diff --git a/backend/src/main/java/org/raddatz/familienarchiv/relationship/RelationshipController.java b/backend/src/main/java/org/raddatz/familienarchiv/relationship/RelationshipController.java
index 210ad41e..80f2faaa 100644
--- a/backend/src/main/java/org/raddatz/familienarchiv/relationship/RelationshipController.java
+++ b/backend/src/main/java/org/raddatz/familienarchiv/relationship/RelationshipController.java
@@ -34,6 +34,9 @@ public class RelationshipController {
 
 private final RelationshipService relationshipService;
 
+ // READ endpoints carry no @RequirePermission: all authenticated users may read the family graph.
+ // Unauthenticated requests are rejected by Spring Security's anyRequest().authenticated() rule.
+
 @GetMapping("/api/network")
 public NetworkDTO getNetwork() {
 return relationshipService.getFamilyNetwork();
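Review bot: The added comment above `getNetwork()` documents an access-control invariant (unauthenticated requests are rejected by `anyRequest().authenticated()`) that is enforced in a security configuration not visible in this hunk, so nothing here keeps the comment true if a `permitAll()` matcher covering `/api/network` is later placed ahead of that rule. I would point the comment at the place that enforces it, e.g. `// Enforced in <security config class>: anyRequest().authenticated()`, and pin the claim with a MockMvc test that sends an unauthenticated `GET /api/network` and expects a 401 (or whatever login redirect the application uses). The comment is also a free-floating block separated from the mapping by a blank line, so its scope ("READ endpoints") is ambiguous; a class-level Javadoc or a short note on each GET mapping would make clear which methods intentionally omit `@RequirePermission`. The class body continues outside the hunk, so the other mappings it refers to were not reviewed.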