect(responseData).to.be.an('object');",
+							"    pm.expect(responseData.refreshToken).to.exist.and.to.be.a('string').and.to.have.lengthOf.at.least(1, \"Value should not be empty\");",
+							"});",
+							"",
+							"const accessToken = pm.response.json().token",
+							"const refreshToken = pm.response.json().refreshToken",
+							"",
+							"pm.collectionVariables.set(\"AccessToken\", accessToken)",
+							"pm.collectionVariables.set(\"RefreshToken\", refreshToken)"
+						],
+						"type": "text/javascript",
+						"packages": {},
+						"requests": {}
+					}
+				}
+			],
+			"request": {
+				"auth": {
+					"type": "bearer",
+					"bearer": [
+						{
+							"key": "token",
+							"value": "{{AccessToken}}",
+							"type": "string"
+						}
+					]
+				},
+				"method": "PUT",
+				"header": [],
+				"body": {
+					"mode": "raw",
+					"raw": "{\n    \"refreshToken\": \"{{RefreshToken}}\"\n}",
+					"options": {
+						"raw": {
+							"language": "json"
+						}
+					}
+				},
+				"url": {
+					"raw": "{{Host}}/auth/login",
+					"host": [
+						"{{Host}}"
+					],
+					"path": [
+						"auth",
+						"login"
+					]
+				}
+			},
+			"response": []
+		},
+		{
+			"name": "HelloAuthenticatedRefreshedSuccess",
+			"event": [
+				{
+					"listen": "test",
+					"script": {
+						"exec": [
+							"pm.test('Response status code is 200', function () {",
+							"    pm.expect(pm.response.code).to.equal(200);",
+							"})"
+						],
+						"type": "text/javascript",
+						"packages": {},
+						"requests": {}
+					}
+				}
+			],
+			"request": {
+				"auth": {
+					"type": "bearer",
+					"bearer": [
+						{
+							"key": "token",
+							"value": "{{AccessToken}}",
+							"type": "string"
+						}
+					]
+				},
+				"method": "GET",
+				"header": [],
+				"url": {
+					"raw": "{{Host}}/auth/",
+					"host": [
+						"{{Host}}"
+					],
+					"path": [
+						"auth",
+						""
+					]
+				}
+			},
+			"response": []
+		},
+		{
+			"name": "GetAllApiTokensEmpty",
+			"event": [
+				{
+					"listen": "test",
+					"script": {
+						"exec": [
+							"pm.test('Response status code is 200', function () {",
+							"    pm.expect(pm.response.code).to.equal(200);",
+							"})",
+							"",
+							"pm.test('Response content type is application/json', function () {",
+							"    pm.expect(pm.response.headers.get('Content-Type')).to.equal('application/json');",
+							"})",
+							"",
+							"pm.test('Response is an array', function () {",
+							"    const responseData = pm.response.json();",
+							"    pm.expect(responseData).to.be.an('array');",
+							"})",
+							"",
+							"pm.test('The response array must be empty', function () {",
+							"    const responseData = pm.response.json();",
+							"    pm.expect(responseData).to.be.an('array').that.is.empty;",
+							"})"
+						],
+						"type": "text/javascript",
+						"packages": {},
+						"requests": {}
+					}
+				}
+			],
+			"request": {
+				"auth": {
+					"type": "bearer",
+					"bearer": [
+						{
+							"key": "token",
+							"value": "{{AccessToken}}",
+							"type": "string"
+						}
+					]
+				},
+				"method": "GET",
+				"header": [],
+				"url": {
+					"raw": "{{Host}}/api/getAll",
+					"host": [
+						"{{Host}}"
+					],
+					"path": [
+						"api",
+						"getAll"
+					]
+				}
+			},
+			"response": []
+		},
+		{
+			"name": "CreateApiToken",
+			"event": [
+				{
+					"listen": "test",
+					"script": {
+						"exec": [
+							"pm.test('Response status code is 200', function () {",
+							"    pm.expect(pm.response.code).to.equal(200);",
+							"})",
+							"",
+							"pm.test(\"Response Content-Type is application/json\", function () {",
+							"    pm.expect(pm.response.headers.get('Content-Type')).to.equal('application/json');",
+							"});",
+							"",
+							"pm.test('Response has required fields: token and refreshToken', function () {",
+							"    const responseData = pm.response.json();",
+							"    pm.expect(responseData).to.be.an('object');",
+							"    pm.expect(responseData).to.have.all.keys('token', 'refreshToken');",
+							"})",
+							"",
+							"pm.test('Token is a non-empty string', function () {",
+							"    const responseData = pm.response.json();",
+							"    pm.expect(responseData).to.be.an('object');",
+							"    pm.expect(responseData.token).to.exist.and.to.be.a('string').and.to.have.lengthOf.at.least(1, 'Token should not be empty');",
+							"})"
+						],
+						"type": "text/javascript",
+						"packages": {},
+						"requests": {}
+					}
+				}
+			],
+			"request": {
+				"auth": {
+					"type": "bearer",
+					"bearer": [
+						{
+							"key": "token",
+							"value": "{{AccessToken}}",
+							"type": "string"
+						}
+					]
+				},
+				"method": "POST",
+				"header": [],
+				"url": {
+					"raw": "{{Host}}/api/create",
+					"host": [
+						"{{Host}}"
+					],
+					"path": [
+						"api",
+						"create"
+					]
+				}
+			},
+			"response": []
+		},
+		{
+			"name": "GetAllApiTokensNotEmpty",
+			"event": [
+				{
+					"listen": "test",
+					"script": {
+						"exec": [
+							"pm.test(\"Response status code is 200\", function () {",
+							"    pm.expect(pm.response.code).to.equal(200);",
+							"});",
+							"",
+							"pm.test(\"Response Content-Type is application/json\", function () {",
+							"    pm.expect(pm.response.headers.get('Content-Type')).to.equal('application/json');",
+							"});",
+							"",
+							"pm.test(\"Response is an array\", function () {",
+							"    const responseData = pm.response.json();",
+							"    pm.expect(responseData).to.be.an('array');",
+							"});",
+							"",
+							"",
+							"pm.test(\"Response array is not empty\", function () {",
+							"    const responseData = pm.response.json();",
+							"    ",
+							"    pm.expect(responseData).to.be.an('array').that.is.not.empty;",
+							"});",
+							"",
+							"pm.test(\"Each item in the response array is a non-empty string\", function () {",
+							"    const responseData = pm.response.json();",
+							"    ",
+							"    pm.expect(responseData).to.be.an('array');",
+							"    responseData.forEach(item => {",
+							"        pm.expect(item).to.be.a('string').and.to.have.lengthOf.at.least(1, \"Value should not be empty\");",
+							"    });",
+							"});",
+							"",
+							"const apiToken = pm.response.json()[0]",
+							"",
+							"pm.environment.set(\"ApiToken\", apiToken)"
+						],
+						"type": "text/javascript",
+						"packages": {},
+						"requests": {}
+					}
+				}
+			],
+			"request": {
+				"auth": {
+					"type": "bearer",
+					"bearer": [
+						{
+							"key": "token",
+							"value": "{{AccessToken}}",
+							"type": "string"
+						}
+					]
+				},
+				"method": "GET",
+				"header": [],
+				"url": {
+					"raw": "{{Host}}/api/getAll",
+					"host": [
+						"{{Host}}"
+					],
+					"path": [
+						"api",
+						"getAll"
+					]
+				}
+			},
+			"response": []
+		},
+		{
+			"name": "HelloAuthenticatedApiTokenSuccess",
+			"event": [
+				{
+					"listen": "test",
+					"script": {
+						"exec": [
+							"pm.test('Response status code is 200', function () {",
+							"    pm.expect(pm.response.code).to.equal(200);",
+							"})"
+						],
+						"type": "text/javascript",
+						"packages": {},
+						"requests": {}
+					}
+				}
+			],
+			"request": {
+				"auth": {
+					"type": "bearer",
+					"bearer": [
+						{
+							"key": "token",
+							"value": "{{ApiToken}}",
+							"type": "string"
+						}
+					]
+				},
+				"method": "GET",
+				"header": [],
+				"url": {
+					"raw": "{{Host}}/auth/",
+					"host": [
+						"{{Host}}"
+					],
+					"path": [
+						"auth",
+						""
+					]
+				}
+			},
+			"response": []
