diff --git a/docker-compose.yml b/docker-compose.yml
index 3e8a175b..1966e7e6 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -11,7 +11,6 @@ services:
 - "3306:3306"
 volumes:
 - db_data:/var/lib/mysql
- - ./sql:/docker-entrypoint-initdb.d
 healthcheck:
 test: ["CMD", "mysqladmin", "ping", "-h", "127.0.0.1", "-uroot", "-proot"]
 interval: 5s
diff --git a/petshop-api.postman_collection.json b/petshop-api.postman_collection.json
index 7777a8ac..1a5eca4e 100644
--- a/petshop-api.postman_collection.json
+++ b/petshop-api.postman_collection.json
@@ -137,6 +137,42 @@
 }
 ]
 },
+ {
+ "name": "Login (Staff) -> sets staffToken",
+ "request": {
+ "method": "POST",
+ "url": "{{baseUrl}}/api/v1/auth/login",
+ "header": [
+ {
+ "key": "Content-Type",
+ "value": "application/json"
+ }
+ ],
+ "body": {
+ "mode": "raw",
+ "raw": "{\n \"username\": \"staff\",\n \"password\": \"staff123\"\n}",
+ "options": {
+ "raw": {
+ "language": "json"
+ }
+ }
+ }
+ },
+ "event": [
+ {
+ "listen": "test",
+ "script": {
+ "type": "text/javascript",
+ "exec": [
+ "try {",
+ " const json = pm.response.json();",
+ " if (json && json.token) pm.collectionVariables.set('staffToken', json.token);",
+ "} catch (e) {}"
+ ]
+ }
+ }
+ ]
+ },
 {
 "name": "Login (Customer) -> sets customerToken",
 "request": {
diff --git a/src/main/java/com/petshop/backend/controller/PetController.java b/src/main/java/com/petshop/backend/controller/PetController.java
index 07532b93..259b0f89 100644
--- a/src/main/java/com/petshop/backend/controller/PetController.java
+++ b/src/main/java/com/petshop/backend/controller/PetController.java
@@ -14,7 +14,6 @@ import org.springframework.web.bind.annotation.*;
 @RestController
 @RequestMapping("/api/v1/pets")
-@PreAuthorize("hasAnyRole('STAFF', 'ADMIN')")
 public class PetController {
 private final PetService petService;
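Review bot: The test script in the added `exec` block never clears `staffToken` when the login fails or the body carries no `token`, so later requests in the collection silently run with whatever token an earlier run stored, and the empty `catch (e) {}` hides a non-JSON error response as well. Replace the inner line with `if (json && json.token) pm.collectionVariables.set('staffToken', json.token); else pm.collectionVariables.unset('staffToken');` and add `pm.test('login ok', () => pm.response.to.have.status(200));` so a failed login is visible in the runner. The credentials `staff`/`staff123` are committed inside the request body; since this file is versioned, read them from collection variables such as `{{staffPassword}}` the way `{{baseUrl}}` already is, so they can be overridden per environment.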
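Review bot: Dropping the class-level `@PreAuthorize` turns PetController from deny-by-default into allow-by-default at the method-security layer: every handler without its own annotation, including the existing GET handlers and any handler added later, is now guarded only by the URL matchers in SecurityConfig, and the same applies to the SaleController hunk at `@@ -13,7 +13,6 @@`. A method-level `@PreAuthorize` overrides the class-level one in Spring Security, so the read endpoints can be opened without losing the class default: keep `@PreAuthorize("hasAnyRole('STAFF', 'ADMIN')")` on the class and annotate the public GET handlers with `@PreAuthorize("permitAll()")`. That keeps the URL-matcher layer and the method-security layer agreeing on which operations are anonymous instead of relying on SecurityConfig alone. The GET handlers are outside this hunk, so I cannot confirm how many are affected.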
@@ -36,11 +35,13 @@ public class PetController {
 }
 @PostMapping
+ @PreAuthorize("hasAnyRole('STAFF', 'ADMIN')")
 public ResponseEntity createPet(@Valid @RequestBody PetRequest request) {
 return ResponseEntity.status(HttpStatus.CREATED).body(petService.createPet(request));
 }
 @PutMapping("/{id}")
+ @PreAuthorize("hasAnyRole('STAFF', 'ADMIN')")
 public ResponseEntity updatePet(
 @PathVariable Long id,
 @Valid @RequestBody PetRequest request) {
@@ -48,12 +49,14 @@ public class PetController {
 }
 @DeleteMapping("/{id}")
+ @PreAuthorize("hasAnyRole('STAFF', 'ADMIN')")
 public ResponseEntity deletePet(@PathVariable Long id) {
 petService.deletePet(id);
 return ResponseEntity.noContent().build();
 }
 @DeleteMapping
+ @PreAuthorize("hasAnyRole('STAFF', 'ADMIN')")
 public ResponseEntity bulkDeletePets(@Valid @RequestBody BulkDeleteRequest request) {
 petService.bulkDeletePets(request);
 return ResponseEntity.noContent().build();
diff --git a/src/main/java/com/petshop/backend/controller/SaleController.java b/src/main/java/com/petshop/backend/controller/SaleController.java
index 2426bb19..d7e165fe 100644
--- a/src/main/java/com/petshop/backend/controller/SaleController.java
+++ b/src/main/java/com/petshop/backend/controller/SaleController.java
@@ -13,7 +13,6 @@ import org.springframework.web.bind.annotation.*;
 @RestController
 @RequestMapping("/api/v1/sales")
-@PreAuthorize("hasAnyRole('STAFF', 'ADMIN')")
 public class SaleController {
 private final SaleService saleService;
@@ -35,6 +34,7 @@ public class SaleController {
 }
 @PostMapping
+ @PreAuthorize("hasAnyRole('STAFF', 'ADMIN')")
 public ResponseEntity createSale(@Valid @RequestBody SaleRequest request) {
 return ResponseEntity.status(HttpStatus.CREATED).body(saleService.createSale(request));
 }
diff --git a/src/main/java/com/petshop/backend/security/SecurityConfig.java b/src/main/java/com/petshop/backend/security/SecurityConfig.java
index 4f5ecb51..1e96882c 100644
--- a/src/main/java/com/petshop/backend/security/SecurityConfig.java
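Review bot: The literal `"hasAnyRole('STAFF', 'ADMIN')"` is now copied onto each mutating handler in this hunk, in the following `@@ -48,12 +49,14 @@` hunk and in the SaleController `@@ -35,6 +34,7 @@` hunk, so a typo in any one copy would silently change who may call that single endpoint. Define the role set once, either as a meta-annotation such as `@Target(ElementType.METHOD) @Retention(RetentionPolicy.RUNTIME) @PreAuthorize("hasAnyRole('STAFF', 'ADMIN')") public @interface StaffOrAdmin {}` applied as `@StaffOrAdmin`, or at least as a `static final String` constant referenced from every `@PreAuthorize`. Spring Security resolves `@PreAuthorize` through meta-annotations, so the composed form keeps the same enforcement. The `updatePet` body continues past the end of the first hunk.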
+++ b/src/main/java/com/petshop/backend/security/SecurityConfig.java
@@ -39,6 +39,8 @@ public class SecurityConfig {
 .requestMatchers("/api/v1/auth/login").permitAll()
 .requestMatchers("/api/v1/health").permitAll()
 .requestMatchers("/swagger-ui/**", "/v3/api-docs/**", "/swagger-ui.html").permitAll()
+ .requestMatchers(HttpMethod.GET, "/api/v1/pets/**").permitAll()
+ .requestMatchers(HttpMethod.GET, "/api/v1/sales/**").permitAll()
 .requestMatchers(HttpMethod.GET, "/api/v1/dropdowns/suppliers").hasRole("ADMIN")
 .requestMatchers("/api/v1/inventory/**").hasRole("ADMIN")
 .requestMatchers("/api/v1/suppliers/**").hasRole("ADMIN")
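Review bot: The second added matcher makes every GET under `/api/v1/sales/**` anonymous, so sale records, together with whatever customer, price or payment fields the sale response carries, become readable without a login; that is a different exposure from a public pet catalogue and the commit gives no reason for it. If only the catalogue needs to be public, keep the first matcher and change the second to `.requestMatchers(HttpMethod.GET, "/api/v1/sales/**").hasAnyRole("STAFF", "ADMIN")`; if some sales view really must be anonymous, match that exact path rather than the whole prefix. Placing both matchers ahead of the role-restricted ones is correct since the first match wins, but `/api/v1/pets/**` also covers any nested sub-resource added under that prefix later, so a narrower pattern or a comment such as `// public catalogue: pet list and detail are readable without login` would make the intent explicit. The chain's `anyRequest()` fallback is outside this hunk, so I am assuming it still requires authentication for the remaining methods.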