diff --git a/back_end/src/main/java/hackathon/FrisbYEE/config/WebSecurityConfig.java b/back_end/src/main/java/hackathon/FrisbYEE/config/WebSecurityConfig.java
index 5c028d5..bc80105 100644
--- a/back_end/src/main/java/hackathon/FrisbYEE/config/WebSecurityConfig.java
+++ b/back_end/src/main/java/hackathon/FrisbYEE/config/WebSecurityConfig.java
@@ -30,11 +30,9 @@ public class WebSecurityConfig {
 .requestMatchers(HttpMethod.OPTIONS, "/**").permitAll()
 // 2. Allow public endpoints BEFORE any authenticated() calls
 .requestMatchers("/athlete/create", "/", "/public").permitAll()
- .requestMatchers("/coach/**").permitAll()
- // 3. Authenticated endpoints
- .requestMatchers("/users/sync").authenticated()
+ .requestMatchers("/coach/**").hasRole("coach")
 .requestMatchers("/admin/**").hasRole("admin")
- .requestMatchers("/user/**").hasRole("user")
+ .requestMatchers("/athlete/**").hasRole("athlete")
 .anyRequest().authenticated())
 .oauth2ResourceServer(oauth2 -> oauth2
 .jwt(jwt -> jwt.jwtAuthenticationConverter(jwtToken -> {
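Review bot: The new `hasRole("coach")` and `hasRole("athlete")` rules only pass if the JWT converter produces authorities spelled exactly `ROLE_coach` and `ROLE_athlete`, because `hasRole` prepends `ROLE_` and compares case-sensitively. The converter lambda opens on the last line of the hunk and its body is outside it, so that mapping cannot be confirmed from here. I would add a comment above the role rules, `// hasRole("x") checks authority "ROLE_x" (case-sensitive); keep in sync with the JWT converter below`, and a test per prefix asserting 401 without a token and 403 with the wrong role. Separately, dropping the `/user/**` rule means any such routes that still exist now fall through to `anyRequest().authenticated()` and accept any valid token regardless of role. `/athlete/create` also stays public ahead of the new `/athlete/**` rule for every HTTP method, which is worth confirming as intended.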