+		},
+		{
+			"name": "DeleteUserFailPermission",
+			"event": [
+				{
+					"listen": "test",
+					"script": {
+						"exec": [
+							"pm.test('Response status code is 403', function () {",
+							"    pm.expect(pm.response.code).to.eql(403);",
+							"})",
+							"",
+							"pm.test('Response content type is application/problem+json', function () {",
+							"    pm.expect(pm.response.headers.get('Content-Type')).to.equal('application/problem+json');",
+							"})"
+						],
+						"type": "text/javascript",
+						"packages": {},
+						"requests": {}
+					}
+				}
+			],
+			"request": {
+				"auth": {
+					"type": "bearer",
+					"bearer": [
+						{
+							"key": "token",
+							"value": "{{ApiToken}}",
+							"type": "string"
+						}
+					]
+				},
+				"method": "DELETE",
+				"header": [
+					{
+						"key": "Authorization",
+						"value": "Bearer xyz",
+						"type": "text",
+						"disabled": true
+					}
+				],
+				"url": {
+					"raw": "{{Host}}/auth/delete",
+					"host": [
+						"{{Host}}"
+					],
+					"path": [
+						"auth",
+						"delete"
+					]
+				}
+			},
+			"response": []
+		},
+		{
+			"name": "DeleteApiTokenFailPermission",
+			"event": [
+				{
+					"listen": "prerequest",
+					"script": {
+						"exec": [
+							"function parseJwt (token) {",
+							"    const base64Url = token.split('.')[1]; // get payload part",
+							"    const base64 = base64Url.replace(/-/g, '+').replace(/_/g, '/');",
+							"    const jsonPayload = decodeURIComponent(",
+							"        atob(base64)",
+							"            .split('')",
+							"            .map(c => `%${('00' + c.charCodeAt(0).toString(16)).slice(-2)}`)",
+							"            .join('')",
+							"    );",
+							"    return JSON.parse(jsonPayload);",
+							"}",
+							"",
+							"const apiToken = pm.environment.get(\"ApiToken\");",
+							"",
+							"const apiTokenId = parseJwt(apiToken).jti;",
+							"",
+							"pm.environment.set(\"ApiTokenId\", apiTokenId);"
+						],
+						"type": "text/javascript",
+						"packages": {},
+						"requests": {}
+					}
+				},
+				{
+					"listen": "test",
+					"script": {
+						"exec": [
+							"pm.test('Response status code is 403', function () {",
+							"    pm.expect(pm.response.code).to.equal(403);",
+							"})",
+							"",
+							"pm.test('Response content type is application/problem+json', function () {",
+							"    pm.expect(pm.response.headers.get('Content-Type')).to.equal('application/problem+json');",
+							"})"
+						],
+						"type": "text/javascript",
+						"packages": {},
+						"requests": {}
+					}
+				}
+			],
+			"request": {
+				"auth": {
+					"type": "bearer",
+					"bearer": [
+						{
+							"key": "token",
+							"value": "{{ApiToken}}",
+							"type": "string"
+						}
+					]
+				},
+				"method": "DELETE",
+				"header": [],
+				"url": {
+					"raw": "{{Host}}/api/delete/{{ApiTokenId}}",
+					"host": [
+						"{{Host}}"
+					],
+					"path": [
+						"api",
+						"delete",
+						"{{ApiTokenId}}"
+					]
+				}
+			},
+			"response": []
+		},
+		{
+			"name": "DeleteApiTokenSuccess",
+			"event": [
+				{
+					"listen": "prerequest",
+					"script": {
+						"exec": [
+							""
+						],
+						"type": "text/javascript",
+						"packages": {},
+						"requests": {}
+					}
+				},
+				{
+					"listen": "test",
+					"script": {
+						"exec": [
+							"pm.test('Response status code is 200', function () {",
+							"    pm.expect(pm.response.code).to.equal(200);",
+							"})",
+							"",
+							"pm.test('Content-Type is application/json', function () {",
+							"    pm.expect(pm.response.headers.get('Content-Type')).to.equal('application/json');",
+							"})",
+							"",
+							"pm.test('Response contains the required fields', function () {",
+							"    const responseData = pm.response.json();",
+							"    pm.expect(responseData).to.be.an('object');",
+							"    pm.expect(responseData).to.have.all.keys('id', 'actionType');",
+							"})",
+							"",
+							"pm.test('ActionType must be a non-empty string', function () {",
+							"    const responseData = pm.response.json();",
+							"    pm.expect(responseData).to.be.an('object');",
+							"    pm.expect(responseData.actionType).to.exist.and.to.be.a('string').and.to.have.lengthOf.at.least(1, 'ActionType should not be empty');",
+							"})",
+							"",
+							"pm.environment.unset(\"ApiToken\")",
+							"pm.environment.unset(\"ApiTokenId\")",
+							""
+						],
+						"type": "text/javascript",
+						"packages": {},
+						"requests": {}
+					}
+				}
+			],
+			"request": {
+				"auth": {
+					"type": "bearer",
+					"bearer": [
+						{
+							"key": "token",
+							"value": "{{AccessToken}}",
+							"type": "string"
+						}
+					]
+				},
+				"method": "DELETE",
+				"header": [],
+				"url": {
+					"raw": "{{Host}}/api/delete/{{ApiTokenId}}",
+					"host": [
+						"{{Host}}"
+					],
+					"path": [
+						"api",
+						"delete",
+						"{{ApiTokenId}}"
+					]
+				}
+			},
+			"response": []
+		},
+		{
+			"name": "GetAllApiTokensEmpty",
+			"event": [
+				{
+					"listen": "test",
+					"script": {
+						"exec": [
+							"pm.test('Response status code is 200', function () {",
+							"    pm.expect(pm.response.code).to.equal(200);",
+							"})",
+							"",
+							"pm.test('Response content type is application/json', function () {",
+							"    pm.expect(pm.response.headers.get('Content-Type')).to.equal('application/json');",
+							"})",
+							"",
+							"pm.test('Response is an array', function () {",
+							"    const responseData = pm.response.json();",
+							"    pm.expect(responseData).to.be.an('array');",
+							"})",
+							"",
+							"pm.test('The response array must be empty', function () {",
+							"    const responseData = pm.response.json();",
+							"    pm.expect(responseData).to.be.an('array').that.is.empty;",
+							"})"
+						],
+						"type": "text/javascript",
+						"packages": {},
+						"requests": {}
+					}
+				}
+			],
+			"request": {
+				"auth": {
+					"type": "bearer",
+					"bearer": [
+						{
+							"key": "token",
+							"value": "{{AccessToken}}",
+							"type": "string"
+						}
+					]
+				},
+				"method": "GET",
+				"header": [],
+				"url": {
+					"raw": "{{Host}}/api/getAll",
+					"host": [
+						"{{Host}}"
+					],
+					"path": [
+						"api",
+						"getAll"
+					]
+				}
+			},
+			"response": []
+		},
+		{
+			"name": "HelloAuthenticatedApiTokenFail",
+			"event": [
+				{
+					"listen": "test",
+					"script": {
+						"exec": [
+							"pm.test('Response status code is 401', function () {",
+							"    pm.expect(pm.response.code).to.equal(401);",
+							"})"
+						],
+						"type": "text/javascript",
+						"packages": {},
+						"requests": {}
+					}
+				}
+			],
+			"request": {
+				"auth": {
+					"type": "bearer",
+					"bearer": [
+						{
+							"key": "token",
+							"value": "{{ApiToken}}",
+							"type": "string"
+						}
+					]
+				},
+				"method": "GET",
+				"header": [],
+				"url": {
+					"raw": "{{Host}}/auth/",
+					"host": [
+						"{{Host}}"
+					],
+					"path": [
+						"auth",
+						""
+					]
+				}
+			},
+			"response": []
+		},
+		{
+			"name": "ResourceLimit",
+			"event": [
+				{
+					"listen": "test",
+					"script": {
+						"exec": [
+							"pm.test('Response status code is 200', function () {",
+							"    pm.expect(pm.response.code).to.equal(200);",
+							"})",
+							"",
+							"pm.test('Response content type is application/json', function () {",
+							"    pm.expect(pm.response.headers.get('Content-Type')).to.equal('application/json');",
+							"})",
+							"",
+							"pm.test('Response has required fields: time and unitType', function () {",
