diff --git a/conf/config.go b/conf/config.go
index fa1c9ae..ea1bb1a 100644
--- a/conf/config.go
+++ b/conf/config.go
@@ -3,6 +3,7 @@ package conf
 import "sync"
 
 type Config struct {
+	Demo bool
 	PublicKeyPath string
 	PrivateKeyPath string
 
diff --git a/controllers/permission.go b/controllers/permission.go
index 9ebafdc..a51d763 100644
--- a/controllers/permission.go
+++ b/controllers/permission.go
@@ -66,7 +66,7 @@ func (o *PermissionController) GetByRole() {
 // @router /user/:id [get]
 func (o *PermissionController) GetByUser() {
 	id := o.Ctx.Input.Param(":id")
-	role, err := infrastructure.GetPermissionConnector().GetPermissionByUser(id)
+	role, err := infrastructure.GetPermissionConnector().GetPermissionByUser(id, true)
 	if err != nil {
 		o.Data["json"] = map[string]interface{}{
 			"data": nil,
@@ -88,7 +88,7 @@ func (o *PermissionController) GetByUser() {
 // @Description find auth by permission
 // @Param id path string true "the permission you want to get"
 // @Success 200 {auth} models.auth
-// @router /:id/:relation[get]
+// @router /:id/:relation [get]
 func (o *PermissionController) Get() {
 	id := o.Ctx.Input.Param(":id")
 	rel := o.Ctx.Input.Param(":relation")
diff --git a/docker_auth.json b/docker_auth.json
index 1072fdf..4c83f19 100644
--- a/docker_auth.json
+++ b/docker_auth.json
@@ -5,5 +5,6 @@
     "PORT" : 8080,
     "AUTH_CONNECTOR_HOST": "hydra",
     "PRIVATE_KEY_PATH": "/etc/oc/pem/private.pem",
-    "PUBLIC_KEY_PATH": "/etc/oc/pem/public.pem"
+    "PUBLIC_KEY_PATH": "/etc/oc/pem/public.pem",
+    "DEMO": true
 }
\ No newline at end of file
diff --git a/infrastructure/auth_connector/hydra_connector.go b/infrastructure/auth_connector/hydra_connector.go
index 158f568..0723c38 100644
--- a/infrastructure/auth_connector/hydra_connector.go
+++ b/infrastructure/auth_connector/hydra_connector.go
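Review bot: `Demo bool` is added to Config without a doc comment, and nothing else in this commit reads it; the only other reference is `"DEMO": true` in the docker_auth.json hunk, so the checked-in deployment config turns the flag on with no statement of what it relaxes. Add a field comment such as `// Demo enables demo-only behaviour (TODO: state exactly what it relaxes); keep false outside demo deployments.` and consider leaving it false in the checked-in config, setting it explicitly only for demo deployments. The Config struct continues outside the hunk.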
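Review bot: The bare `true` passed to `GetPermissionByUser(id, true)` means the HTTP listing includes the STRICT_INTERNAL_* permissions, while `AddClaimsToToken` in the hydra_claims.go hunk passes `false` so tokens exclude them; nothing explains why the endpoint should expose more than the token carries. If that is intended, say so at the call site, e.g. `// internal=true: list STRICT_INTERNAL_* permissions too; token claims (AddClaimsToToken) omit them`; if not, pass `false` here. GetByUser continues outside the hunk.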
@@ -146,7 +146,6 @@ func (a HydraConnector) Login(username string, cookies ...*http.Cookie) (t *Toke
 
 		// problem with consent THERE we need to accept the consent challenge && get the token
 		_, err = a.Caller.CallRaw(http.MethodGet, a.urlFormat(redirect.RedirectTo, a.getPath(false, true)), "", map[string]interface{}{}, "application/json", true, cookies...)
-		fmt.Println(err)
 		if err != nil {
 			s := strings.Split(err.Error(), "\"")
 			if len(s) > 1 && strings.Contains(s[1], "access_token") {
@@ -242,15 +241,12 @@ func (a HydraConnector) getPath(isAdmin bool, isOauth bool) string {
 	if isOauth {
 		oauth = "/oauth2"
 	}
-	fmt.Println("http://" + host + ":" + port + oauth)
 	return "http://" + host + ":" + port + oauth
 }
 
 func (a HydraConnector) CheckAuthForward(reqToken string, publicKey string, host string, method string, forward string) bool {
-	fmt.Println("CheckAuthForward", reqToken, publicKey, host, method, forward)
 	if forward == "" || method == "" {
-		fmt.Println("Forwarded headers are missing")
 		return false
 	}
 	var c claims.Claims
diff --git a/infrastructure/auth_connector/ldap.go b/infrastructure/auth_connector/ldap.go
index 69db72f..aa3e823 100644
--- a/infrastructure/auth_connector/ldap.go
+++ b/infrastructure/auth_connector/ldap.go
@@ -254,7 +254,6 @@ func (cli *Client) connect(ctx context.Context) <-chan conn {
 	)
 	wg.Add(len(cli.Endpoints))
 	for _, addr := range cli.Endpoints {
-		fmt.Println("addr", addr)
 		go func(addr string) {
 			defer wg.Done()
 
diff --git a/infrastructure/claims/hydra_claims.go b/infrastructure/claims/hydra_claims.go
index 7b55781..d6977fc 100644
--- a/infrastructure/claims/hydra_claims.go
+++ b/infrastructure/claims/hydra_claims.go
@@ -4,7 +4,6 @@ import (
 	"crypto/sha256"
 	"encoding/pem"
 	"errors"
-	"fmt"
 	"oc-auth/conf"
 	"oc-auth/infrastructure/perms_connectors"
 	"oc-auth/infrastructure/utils"
@@ -40,7 +39,6 @@ func (h HydraClaims) decodeKey(key string) (tools.METHOD, string, error) {
 }
 
 func (h HydraClaims) DecodeSignature(host string, signature string, publicKey string) (bool, error) {
-	fmt.Println("DecodeSignature", host)
 	hashed := sha256.Sum256([]byte(host))
 	spkiBlock, _ := pem.Decode([]byte(publicKey)) // get public key into a variable
 	err := VerifyDefault(hashed[:], spkiBlock.Bytes, signature)
@@ -51,7 +49,6 @@ func (h HydraClaims) DecodeSignature(host string, signature string, publicKey st
 }
 
 func (h HydraClaims) encodeSignature(host string) (string, error) {
-	fmt.Println("encodeSignature", host)
 	hashed := sha256.Sum256([]byte(host))
 	// READ FILE TO GET PRIVATE KEY FROM PVK PEM PATH
 	content, err := os.ReadFile(conf.GetConfig().PrivateKeyPath)
@@ -102,7 +99,7 @@ func (h HydraClaims) DecodeClaimsInToken(host string, method string, forward str
 // add claims to token method of HydraTokenizer
 func (h HydraClaims) AddClaimsToToken(userId string, host string) Claims {
 	claims := Claims{}
-	perms, err := perms_connectors.KetoConnector{}.GetPermissionByUser(userId)
+	perms, err := perms_connectors.KetoConnector{}.GetPermissionByUser(userId, false)
 	if err != nil {
 		return claims
 	}
diff --git a/infrastructure/perms_connectors/keto_connector.go b/infrastructure/perms_connectors/keto_connector.go
index 3b0685c..747ab3d 100644
--- a/infrastructure/perms_connectors/keto_connector.go
+++ b/infrastructure/perms_connectors/keto_connector.go
@@ -124,6 +124,8 @@ func (k KetoConnector) CreatePermission(permID string, relation string, internal
 	if err != nil {
 		return "", 422, err
 	}
+
+	k.BindPermission("admin", permID, "permits"+meth.String())
 	p, code, err := k.createRelationShip(permID, "permits"+meth.String(), k.scope(), nil)
 	if err != nil {
 		return "", code, err
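Review bot: `k.BindPermission("admin", permID, "permits"+meth.String())` runs before `k.createRelationShip(...)` on the next line creates the permission tuple, and its `(*Permission, int, error)` results are discarded, so on a fresh permission the bind most likely fails with the 404 that BindPermission returns when GetPermission finds nothing (see the BindPermission hunk in the same file), and nobody notices. Move the call after a successful `createRelationShip` and check its result, e.g. `if _, code, err := k.BindPermission("admin", permID, "permits"+meth.String()); err != nil { return "", code, err }`. This also grants every created permission, seemingly including ones created with `internal` set, to the `admin` role unconditionally; confirm that is intended. CreatePermission continues outside the hunk.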
@@ -145,7 +147,7 @@ func (k KetoConnector) GetRole(roleID string) ([]string, error) {
 
 func (k KetoConnector) GetRoleByUser(userID string) ([]string, error) {
 	arr := []string{}
-	roles, err := k.get("", "is", userID)
+	roles, err := k.get("", "member", userID)
 	if err != nil {
 		return arr, err
 	}
@@ -159,10 +161,9 @@ func (k KetoConnector) GetPermission(permID string, relation string) ([]Permissi
 	meth, err := utils.ExtractMethod(relation, true)
 	if err != nil {
 		p := []Permission{}
-		for _, method := range []tools.METHOD{tools.GET, tools.PUT, tools.POST, tools.DELETE} {
-			fmt.Println("blblbl", permID, "permits"+method.String(), k.scope())
+		for _, method := range []tools.METHOD{tools.GET, tools.PUT, tools.POST, tools.DELETE,
+			tools.STRICT_INTERNAL_DELETE, tools.STRICT_INTERNAL_GET, tools.STRICT_INTERNAL_POST, tools.STRICT_INTERNAL_PUT} {
 			perms, err := k.get(permID, "permits"+method.String(), k.scope())
-			fmt.Println("blblbl2", perms, err)
 			if err == nil && len(perms) > 0 {
 				p = append(p, perms...)
 			}
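Review bot: The eight-element `[]tools.METHOD{tools.GET, ..., tools.STRICT_INTERNAL_PUT}` literal is written out here and twice more in the GetPermissionByRole/GetPermissionByUser hunk of this file; a package-level `var allMethods = []tools.METHOD{...}` (with a `publicMethods` four-element subset) would keep the lists from drifting apart. Note also that this lookup passes `k.scope()` as the subject while the two new loops pass `""`; if that difference is deliberate, a comment at one of the call sites would help. GetPermission continues outside the hunk.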
@@ -173,24 +174,35 @@ func (k KetoConnector) GetPermission(permID string, relation string) ([]Permissi
 }
 
 func (k KetoConnector) GetPermissionByRole(roleID string) ([]Permission, error) {
-	return k.get("", "", roleID)
+	p := []Permission{}
+	for _, method := range []tools.METHOD{tools.GET, tools.PUT, tools.POST, tools.DELETE,
+		tools.STRICT_INTERNAL_DELETE, tools.STRICT_INTERNAL_GET, tools.STRICT_INTERNAL_POST, tools.STRICT_INTERNAL_PUT} {
+		perms, err := k.get(roleID, "permits"+method.String(), "")
+		if err == nil && len(perms) > 0 {
+			p = append(p, perms...)
+		}
+	}
+	return p, nil
 }
-func (k KetoConnector) GetPermissionByUser(userID string) ([]Permission, error) {
-	roles, err := k.get("", "is", userID)
-	perms := []Permission{}
+func (k KetoConnector) GetPermissionByUser(userID string, internal bool) ([]Permission, error) {
+	roles, err := k.get("", "member", userID)
 	if err != nil {
-		return perms, err
+		return nil, err
+	}
+	p := []Permission{}
+	meths := []tools.METHOD{tools.GET, tools.PUT, tools.POST, tools.DELETE}
+	if internal {
+		meths = append(meths, []tools.METHOD{tools.STRICT_INTERNAL_DELETE, tools.STRICT_INTERNAL_GET, tools.STRICT_INTERNAL_POST, tools.STRICT_INTERNAL_PUT}...)
 	}
 	for _, role := range roles {
-		p, err := k.get(role.Object, "", k.scope())
-		if err != nil {
-			log := oclib.GetLogger()
-			log.Error().Msg(err.Error())
-			continue
+		for _, method := range meths {
+			perms, err := k.get(role.Object, "permits"+method.String(), "")
+			if err == nil && len(perms) > 0 {
+				p = append(p, perms...)
+			}
 		}
-		perms = append(perms, p...)
 	}
-	return perms, nil
+	return p, nil
 }
 
 func (k KetoConnector) get(object string, relation string, subject string) ([]Permission, error) {
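Review bot: Both new loops, in GetPermissionByRole and GetPermissionByUser, drop every error from `k.get` via `if err == nil && len(perms) > 0` and always return `nil` as the error, so a connector failure is reported as "no permissions" and the `oclib.GetLogger()` logging the removed loop had is gone. Failing closed is the right default here, but the failure should stay visible: add `if err != nil { oclib.GetLogger().Error().Msg(err.Error()); continue }` before the append in both loops. GetPermissionByRole also always includes the STRICT_INTERNAL_* methods whereas GetPermissionByUser only does so when `internal` is set; confirm that asymmetry is intended and document it on the interface.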
@@ -229,11 +241,7 @@ func (k KetoConnector) BindRole(userID string, roleID string) (string, int, erro
 }
 
 func (k KetoConnector) BindPermission(roleID string, permID string, relation string) (*Permission, int, error) {
-	meth, err := utils.ExtractMethod(relation, false)
-	if err != nil {
-		return nil, 422, err
-	}
-	perms, err := k.GetPermission(permID, meth.String())
+	perms, err := k.GetPermission(permID, relation)
 	if err != nil || len(perms) != 1 {
 		if len(perms) == 0 {
 			return nil, 404, errors.New("Permission not found")
@@ -338,9 +346,7 @@ func (k KetoConnector) deleteRelationShip(object string, relation string, subjec
 	n := k.permToQuery(Permission{Object: object, Relation: relation, Subject: subject}, subPerm)
 	host := conf.GetConfig().PermissionConnectorHost
 	port := fmt.Sprintf("%v", conf.GetConfig().PermissionConnectorAdminPort)
-	fmt.Println(host, port, n)
 	b, err := caller.CallDelete("http://"+host+":"+port, "/relation-tuples"+n)
-	fmt.Println(b, err)
 	if err != nil {
 		log := oclib.GetLogger()
 		log.Error().Msg(err.Error())
diff --git a/infrastructure/perms_connectors/perms_connector.go b/infrastructure/perms_connectors/perms_connector.go
index feaab67..e9c3d8a 100644
--- a/infrastructure/perms_connectors/perms_connector.go
+++ b/infrastructure/perms_connectors/perms_connector.go
@@ -37,7 +37,7 @@ type PermConnector interface {
 
 	GetRoleByUser(userID string) ([]string, error)
 	GetPermissionByRole(roleID string) ([]Permission, error)
-	GetPermissionByUser(userID string) ([]Permission, error)
+	GetPermissionByUser(userID string, internal bool) ([]Permission, error)
 	GetRole(roleID string) ([]string, error)
 	GetPermission(permID string, relation string) ([]Permission, error)
 
diff --git a/ldap-hydra/ldap.ldif b/ldap-hydra/ldap.ldif
index 0d50fc0..135cb79 100644
--- a/ldap-hydra/ldap.ldif
+++ b/ldap-hydra/ldap.ldif
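Review bot: Dropping the `utils.ExtractMethod(relation, false)` check means `relation` now reaches `k.GetPermission(permID, relation)` unvalidated, and in the GetPermission hunk of this file an unparseable relation is not rejected but falls back to enumerating every method, so a malformed relation that happens to match exactly one existing tuple is bound instead of being answered with 422. If only the `permits<METHOD>` form should be accepted, keep the check and just stop using its result, e.g. `if _, err := utils.ExtractMethod(relation, false); err != nil { return nil, 422, err }` (the flag's meaning is not visible here; use whichever form matches the relation). BindPermission continues outside the hunk.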
@@ -1,10 +1,10 @@
-dn: uid=momo,ou=Users,dc=example,dc=com
+dn: uid=admin,ou=Users,dc=example,dc=com
 objectClass: inetOrgPerson
-cn: Kolya Gerasyimov
-sn: Gerasyimov
-uid: momo
-userPassword: 123
-mail: momo@example.com
+cn: Admin
+sn: Istrator
+uid: admin
+userPassword: admin
+mail: admin@example.com
 ou: Users
 
 dn: ou=AppRoles,dc=example,dc=com
@@ -21,4 +21,4 @@ dn: cn=traveler,ou=App1,ou=AppRoles,dc=example,dc=com
 objectClass: groupofnames
 cn: traveler
 description: traveler
-member: uid=momo,ou=Users,dc=example,dc=com
\ No newline at end of file
+member: uid=admin,ou=Users,dc=example,dc=com
\ No newline at end of file
diff --git a/main.go b/main.go
index dcfe5b4..bd9b600 100644
--- a/main.go
+++ b/main.go
@@ -73,13 +73,11 @@ func generateSelfPeer() error {
 			return err
 		}
 		// compare the public key from file with the one in the database
-		fmt.Println(string(f), p.Data[0].(*peer.Peer).PublicKey)
 		if !strings.Contains(string(f), p.Data[0].(*peer.Peer).PublicKey) {
 			return errors.New("public key is different from the one in the database")
 		}
 		return nil
 	}
-	fmt.Println("Creating new peer", strconv.Itoa(peer.SELF.EnumIndex()))
 	// create a new peer
 	o := oclib.GetConfLoader()
 	peer := &peer.Peer{
@@ -100,8 +98,10 @@ func generateSelfPeer() error {
 func discovery() {
 	fmt.Println("Discovered")
 	api := tools.API{}
+	conn := infrastructure.GetPermissionConnector()
+	conn.CreateRole("admin")
+	conn.BindRole("admin", "admin")
 	addPermissions := func(m map[string]interface{}) {
-		conn := infrastructure.GetPermissionConnector()
 		for k, v := range m {
 			for _, p := range v.([]interface{}) {
 				conn.CreatePermission(k, p.(string), true)
diff --git a/oc-auth b/oc-auth
index 4d8e325..4eed7fa 100755
Binary files a/oc-auth and b/oc-auth differ
diff --git a/routers/commentsRouter.go b/routers/commentsRouter.go
index b3ba5a0..fb8433c 100644
--- a/routers/commentsRouter.go
+++ b/routers/commentsRouter.go
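Review bot: The seed entry now ships a well-known default credential, `uid: admin` with `userPassword: admin`, and in the main.go hunk of this commit `discovery()` binds the `admin` user to the `admin` role, which CreatePermission (keto_connector.go hunk) then attaches to every permission it creates; if those `admin` identifiers are the same principal, this fixture hands everything to admin/admin. If the fixture is for the demo setup only, it should be gated on the new Demo flag or clearly documented as such, and non-demo deployments must replace the password before the directory is loaded. A comment at the top of the file, `# demo fixture: replace userPassword before use outside Demo mode`, would at least make the intent explicit.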
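Review bot: `conn.CreateRole("admin")` and `conn.BindRole("admin", "admin")` discard their results, and the context line in the keto_connector.go hunk shows BindRole returns `(string, int, error)`, so a failed bootstrap of the admin role goes unnoticed and the service keeps starting without it. Log or return the errors, e.g. `if _, _, err := conn.BindRole("admin", "admin"); err != nil { oclib.GetLogger().Error().Msg(err.Error()) }` (oclib is already used in this file per the generateSelfPeer context lines). Hardcoding the `admin` user and role name here also ties the bootstrap to the account seeded in ldap.ldif; reading it from Config would let deployments vary it. discovery continues outside the hunk.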
@@ -64,7 +64,7 @@ func init() {
 	beego.GlobalControllerRouter["oc-auth/controllers:PermissionController"] = append(beego.GlobalControllerRouter["oc-auth/controllers:PermissionController"],
 		beego.ControllerComments{
 			Method: "Get",
-			Router: `/:id/:relation[get]`,
+			Router: `/:id/:relation`,
 			AllowHTTPMethods: []string{"get"},
 			MethodParams: param.Make(),
 			Filters: nil,
diff --git a/routers/router.go b/routers/router.go
index c7c68d4..db044b0 100644
--- a/routers/router.go
+++ b/routers/router.go
@@ -14,7 +14,7 @@ import (
 )
 
 func init() {
-	ns := beego.NewNamespace("/oc",
+	ns := beego.NewNamespace("/oc/",
 		beego.NSInclude(
 			&controllers.OAuthController{},
 		),
diff --git a/swagger/swagger.json b/swagger/swagger.json
index 6176e37..2a43cf9 100644
--- a/swagger/swagger.json
+++ b/swagger/swagger.json
@@ -13,7 +13,7 @@
             "url": "https://www.gnu.org/licenses/agpl-3.0.html"
         }
     },
-    "basePath": "/oc",
+    "basePath": "/oc/",
     "paths": {
         "/forward": {
             "get": {
@@ -180,7 +180,7 @@
             }
         }
     },
-    "/permission/{id}/{relation[get]}": {
+    "/permission/{id}/{relation}": {
         "get": {
             "tags": [
                 "permission"
diff --git a/swagger/swagger.yml b/swagger/swagger.yml
index a0f2333..fd5ac6f 100644
--- a/swagger/swagger.yml
+++ b/swagger/swagger.yml
@@ -10,7 +10,7 @@ info:
   license:
     name: AGPL
     url: https://www.gnu.org/licenses/agpl-3.0.html
-basePath: /oc
+basePath: /oc/
 paths:
   /forward:
     get:
@@ -89,7 +89,7 @@ paths:
       responses:
         "200":
           description: '{permission} string'
-  /permission/{id}/{relation[get]}:
+  /permission/{id}/{relation}:
     get:
       tags:
       - permission