diff --git a/app/api/routers/issues.py b/app/api/routers/issues.py
index 1db850e..0162ffe 100644
--- a/app/api/routers/issues.py
+++ b/app/api/routers/issues.py
@@ -11,6 +11,8 @@ from app.models import models
 from app.schemas import schemas
 from app.services.webhook import fire_webhooks_sync
 from app.models.notification import Notification as NotificationModel
+from app.api.deps import get_current_user_or_apikey
+from app.api.rbac import check_project_role
 
 router = APIRouter(tags=["Issues"])
 
@@ -26,7 +28,8 @@ def _notify_user(db, user_id, ntype, title, message=None, entity_type=None, enti
 # ---- CRUD ----
 
 @router.post("/issues", response_model=schemas.IssueResponse, status_code=status.HTTP_201_CREATED)
-def create_issue(issue: schemas.IssueCreate, bg: BackgroundTasks, db: Session = Depends(get_db)):
+def create_issue(issue: schemas.IssueCreate, bg: BackgroundTasks, db: Session = Depends(get_db), current_user: models.User = Depends(get_current_user_or_apikey)):
+    db.add(issue); check_project_role(db, current_user.id, issue.project_id, min_role="dev")
     db_issue = models.Issue(**issue.model_dump())
     db.add(db_issue)
     db.commit()
@@ -97,7 +100,7 @@ def get_issue(issue_id: int, db: Session = Depends(get_db)):
 
 
 @router.patch("/issues/{issue_id}", response_model=schemas.IssueResponse)
-def update_issue(issue_id: int, issue_update: schemas.IssueUpdate, db: Session = Depends(get_db)):
+def update_issue(issue_id: int, issue_update: schemas.IssueUpdate, db: Session = Depends(get_db), current_user: models.User = Depends(get_current_user_or_apikey)):
     issue = db.query(models.Issue).filter(models.Issue.id == issue_id).first()
     if not issue:
         raise HTTPException(status_code=404, detail="Issue not found")
@@ -109,7 +112,7 @@ def update_issue(issue_id: int, issue_update: schemas.IssueUpdate, db: Session =
 
 
 @router.delete("/issues/{issue_id}", status_code=status.HTTP_204_NO_CONTENT)
-def delete_issue(issue_id: int, db: Session = Depends(get_db)):
+def delete_issue(issue_id: int, db: Session = Depends(get_db), current_user: models.User = Depends(get_current_user_or_apikey)):
     issue = db.query(models.Issue).filter(models.Issue.id == issue_id).first()
     if not issue:
         raise HTTPException(status_code=404, detail="Issue not found")