+							"    const responseData = pm.response.json();",
+							"    pm.expect(responseData).to.be.an('object');",
+							"    pm.expect(responseData).to.have.all.keys('time', 'unitType');",
+							"})",
+							"",
+							"pm.test('Time is not zero and a non-negative integer', function () {",
+							"    const responseData = pm.response.json();",
+							"    pm.expect(responseData).to.be.an('object');",
+							"    pm.expect(responseData.time).to.be.a('number').and.to.be.at.least(1);",
+							"})",
+							"",
+							"pm.test('UnitType must be a non-empty string', function () {",
+							"    const responseData = pm.response.json();",
+							"    pm.expect(responseData).to.be.an('object');",
+							"    pm.expect(responseData.unitType).to.exist.and.to.be.a('string').and.to.have.lengthOf.at.least(1, 'UnitType should not be empty');",
+							"})"
+						],
+						"type": "text/javascript",
+						"packages": {},
+						"requests": {}
+					}
+				}
+			],
+			"request": {
+				"auth": {
+					"type": "bearer",
+					"bearer": [
+						{
+							"key": "token",
+							"value": "{{AccessToken}}",
+							"type": "string"
+						}
+					]
+				},
+				"method": "GET",
+				"header": [],
+				"url": {
+					"raw": "{{Host}}/user/resourceLimit",
+					"host": [
+						"{{Host}}"
+					],
+					"path": [
+						"user",
+						"resourceLimit"
+					]
+				}
+			},
+			"response": []
+		},
+		{
+			"name": "LongRunningTask",
+			"event": [
+				{
+					"listen": "test",
+					"script": {
+						"exec": [
+							"pm.test('Response status code is 200', function () {",
+							"    pm.expect(pm.response.code).to.equal(200);",
+							"})",
+							"",
+							"pm.test(`Request duration is at least 20 seconds`, function () {",
+							"    pm.expect(pm.response.responseTime).to.be.at.least(20000);",
+							"});"
+						],
+						"type": "text/javascript",
+						"packages": {},
+						"requests": {}
+					}
+				}
+			],
+			"request": {
+				"auth": {
+					"type": "bearer",
+					"bearer": [
+						{
+							"key": "token",
+							"value": "{{AccessToken}}",
+							"type": "string"
+						}
+					]
+				},
+				"method": "GET",
+				"header": [],
+				"url": {
+					"raw": "{{Host}}/user/longRun",
+					"host": [
+						"{{Host}}"
+					],
+					"path": [
+						"user",
+						"longRun"
+					]
+				}
+			},
+			"response": []
+		},
+		{
+			"name": "ResourceLimitReduced",
+			"event": [
+				{
+					"listen": "test",
+					"script": {
+						"exec": [
+							"pm.test('Response status code is 200', function () {",
+							"    pm.expect(pm.response.code).to.equal(200);",
+							"})",
+							"",
+							"pm.test('Response content type is application/json', function () {",
+							"    pm.expect(pm.response.headers.get('Content-Type')).to.equal('application/json');",
+							"})",
+							"",
+							"pm.test('Response has required fields: time and unitType', function () {",
+							"    const responseData = pm.response.json();",
+							"    pm.expect(responseData).to.be.an('object');",
+							"    pm.expect(responseData).to.have.all.keys('time', 'unitType');",
+							"})",
+							"",
+							"pm.test('Time is not zero and a non-negative integer', function () {",
+							"    const responseData = pm.response.json();",
+							"    pm.expect(responseData).to.be.an('object');",
+							"    pm.expect(responseData.time).to.be.a('number').and.to.be.at.least(1);",
+							"})",
+							"",
+							"pm.test('UnitType must be a non-empty string', function () {",
+							"    const responseData = pm.response.json();",
+							"    pm.expect(responseData).to.be.an('object');",
+							"    pm.expect(responseData.unitType).to.exist.and.to.be.a('string').and.to.have.lengthOf.at.least(1, 'UnitType should not be empty');",
+							"})"
+						],
+						"type": "text/javascript",
+						"packages": {},
+						"requests": {}
+					}
+				}
+			],
+			"request": {
+				"auth": {
+					"type": "bearer",
+					"bearer": [
+						{
+							"key": "token",
+							"value": "{{AccessToken}}",
+							"type": "string"
+						}
+					]
+				},
+				"method": "GET",
+				"header": [],
+				"url": {
+					"raw": "{{Host}}/user/resourceLimit",
+					"host": [
+						"{{Host}}"
+					],
+					"path": [
+						"user",
+						"resourceLimit"
+					]
+				}
+			},
+			"response": []
+		},
+		{
+			"name": "LongRunningTaskSecond",
+			"event": [
+				{
+					"listen": "test",
+					"script": {
+						"exec": [
+							"pm.test('Response status code is 200', function () {",
+							"    pm.expect(pm.response.code).to.equal(200);",
+							"})",
+							"",
+							"pm.test(`Request duration is at least 20 seconds`, function () {",
+							"    pm.expect(pm.response.responseTime).to.be.at.least(20000);",
+							"});"
+						],
+						"type": "text/javascript",
+						"packages": {},
+						"requests": {}
+					}
+				}
+			],
+			"request": {
+				"auth": {
+					"type": "bearer",
+					"bearer": [
+						{
+							"key": "token",
+							"value": "{{AccessToken}}",
+							"type": "string"
+						}
+					]
+				},
+				"method": "GET",
+				"header": [],
+				"url": {
+					"raw": "{{Host}}/user/longRun",
+					"host": [
+						"{{Host}}"
+					],
+					"path": [
+						"user",
+						"longRun"
+					]
+				}
+			},
+			"response": []
+		},
+		{
+			"name": "LongRunningTaskThird",
+			"event": [
+				{
+					"listen": "test",
+					"script": {
+						"exec": [
+							"pm.test('Response status code is 200', function () {",
+							"    pm.expect(pm.response.code).to.equal(200);",
+							"})",
+							"",
+							"pm.test(`Request duration is at least 20 seconds`, function () {",
+							"    pm.expect(pm.response.responseTime).to.be.at.least(20000);",
+							"});"
+						],
+						"type": "text/javascript",
+						"packages": {},
+						"requests": {}
+					}
+				}
+			],
+			"request": {
+				"auth": {
+					"type": "bearer",
+					"bearer": [
+						{
+							"key": "token",
+							"value": "{{AccessToken}}",
+							"type": "string"
+						}
+					]
+				},
+				"method": "GET",
+				"header": [],
+				"url": {
+					"raw": "{{Host}}/user/longRun",
+					"host": [
+						"{{Host}}"
+					],
+					"path": [
+						"user",
+						"longRun"
+					]
+				}
+			},
+			"response": []
+		},
+		{
+			"name": "LongRunningTaskFailPermission",
+			"event": [
+				{
+					"listen": "test",
+					"script": {
+						"exec": [
+							"pm.test('Response status code is 403', function () {",
+							"    pm.expect(pm.response.code).to.eql(403);",
+							"})",
+							"",
+							"pm.test('Response content type is application/problem+json', function () {",
+							"    pm.expect(pm.response.headers.get('Content-Type')).to.equal('application/problem+json');",
+							"})",
+							"",
+							"pm.test(`Request duration is less than 20 seconds`, function () {",
+							"    pm.expect(pm.response.responseTime).to.be.not.greaterThanOrEqual(20000);",
+							"});"
+						],
+						"type": "text/javascript",
+						"packages": {},
+						"requests": {}
+					}
+				}
+			],
+			"request": {
+				"auth": {
+					"type": "bearer",
+					"bearer": [
+						{
+							"key": "token",
+							"value": "{{AccessToken}}",
+							"type": "string"
+						}
+					]
+				},
+				"method": "GET",
+				"header": [],
+				"url": {
+					"raw": "{{Host}}/user/longRun",
+					"host": [
+						"{{Host}}"
+					],
+					"path": [
+						"user",
+						"longRun"
+					]
+				}
+			},
+			"response": []
+		},
+		{
+			"name": "ResourceLimitZero",
+			"event": [
+				{
+					"listen": "test",
+					"script": {
+						"exec": [
+							"pm.test('Response status code is 200', function () {",
+							"    pm.expect(pm.response.code).to.equal(200);",
+							"})",
+							"",
+							"pm.test(\"Response Content-Type is application/json\", function () {",
+							"    pm.expect(pm.response.headers.get('Content-Type')).to.equal('application/json');",
+							"});",
+							"",
+							"pm.test('Response contains required fields: time and unitType', function () {",
+							"    const responseData = pm.response.json();",
+							"    pm.expect(responseData).to.be.an('object');",
+							"    pm.expect(responseData).to.have.all.keys('time', 'unitType');",
+							"})",
+							"",
+							"pm.test('Time is a zero or a negativ integer', function () {",
+							"    const responseData = pm.response.json();",
+							"    pm.expect(responseData).to.be.an('object');",
+							"    pm.expect(responseData.time).to.be.a('number').and.to.be.lessThanOrEqual(0);",
+							"})",
+							"",
+							"pm.test('UnitType must be a non-empty string', function () {",
+							"    const responseData = pm.response.json();",
+							"    pm.expect(responseData).to.be.an('object');",
+							"    pm.expect(responseData.unitType).to.exist.and.to.be.a('string').and.to.have.lengthOf.at.least(1, 'Value should not be empty');",
+							"})"
+						],
+						"type": "text/javascript",
+						"packages": {},
+						"requests": {}
+					}
+				}
+			],
+			"request": {
+				"auth": {
+					"type": "bearer",
+					"bearer": [
+						{
+							"key": "token",
+							"value": "{{AccessToken}}",
+							"type": "string"
+						}
+					]
+				},
+				"method": "GET",
+				"header": [],
+				"url": {
+					"raw": "{{Host}}/user/resourceLimit",
+					"host": [
+						"{{Host}}"
+					],
+					"path": [
+						"user",
+						"resourceLimit"
+					]
+				}
+			},
+			"response": []
+		},
+		{
+			"name": "DeleteUser",
+			"event": [
+				{
+					"listen": "test",
+					"script": {
+						"exec": [
+							"pm.test('Response status code is 200', function () {",
+							"    pm.expect(pm.response.code).to.equal(200);",
+							"})",
+							"",
+							"pm.test(\"Response Content-Type is application/json\", function () {",
+							"    pm.expect(pm.response.headers.get('Content-Type')).to.equal('application/json');",
+							"});",
+							"",
+							"pm.test('Response contains the required fields', function () {",
+							"    const responseData = pm.response.json();",
+							"    pm.expect(responseData).to.be.an('object');",
+							"    pm.expect(responseData).to.have.all.keys('id', 'actionType');",
+							"})",
+							"",
+							"pm.test('ActionType must be a non-empty string', function () {",
+							"    const responseData = pm.response.json();",
+							"    pm.expect(responseData).to.be.an('object');",
+							"    pm.expect(responseData.actionType).to.exist.and.to.be.a('string').and.to.have.lengthOf.at.least(1, 'ActionType should not be empty');",
+							"})",
+							"",
+							"pm.collectionVariables.unset(\"AccessToken\")",
+							"pm.collectionVariables.unset(\"RefreshToken\")"
+						],
+						"type": "text/javascript",
+						"packages": {},
+						"requests": {}
+					}
+				}
+			],
+			"request": {
+				"auth": {
+					"type": "bearer",
+					"bearer": [
+						{
+							"key": "token",
+							"value": "{{AccessToken}}",
+							"type": "string"
+						}
+					]
+				},
+				"method": "DELETE",
+				"header": [
+					{
+						"key": "Authorization",
+						"value": "Bearer xyz",
+						"type": "text",
+						"disabled": true
+					}
+				],
+				"url": {
+					"raw": "{{Host}}/auth/delete",
+					"host": [
+						"{{Host}}"
+					],
+					"path": [
+						"auth",
+						"delete"
+					]
+				}
+			},
+			"response": []
+		},
+		{
+			"name": "LoginUserFailDeleted",
+			"event": [
+				{
+					"listen": "test",
+					"script": {
+						"exec": [
+							"pm.test('Response status code is 400', function () {",
+							"    pm.expect(pm.response.code).to.equal(400);",
+							"})",
+							"",
+							"pm.test('Response content type is application/problem+json', function () {",
+							"    pm.expect(pm.response.headers.get('Content-Type')).to.equal('application/problem+json');",
+							"})"
+						],
+						"type": "text/javascript",
+						"packages": {},
+						"requests": {}
+					}
+				}
+			],
+			"request": {
+				"method": "POST",
+				"header": [],
+				"body": {
+					"mode": "raw",
+					"raw": "{\n    \"email\": \"{{UserEmail}}\",\n    \"password\": \"{{UserPassword}}\"\n}",
+					"options": {
+						"raw": {
+							"language": "json"
+						}
+					}
+				},
+				"url": {
+					"raw": "{{Host}}/auth/login",
+					"host": [
+						"{{Host}}"
+					],
+					"path": [
+						"auth",
+						"login"
+					]
+				}
+			},
+			"response": []
+		},
+		{
+			"name": "RateLimitFirst",
+			"event": [
+				{
+					"listen": "test",
+					"script": {
+						"exec": [
+							"pm.test('Response status code is 401', function () {",
+							"    pm.expect(pm.response.code).to.equal(401);",
+							"})"
+						],
+						"type": "text/javascript",
+						"packages": {},
+						"requests": {}
+					}
+				}
+			],
+			"request": {
+				"auth": {
+					"type": "bearer",
+					"bearer": [
+						{
+							"key": "token",
+							"value": "{{AccessToken}}",
+							"type": "string"
+						}
+					]
+				},
+				"method": "GET",
+				"header": [],
+				"url": {
+					"raw": "127.0.0.1:8080/auth/",
+					"host": [
+						"127",
+						"0",
+						"0",
+						"1"
+					],
+					"port": "8080",
+					"path": [
+						"auth",
+						""
+					]
+				}
+			},
+			"response": []
+		},
+		{
+			"name": "RateLimitSecond",
+			"event": [
+				{
+					"listen": "test",
+					"script": {
+						"exec": [
+							"pm.test('Response status code is 401 or 429', function () {",
+							"    pm.expect(pm.response.code).to.be.oneOf([401, 429])",
+							"})"
+						],
+						"type": "text/javascript",
+						"packages": {},
+						"requests": {}
+					}
+				}
+			],
+			"request": {
+				"auth": {
+					"type": "bearer",
+					"bearer": [
+						{
+							"key": "token",
+							"value": "{{AccessToken}}",
+							"type": "string"
+						}
+					]
+				},
+				"method": "GET",
+				"header": [],
+				"url": {
+					"raw": "127.0.0.1:8080/user/resourceLimit",
+					"host": [
+						"127",
+						"0",
+						"0",
+						"1"
+					],
+					"port": "8080",
+					"path": [
+						"user",
+						"resourceLimit"
+					]
+				}
+			},
+			"response": []
+		},
+		{
+			"name": "RateLimitFailRequest",
+			"event": [
+				{
+					"listen": "test",
+					"script": {
+						"exec": [
+							"pm.test('Response status code is 429', function () {",
+							"    pm.expect(pm.response.code).to.equal(429);",
+							"})"
+						],
+						"type": "text/javascript",
+						"packages": {},
+						"requests": {}
+					}
+				}
+			],
+			"request": {
+				"auth": {
+					"type": "bearer",
+					"bearer": [
+						{
+							"key": "token",
+							"value": "{{AccessToken}}",
+							"type": "string"
+						}
+					]
+				},
+				"method": "GET",
+				"header": [],
+				"url": {
+					"raw": "127.0.0.1:8080/user/resourceLimit",
+					"host": [
+						"127",
+						"0",
+						"0",
+						"1"
+					],
+					"port": "8080",
+					"path": [
+						"user",
+						"resourceLimit"
+					]
+				}
+			},
+			"response": []
+		}
+	],
+	"event": [
+		{
+			"listen": "prerequest",
+			"script": {
+				"type": "text/javascript",
+				"packages": {},
+				"requests": {},
+				"exec": [
+					""
+				]
+			}
+		},
+		{
+			"listen": "test",
+			"script": {
+				"type": "text/javascript",
+				"packages": {},
+				"requests": {},
+				"exec": [
+					""
+				]
+			}
+		}
+	],
+	"variable": [
+		{
+			"key": "Host",
+			"value": "127.0.0.1:8080"
+		},
+		{
+			"key": "UserEmail",
+			"value": "apiUser@hello.com"
+		},
+		{
+			"key": "UserPassword",
+			"value": "SecurePassword"
+		},
+		{
+			"key": "ApiToken",
+			"value": ""
+		},
+		{
+			"key": "ApiTokenId",
+			"value": ""
+		}
+	]
+}
\ No newline at end of file
diff --git a/secure-use-api/src/test/postman/api_security/Uni.Ba.ApiSecurityTest.postman_test_run.json b/secure-use-api/src/test/postman/api_security/Uni.Ba.ApiSecurityTest.postman_test_run.json
new file mode 100644
index 0000000..e55dca1
--- /dev/null
+++ b/secure-use-api/src/test/postman/api_security/Uni.Ba.ApiSecurityTest.postman_test_run.json
@@ -0,0 +1,1294 @@
+{
+	"id": "92405825-09dd-4279-984c-9e0be2793380",
+	"name": "Uni.Ba.ApiSecurityTest",
+	"timestamp": "2025-12-15T14:43:28.502Z",
+	"collection_id": "17943160-53687375-8243-4fe8-98d1-543e1f899f2d",
+	"folder_id": 0,
+	"environment_id": "0",
+	"totalPass": 86,
+	"delay": 0,
+	"persist": true,
+	"status": "finished",
+	"startedAt": "2025-12-15T14:42:17.139Z",
+	"totalFail": 0,
+	"results": [
+		{
+			"id": "b9a5d7a6-b8dd-428c-9c1c-474fb3a2ad07",
+			"name": "RegisterUserInputValidationFail",
+			"url": "127.0.0.1:8080/auth/register",
+			"time": 1088,
+			"responseCode": {
+				"code": 400,
+				"name": "Bad Request"
+			},
+			"tests": {
+				"Response status code is 400": true,
+				"Response content type is application/problem+json": true,
+				"The password to short message must be present": true,
+				"The email not well-formated message must be present": true
+			},
+			"testPassFailCounts": {
+				"Response status code is 400": {
+					"pass": 1,
+					"fail": 0
+				},
+				"Response content type is application/problem+json": {
+					"pass": 1,
+					"fail": 0
+				},
+				"The password to short message must be present": {
+					"pass": 1,
+					"fail": 0
+				},
+				"The email not well-formated message must be present": {
+					"pass": 1,
+					"fail": 0
+				}
+			},
+			"times": [
+				1088
+			],
+			"allTests": [
+				{
+					"Response status code is 400": true,
+					"Response content type is application/problem+json": true,
+					"The password to short message must be present": true,
+					"The email not well-formated message must be present": true
+				}
+			]
+		},
+		{
+			"id": "15986188-ab75-40be-8bdb-79f41bf87a1a",
+			"name": "RegisterUserSuccess",
+			"url": "127.0.0.1:8080/auth/register",
+			"time": 3252,
+			"responseCode": {
+				"code": 200,
+				"name": "OK"
+			},
+			"tests": {
+				"Response status code is 200": true,
+				"Response Content-Type is application/json": true,
+				"Response contains required fields: id and actionType": true,
+				"The id must be a non-empty string": true,
+				"ActionType must be a non-empty string": true
+			},
+			"testPassFailCounts": {
+				"Response status code is 200": {
+					"pass": 1,
+					"fail": 0
+				},
+				"Response Content-Type is application/json": {
+					"pass": 1,
+					"fail": 0
+				},
+				"Response contains required fields: id and actionType": {
+					"pass": 1,
+					"fail": 0
+				},
+				"The id must be a non-empty string": {
+					"pass": 1,
+					"fail": 0
+				},
+				"ActionType must be a non-empty string": {
+					"pass": 1,
+					"fail": 0
+				}
+			},
+			"times": [
+				3252
+			],
+			"allTests": [
+				{
+					"Response status code is 200": true,
+					"Response Content-Type is application/json": true,
+					"Response contains required fields: id and actionType": true,
+					"The id must be a non-empty string": true,
+					"ActionType must be a non-empty string": true
+				}
+			]
+		},
+		{
+			"id": "6e7bde1a-79e0-4ffe-8dea-8c91a902b1d5",
+			"name": "RegisterUserFail",
+			"url": "127.0.0.1:8080/auth/register",
+			"time": 73,
+			"responseCode": {
+				"code": 400,
+				"name": "Bad Request"
+			},
+			"tests": {
+				"Response status code is 400": true,
+				"Response content type is application/problem+json": true
+			},
+			"testPassFailCounts": {
+				"Response status code is 400": {
+					"pass": 1,
+					"fail": 0
+				},
+				"Response content type is application/problem+json": {
+					"pass": 1,
+					"fail": 0
+				}
+			},
+			"times": [
+				73
+			],
+			"allTests": [
+				{
+					"Response status code is 400": true,
+					"Response content type is application/problem+json": true
+				}
+			]
+		},
+		{
+			"id": "8a3bc1df-b648-438c-80a8-d06ef6a9a382",
+			"name": "HelloAuthenticatedFail",
+			"url": "127.0.0.1:8080/auth",
+			"time": 18,
+			"responseCode": {
+				"code": 401,
+				"name": "Unauthorized"
+			},
+			"tests": {
+				"Response status code is 401": true,
+				"Response content type is application/problem+json": true
+			},
+			"testPassFailCounts": {
+				"Response status code is 401": {
+					"pass": 1,
+					"fail": 0
+				},
+				"Response content type is application/problem+json": {
+					"pass": 1,
+					"fail": 0
+				}
+			},
+			"times": [
+				18
+			],
+			"allTests": [
+				{
+					"Response status code is 401": true,
+					"Response content type is application/problem+json": true
+				}
+			]
+		},
+		{
+			"id": "a28f4dde-4e32-43be-9914-b97c1058e54d",
+			"name": "LoginUserFail",
+			"url": "127.0.0.1:8080/auth/login",
+			"time": 2059,
+			"responseCode": {
+				"code": 400,
+				"name": "Bad Request"
+			},
+			"tests": {
+				"Response status code is 400": true,
+				"Response content type is application/problem+json": true
+			},
+			"testPassFailCounts": {
+				"Response status code is 400": {
+					"pass": 1,
+					"fail": 0
+				},
+				"Response content type is application/problem+json": {
+					"pass": 1,
+					"fail": 0
+				}
+			},
+			"times": [
+				2059
+			],
+			"allTests": [
+				{
+					"Response status code is 400": true,
+					"Response content type is application/problem+json": true
+				}
+			]
+		},
+		{
+			"id": "fbd12ddf-939c-4266-aa77-2442fe55c2df",
+			"name": "LoginUserSuccess",
+			"url": "127.0.0.1:8080/auth/login",
+			"time": 1915,
+			"responseCode": {
+				"code": 200,
+				"name": "OK"
+			},
+			"tests": {
+				"Response status code is 200": true,
+				"Response Content-Type is application/json": true,
+				"Response has required fields": true,
+				"Token must be a non-empty string": true,
+				"The refreshToken must be a non-empty string": true
+			},
+			"testPassFailCounts": {
+				"Response status code is 200": {
+					"pass": 1,
+					"fail": 0
+				},
+				"Response Content-Type is application/json": {
+					"pass": 1,
+					"fail": 0
+				},
+				"Response has required fields": {
+					"pass": 1,
+					"fail": 0
+				},
+				"Token must be a non-empty string": {
+					"pass": 1,
+					"fail": 0
+				},
+				"The refreshToken must be a non-empty string": {
+					"pass": 1,
+					"fail": 0
+				}
+			},
+			"times": [
+				1915
+			],
+			"allTests": [
+				{
+					"Response status code is 200": true,
+					"Response Content-Type is application/json": true,
+					"Response has required fields": true,
+					"Token must be a non-empty string": true,
+					"The refreshToken must be a non-empty string": true
+				}
+			]
+		},
+		{
+			"id": "ecb38d56-b671-47a9-9adf-886211b4b5a0",
+			"name": "HelloAuthenticatedSuccess",
+			"url": "127.0.0.1:8080/auth/",
+			"time": 66,
+			"responseCode": {
+				"code": 200,
+				"name": "OK"
+			},
+			"tests": {
+				"Response status code is 200": true
+			},
+			"testPassFailCounts": {
+				"Response status code is 200": {
+					"pass": 1,
+					"fail": 0
+				}
+			},
+			"times": [
+				66
+			],
+			"allTests": [
+				{
+					"Response status code is 200": true
+				}
+			]
+		},
+		{
+			"id": "7fdf3024-02e5-43e3-89a6-12e0f0474377",
+			"name": "RefreshAccessToken",
+			"url": "127.0.0.1:8080/auth/login",
+			"time": 99,
+			"responseCode": {
+				"code": 200,
+				"name": "OK"
+			},
+			"tests": {
+				"Response status code is 200": true,
+				"Response Content-Type is application/json": true,
+				"Response has required fields: token and refreshToken": true,
+				"Token is a non-empty string": true,
+				"RefreshToken must be a non-empty string": true
+			},
+			"testPassFailCounts": {
+				"Response status code is 200": {
+					"pass": 1,
+					"fail": 0
+				},
+				"Response Content-Type is application/json": {
+					"pass": 1,
+					"fail": 0
+				},
+				"Response has required fields: token and refreshToken": {
+					"pass": 1,
+					"fail": 0
+				},
+				"Token is a non-empty string": {
+					"pass": 1,
+					"fail": 0
+				},
+				"RefreshToken must be a non-empty string": {
+					"pass": 1,
+					"fail": 0
+				}
+			},
+			"times": [
+				99
+			],
+			"allTests": [
+				{
+					"Response status code is 200": true,
+					"Response Content-Type is application/json": true,
+					"Response has required fields: token and refreshToken": true,
+					"Token is a non-empty string": true,
+					"RefreshToken must be a non-empty string": true
+				}
+			]
+		},
+		{
+			"id": "72d7b0c0-7c32-4c81-9210-576734e41136",
+			"name": "HelloAuthenticatedRefreshedSuccess",
+			"url": "127.0.0.1:8080/auth/",
+			"time": 35,
+			"responseCode": {
+				"code": 200,
+				"name": "OK"
+			},
+			"tests": {
+				"Response status code is 200": true
+			},
+			"testPassFailCounts": {
+				"Response status code is 200": {
+					"pass": 1,
+					"fail": 0
+				}
+			},
+			"times": [
+				35
+			],
+			"allTests": [
+				{
+					"Response status code is 200": true
+				}
+			]
+		},
+		{
+			"id": "e609169d-9e3a-4867-8aaa-1edb98a2ce7c",
+			"name": "GetAllApiTokensEmpty",
+			"url": "127.0.0.1:8080/api/getAll",
+			"time": 52,
+			"responseCode": {
+				"code": 200,
+				"name": "OK"
+			},
+			"tests": {
+				"Response status code is 200": true,
+				"Response content type is application/json": true,
+				"Response is an array": true,
+				"The response array must be empty": true
+			},
+			"testPassFailCounts": {
+				"Response status code is 200": {
+					"pass": 1,
+					"fail": 0
+				},
+				"Response content type is application/json": {
+					"pass": 1,
+					"fail": 0
+				},
+				"Response is an array": {
+					"pass": 1,
+					"fail": 0
+				},
+				"The response array must be empty": {
+					"pass": 1,
+					"fail": 0
+				}
+			},
+			"times": [
+				52
+			],
+			"allTests": [
+				{
+					"Response status code is 200": true,
+					"Response content type is application/json": true,
+					"Response is an array": true,
+					"The response array must be empty": true
+				}
+			]
+		},
+		{
+			"id": "9c133ae9-c512-49bd-b34b-472f2d7898de",
+			"name": "CreateApiToken",
+			"url": "127.0.0.1:8080/api/create",
+			"time": 34,
+			"responseCode": {
+				"code": 200,
+				"name": "OK"
+			},
+			"tests": {
+				"Response status code is 200": true,
+				"Response Content-Type is application/json": true,
+				"Response has required fields: token and refreshToken": true,
+				"Token is a non-empty string": true
+			},
+			"testPassFailCounts": {
+				"Response status code is 200": {
+					"pass": 1,
+					"fail": 0
+				},
+				"Response Content-Type is application/json": {
+					"pass": 1,
+					"fail": 0
+				},
+				"Response has required fields: token and refreshToken": {
+					"pass": 1,
+					"fail": 0
+				},
+				"Token is a non-empty string": {
+					"pass": 1,
+					"fail": 0
+				}
+			},
+			"times": [
+				34
+			],
+			"allTests": [
+				{
+					"Response status code is 200": true,
+					"Response Content-Type is application/json": true,
+					"Response has required fields: token and refreshToken": true,
+					"Token is a non-empty string": true
+				}
+			]
+		},
+		{
+			"id": "031eeba4-d034-4cb1-8616-f6c96824e98d",
+			"name": "GetAllApiTokensNotEmpty",
+			"url": "127.0.0.1:8080/api/getAll",
+			"time": 25,
+			"responseCode": {
+				"code": 200,
+				"name": "OK"
+			},
+			"tests": {
+				"Response status code is 200": true,
+				"Response Content-Type is application/json": true,
+				"Response is an array": true,
+				"Response array is not empty": true,
+				"Each item in the response array is a non-empty string": true
+			},
+			"testPassFailCounts": {
+				"Response status code is 200": {
+					"pass": 1,
+					"fail": 0
+				},
+				"Response Content-Type is application/json": {
+					"pass": 1,
+					"fail": 0
+				},
+				"Response is an array": {
+					"pass": 1,
+					"fail": 0
+				},
+				"Response array is not empty": {
+					"pass": 1,
+					"fail": 0
+				},
+				"Each item in the response array is a non-empty string": {
+					"pass": 1,
+					"fail": 0
+				}
+			},
+			"times": [
+				25
+			],
+			"allTests": [
+				{
+					"Response status code is 200": true,
+					"Response Content-Type is application/json": true,
+					"Response is an array": true,
+					"Response array is not empty": true,
+					"Each item in the response array is a non-empty string": true
+				}
+			]
+		},
+		{
+			"id": "b7a045b5-29a4-4bea-bf91-2c12cc2cba86",
+			"name": "HelloAuthenticatedApiTokenSuccess",
+			"url": "127.0.0.1:8080/auth/",
+			"time": 25,
+			"responseCode": {
+				"code": 200,
+				"name": "OK"
+			},
+			"tests": {
+				"Response status code is 200": true
+			},
+			"testPassFailCounts": {
+				"Response status code is 200": {
+					"pass": 1,
+					"fail": 0
+				}
+			},
+			"times": [
+				25
+			],
+			"allTests": [
+				{
+					"Response status code is 200": true
+				}
+			]
+		},
+		{
+			"id": "ff1f6e83-0c74-4652-9c50-eb981a014315",
+			"name": "DeleteUserFailPermission",
+			"url": "127.0.0.1:8080/auth/delete",
+			"time": 29,
+			"responseCode": {
+				"code": 403,
+				"name": "Forbidden"
+			},
+			"tests": {
+				"Response status code is 403": true,
+				"Response content type is application/problem+json": true
+			},
+			"testPassFailCounts": {
+				"Response status code is 403": {
+					"pass": 1,
+					"fail": 0
+				},
+				"Response content type is application/problem+json": {
+					"pass": 1,
+					"fail": 0
+				}
+			},
+			"times": [
+				29
+			],
+			"allTests": [
+				{
+					"Response status code is 403": true,
+					"Response content type is application/problem+json": true
+				}
+			]
+		},
+		{
+			"id": "3c71f887-7c04-44c5-80f0-beedaaca8aae",
+			"name": "DeleteApiTokenFailPermission",
+			"url": "127.0.0.1:8080/api/delete/e3f005b2-ae4e-4a36-b789-03f6436246bc",
+			"time": 21,
+			"responseCode": {
+				"code": 403,
+				"name": "Forbidden"
+			},
+			"tests": {
+				"Response status code is 403": true,
+				"Response content type is application/problem+json": true
+			},
+			"testPassFailCounts": {
+				"Response status code is 403": {
+					"pass": 1,
+					"fail": 0
+				},
+				"Response content type is application/problem+json": {
+					"pass": 1,
+					"fail": 0
+				}
+			},
+			"times": [
+				21
+			],
+			"allTests": [
+				{
+					"Response status code is 403": true,
+					"Response content type is application/problem+json": true
+				}
+			]
+		},
+		{
+			"id": "673dd18c-8143-4423-9734-71dcc4e76425",
+			"name": "DeleteApiTokenSuccess",
+			"url": "127.0.0.1:8080/api/delete/e3f005b2-ae4e-4a36-b789-03f6436246bc",
+			"time": 53,
+			"responseCode": {
+				"code": 200,
+				"name": "OK"
+			},
+			"tests": {
+				"Response status code is 200": true,
+				"Content-Type is application/json": true,
+				"Response contains the required fields": true,
+				"ActionType must be a non-empty string": true
+			},
+			"testPassFailCounts": {
+				"Response status code is 200": {
+					"pass": 1,
+					"fail": 0
+				},
+				"Content-Type is application/json": {
+					"pass": 1,
+					"fail": 0
+				},
+				"Response contains the required fields": {
+					"pass": 1,
+					"fail": 0
+				},
+				"ActionType must be a non-empty string": {
+					"pass": 1,
+					"fail": 0
+				}
+			},
+			"times": [
+				53
+			],
+			"allTests": [
+				{
+					"Response status code is 200": true,
+					"Content-Type is application/json": true,
+					"Response contains the required fields": true,
+					"ActionType must be a non-empty string": true
+				}
+			]
+		},
+		{
+			"id": "4a4a3c7e-38a6-46cd-ae02-6161f6cd99b9",
+			"name": "GetAllApiTokensEmpty",
+			"url": "127.0.0.1:8080/api/getAll",
+			"time": 37,
+			"responseCode": {
+				"code": 200,
+				"name": "OK"
+			},
+			"tests": {
+				"Response status code is 200": true,
+				"Response content type is application/json": true,
+				"Response is an array": true,
+				"The response array must be empty": true
+			},
+			"testPassFailCounts": {
+				"Response status code is 200": {
+					"pass": 1,
+					"fail": 0
+				},
+				"Response content type is application/json": {
+					"pass": 1,
+					"fail": 0
+				},
+				"Response is an array": {
+					"pass": 1,
+					"fail": 0
+				},
+				"The response array must be empty": {
+					"pass": 1,
+					"fail": 0
+				}
+			},
+			"times": [
+				37
+			],
+			"allTests": [
+				{
+					"Response status code is 200": true,
+					"Response content type is application/json": true,
+					"Response is an array": true,
+					"The response array must be empty": true
+				}
+			]
+		},
+		{
+			"id": "e507a9a5-2232-4d6d-9cd8-8d17b92eda67",
+			"name": "HelloAuthenticatedApiTokenFail",
+			"url": "127.0.0.1:8080/auth/",
+			"time": 33,
+			"responseCode": {
+				"code": 401,
+				"name": "Unauthorized"
+			},
+			"tests": {
+				"Response status code is 401": true
+			},
+			"testPassFailCounts": {
+				"Response status code is 401": {
+					"pass": 1,
+					"fail": 0
+				}
+			},
+			"times": [
+				33
+			],
+			"allTests": [
+				{
+					"Response status code is 401": true
+				}
+			]
+		},
+		{
+			"id": "6e232a81-8191-43b7-b9a2-84742b7fd851",
+			"name": "ResourceLimit",
+			"url": "127.0.0.1:8080/user/resourceLimit",
+			"time": 72,
+			"responseCode": {
+				"code": 200,
+				"name": "OK"
+			},
+			"tests": {
+				"Response status code is 200": true,
+				"Response content type is application/json": true,
+				"Response has required fields: time and unitType": true,
+				"Time is not zero and a non-negative integer": true,
+				"UnitType must be a non-empty string": true
+			},
+			"testPassFailCounts": {
+				"Response status code is 200": {
+					"pass": 1,
+					"fail": 0
+				},
+				"Response content type is application/json": {
+					"pass": 1,
+					"fail": 0
+				},
+				"Response has required fields: time and unitType": {
+					"pass": 1,
+					"fail": 0
+				},
+				"Time is not zero and a non-negative integer": {
+					"pass": 1,
+					"fail": 0
+				},
+				"UnitType must be a non-empty string": {
+					"pass": 1,
+					"fail": 0
+				}
+			},
+			"times": [
+				72
+			],
+			"allTests": [
+				{
+					"Response status code is 200": true,
+					"Response content type is application/json": true,
+					"Response has required fields: time and unitType": true,
+					"Time is not zero and a non-negative integer": true,
+					"UnitType must be a non-empty string": true
+				}
+			]
+		},
+		{
+			"id": "59381005-fa78-4884-a913-2dd7eb478179",
+			"name": "LongRunningTask",
+			"url": "127.0.0.1:8080/user/longRun",
+			"time": 20027,
+			"responseCode": {
+				"code": 200,
+				"name": "OK"
+			},
+			"tests": {
+				"Response status code is 200": true,
+				"Request duration is at least 20 seconds": true
+			},
+			"testPassFailCounts": {
+				"Response status code is 200": {
+					"pass": 1,
+					"fail": 0
+				},
+				"Request duration is at least 20 seconds": {
+					"pass": 1,
+					"fail": 0
+				}
+			},
+			"times": [
+				20027
+			],
+			"allTests": [
+				{
+					"Response status code is 200": true,
+					"Request duration is at least 20 seconds": true
+				}
+			]
+		},
+		{
+			"id": "6e7756d0-501e-4aa6-addd-58e621113dbc",
+			"name": "ResourceLimitReduced",
+			"url": "127.0.0.1:8080/user/resourceLimit",
+			"time": 43,
+			"responseCode": {
+				"code": 200,
+				"name": "OK"
+			},
+			"tests": {
+				"Response status code is 200": true,
+				"Response content type is application/json": true,
+				"Response has required fields: time and unitType": true,
+				"Time is not zero and a non-negative integer": true,
+				"UnitType must be a non-empty string": true
+			},
+			"testPassFailCounts": {
+				"Response status code is 200": {
+					"pass": 1,
+					"fail": 0
+				},
+				"Response content type is application/json": {
+					"pass": 1,
+					"fail": 0
+				},
+				"Response has required fields: time and unitType": {
+					"pass": 1,
+					"fail": 0
+				},
+				"Time is not zero and a non-negative integer": {
+					"pass": 1,
+					"fail": 0
+				},
+				"UnitType must be a non-empty string": {
+					"pass": 1,
+					"fail": 0
+				}
+			},
+			"times": [
+				43
+			],
+			"allTests": [
+				{
+					"Response status code is 200": true,
+					"Response content type is application/json": true,
+					"Response has required fields: time and unitType": true,
+					"Time is not zero and a non-negative integer": true,
+					"UnitType must be a non-empty string": true
+				}
+			]
+		},
+		{
+			"id": "c4310c60-8b5d-453f-8393-a5aa5ad70648",
+			"name": "LongRunningTaskSecond",
+			"url": "127.0.0.1:8080/user/longRun",
+			"time": 20038,
+			"responseCode": {
+				"code": 200,
+				"name": "OK"
+			},
+			"tests": {
+				"Response status code is 200": true,
+				"Request duration is at least 20 seconds": true
+			},
+			"testPassFailCounts": {
+				"Response status code is 200": {
+					"pass": 1,
+					"fail": 0
+				},
+				"Request duration is at least 20 seconds": {
+					"pass": 1,
+					"fail": 0
+				}
+			},
+			"times": [
+				20038
+			],
+			"allTests": [
+				{
+					"Response status code is 200": true,
+					"Request duration is at least 20 seconds": true
+				}
+			]
+		},
+		{
+			"id": "c2812d37-ceeb-48be-bb04-256ca59993b4",
+			"name": "LongRunningTaskThird",
+			"url": "127.0.0.1:8080/user/longRun",
+			"time": 20031,
+			"responseCode": {
+				"code": 200,
+				"name": "OK"
+			},
+			"tests": {
+				"Response status code is 200": true,
+				"Request duration is at least 20 seconds": true
+			},
+			"testPassFailCounts": {
+				"Response status code is 200": {
+					"pass": 1,
+					"fail": 0
+				},
+				"Request duration is at least 20 seconds": {
+					"pass": 1,
+					"fail": 0
+				}
+			},
+			"times": [
+				20031
+			],
+			"allTests": [
+				{
+					"Response status code is 200": true,
+					"Request duration is at least 20 seconds": true
+				}
+			]
+		},
+		{
+			"id": "1443c123-d96e-4559-86d6-0a5cf76c5abf",
+			"name": "LongRunningTaskFailPermission",
+			"url": "127.0.0.1:8080/user/longRun",
+			"time": 20,
+			"responseCode": {
+				"code": 403,
+				"name": "Forbidden"
+			},
+			"tests": {
+				"Response status code is 403": true,
+				"Response content type is application/problem+json": true,
+				"Request duration is less than 20 seconds": true
+			},
+			"testPassFailCounts": {
+				"Response status code is 403": {
+					"pass": 1,
+					"fail": 0
+				},
+				"Response content type is application/problem+json": {
+					"pass": 1,
+					"fail": 0
+				},
+				"Request duration is less than 20 seconds": {
+					"pass": 1,
+					"fail": 0
+				}
+			},
+			"times": [
+				20
+			],
+			"allTests": [
+				{
+					"Response status code is 403": true,
+					"Response content type is application/problem+json": true,
+					"Request duration is less than 20 seconds": true
+				}
+			]
+		},
+		{
+			"id": "7630449b-537e-4c0b-912e-57cbbef7c341",
+			"name": "ResourceLimitZero",
+			"url": "127.0.0.1:8080/user/resourceLimit",
+			"time": 29,
+			"responseCode": {
+				"code": 200,
+				"name": "OK"
+			},
+			"tests": {
+				"Response status code is 200": true,
+				"Response Content-Type is application/json": true,
+				"Response contains required fields: time and unitType": true,
+				"Time is a zero or a negativ integer": true,
+				"UnitType must be a non-empty string": true
+			},
+			"testPassFailCounts": {
+				"Response status code is 200": {
+					"pass": 1,
+					"fail": 0
+				},
+				"Response Content-Type is application/json": {
+					"pass": 1,
+					"fail": 0
+				},
+				"Response contains required fields: time and unitType": {
+					"pass": 1,
+					"fail": 0
+				},
+				"Time is a zero or a negativ integer": {
+					"pass": 1,
+					"fail": 0
+				},
+				"UnitType must be a non-empty string": {
+					"pass": 1,
+					"fail": 0
+				}
+			},
+			"times": [
+				29
+			],
+			"allTests": [
+				{
+					"Response status code is 200": true,
+					"Response Content-Type is application/json": true,
+					"Response contains required fields: time and unitType": true,
+					"Time is a zero or a negativ integer": true,
+					"UnitType must be a non-empty string": true
+				}
+			]
+		},
+		{
+			"id": "a8c1bd51-d747-47ae-971a-3910ade260ab",
+			"name": "DeleteUser",
+			"url": "127.0.0.1:8080/auth/delete",
+			"time": 37,
+			"responseCode": {
+				"code": 200,
+				"name": "OK"
+			},
+			"tests": {
+				"Response status code is 200": true,
+				"Response Content-Type is application/json": true,
+				"Response contains the required fields": true,
+				"ActionType must be a non-empty string": true
+			},
+			"testPassFailCounts": {
+				"Response status code is 200": {
+					"pass": 1,
+					"fail": 0
+				},
+				"Response Content-Type is application/json": {
+					"pass": 1,
+					"fail": 0
+				},
+				"Response contains the required fields": {
+					"pass": 1,
+					"fail": 0
+				},
+				"ActionType must be a non-empty string": {
+					"pass": 1,
+					"fail": 0
+				}
+			},
+			"times": [
+				37
+			],
+			"allTests": [
+				{
+					"Response status code is 200": true,
+					"Response Content-Type is application/json": true,
+					"Response contains the required fields": true,
+					"ActionType must be a non-empty string": true
+				}
+			]
+		},
+		{
+			"id": "0055c096-c7af-41f7-857c-5c764624e06a",
+			"name": "LoginUserFailDeleted",
+			"url": "127.0.0.1:8080/auth/login",
+			"time": 25,
+			"responseCode": {
+				"code": 400,
+				"name": "Bad Request"
+			},
+			"tests": {
+				"Response status code is 400": true,
+				"Response content type is application/problem+json": true
+			},
+			"testPassFailCounts": {
+				"Response status code is 400": {
+					"pass": 1,
+					"fail": 0
+				},
+				"Response content type is application/problem+json": {
+					"pass": 1,
+					"fail": 0
+				}
+			},
+			"times": [
+				25
+			],
+			"allTests": [
+				{
+					"Response status code is 400": true,
+					"Response content type is application/problem+json": true
+				}
+			]
+		},
+		{
+			"id": "92d0c076-1116-40ff-bdca-f941dbdf37b8",
+			"name": "RateLimitFirst",
+			"url": "127.0.0.1:8080/auth/",
+			"time": 18,
+			"responseCode": {
+				"code": 401,
+				"name": "Unauthorized"
+			},
+			"tests": {
+				"Response status code is 401": true
+			},
+			"testPassFailCounts": {
+				"Response status code is 401": {
+					"pass": 1,
+					"fail": 0
+				}
+			},
+			"times": [
+				18
+			],
+			"allTests": [
+				{
+					"Response status code is 401": true
+				}
+			]
+		},
+		{
+			"id": "d7fed56a-5b32-43e0-be01-600e62d541be",
+			"name": "RateLimitSecond",
+			"url": "127.0.0.1:8080/user/resourceLimit",
+			"time": 6,
+			"responseCode": {
+				"code": 401,
+				"name": "Unauthorized"
+			},
+			"tests": {
+				"Response status code is 401 or 429": true
+			},
+			"testPassFailCounts": {
+				"Response status code is 401 or 429": {
+					"pass": 1,
+					"fail": 0
+				}
+			},
+			"times": [
+				6
+			],
+			"allTests": [
+				{
+					"Response status code is 401 or 429": true
+				}
+			]
+		},
+		{
+			"id": "82005ed8-b279-4879-920f-31dd0c586a90",
+			"name": "RateLimitFailRequest",
+			"url": "127.0.0.1:8080/user/resourceLimit",
+			"time": 5,
+			"responseCode": {
+				"code": 429,
+				"name": "Unauthorized"
+			},
+			"tests": {
+				"Response status code is 429": true
+			},
+			"testPassFailCounts": {
+				"Response status code is 429": {
+					"pass": 1,
+					"fail": 0
+				}
+			},
+			"times": [
+				5
+			],
+			"allTests": [
+				{
+					"Response status code is 429": true
+				}
+			]
+		}
+	],
+	"count": 1,
+	"totalTime": 69265,
+	"collection": {
+		"requests": [
+			{
+				"id": "b9a5d7a6-b8dd-428c-9c1c-474fb3a2ad07",
+				"method": "POST"
+			},
+			{
+				"id": "15986188-ab75-40be-8bdb-79f41bf87a1a",
+				"method": "POST"
+			},
+			{
+				"id": "6e7bde1a-79e0-4ffe-8dea-8c91a902b1d5",
+				"method": "POST"
+			},
+			{
+				"id": "8a3bc1df-b648-438c-80a8-d06ef6a9a382",
+				"method": "GET"
+			},
+			{
+				"id": "a28f4dde-4e32-43be-9914-b97c1058e54d",
+				"method": "POST"
+			},
+			{
+				"id": "fbd12ddf-939c-4266-aa77-2442fe55c2df",
+				"method": "POST"
+			},
+			{
+				"id": "ecb38d56-b671-47a9-9adf-886211b4b5a0",
+				"method": "GET"
+			},
+			{
+				"id": "7fdf3024-02e5-43e3-89a6-12e0f0474377",
+				"method": "PUT"
+			},
+			{
+				"id": "72d7b0c0-7c32-4c81-9210-576734e41136",
+				"method": "GET"
+			},
+			{
+				"id": "e609169d-9e3a-4867-8aaa-1edb98a2ce7c",
+				"method": "GET"
+			},
+			{
+				"id": "9c133ae9-c512-49bd-b34b-472f2d7898de",
+				"method": "POST"
+			},
+			{
+				"id": "031eeba4-d034-4cb1-8616-f6c96824e98d",
+				"method": "GET"
+			},
+			{
+				"id": "b7a045b5-29a4-4bea-bf91-2c12cc2cba86",
+				"method": "GET"
+			},
+			{
+				"id": "ff1f6e83-0c74-4652-9c50-eb981a014315",
+				"method": "DELETE"
+			},
+			{
+				"id": "3c71f887-7c04-44c5-80f0-beedaaca8aae",
+				"method": "DELETE"
+			},
+			{
+				"id": "673dd18c-8143-4423-9734-71dcc4e76425",
+				"method": "DELETE"
+			},
+			{
+				"id": "4a4a3c7e-38a6-46cd-ae02-6161f6cd99b9",
+				"method": "GET"
+			},
+			{
+				"id": "e507a9a5-2232-4d6d-9cd8-8d17b92eda67",
+				"method": "GET"
+			},
+			{
+				"id": "6e232a81-8191-43b7-b9a2-84742b7fd851",
+				"method": "GET"
+			},
+			{
+				"id": "59381005-fa78-4884-a913-2dd7eb478179",
+				"method": "GET"
+			},
+			{
+				"id": "6e7756d0-501e-4aa6-addd-58e621113dbc",
+				"method": "GET"
+			},
+			{
+				"id": "c4310c60-8b5d-453f-8393-a5aa5ad70648",
+				"method": "GET"
+			},
+			{
+				"id": "c2812d37-ceeb-48be-bb04-256ca59993b4",
+				"method": "GET"
+			},
+			{
+				"id": "1443c123-d96e-4559-86d6-0a5cf76c5abf",
+				"method": "GET"
+			},
+			{
+				"id": "7630449b-537e-4c0b-912e-57cbbef7c341",
+				"method": "GET"
+			},
+			{
+				"id": "a8c1bd51-d747-47ae-971a-3910ade260ab",
+				"method": "DELETE"
+			},
+			{
+				"id": "0055c096-c7af-41f7-857c-5c764624e06a",
+				"method": "POST"
+			},
+			{
+				"id": "92d0c076-1116-40ff-bdca-f941dbdf37b8",
+				"method": "GET"
+			},
+			{
+				"id": "d7fed56a-5b32-43e0-be01-600e62d541be",
+				"method": "GET"
+			},
+			{
+				"id": "82005ed8-b279-4879-920f-31dd0c586a90",
+				"method": "GET"
+			}
+		]
+	}
+}
\ No newline at end of file
diff --git a/use-api/src/it/java/org.tzi.use/postman_collection/use-webapi-extended.postman_collection.json b/secure-use-api/src/test/postman/use_logic/use-webapi-extended.postman_collection.json
similarity index 100%
rename from use-api/src/it/java/org.tzi.use/postman_collection/use-webapi-extended.postman_collection.json
rename to secure-use-api/src/test/postman/use_logic/use-webapi-extended.postman_collection.json
diff --git a/use-api/src/it/java/org.tzi.use/postman_collection/use-webapi.postman_collection.json b/secure-use-api/src/test/postman/use_logic/use-webapi.postman_collection.json
similarity index 100%
rename from use-api/src/it/java/org.tzi.use/postman_collection/use-webapi.postman_collection.json
rename to secure-use-api/src/test/postman/use_logic/use-webapi.postman_collection.json
diff --git a/secure-use-api/src/test/resources/.gitkeep b/secure-use-api/src/test/resources/.gitkeep
new file mode 100644
index 0000000..e69de29