diff --git a/Merge/back_wzy/utils/auth.py b/Merge/back_wzy/utils/auth.py
new file mode 100644
index 0000000..24704d1
--- /dev/null
+++ b/Merge/back_wzy/utils/auth.py
@@ -0,0 +1,38 @@
+# utils/auth.py
+import os
+import jwt
+from functools import wraps
+from flask import request, jsonify, current_app
+from models.user import User
+from app import db
+
+def generate_token(user_id):
+    payload = {
+        'user_id': user_id,
+        # you can add exp, iat here
+    }
+    token = jwt.encode(payload, current_app.config['SECRET_KEY'], algorithm='HS256')
+    return token
+
+def verify_token(token):
+    try:
+        payload = jwt.decode(token, current_app.config['SECRET_KEY'], algorithms=['HS256'])
+        user = User.query.get(payload['user_id'])
+        return user
+    except Exception:
+        return None
+
+def login_required(f):
+    @wraps(f)
+    def decorated(*args, **kwargs):
+        auth_header = request.headers.get('Authorization', None)
+        if not auth_header or not auth_header.startswith('Bearer '):
+            return jsonify({'error': 'Authorization header missing or invalid'}), 401
+        token = auth_header.split()[1]
+        user = verify_token(token)
+        if not user or user.status != 'active':
+            return jsonify({'error': 'Invalid or expired token'}), 401
+        # attach user to request context if needed
+        request.current_user = user
+        return f(*args, **kwargs)
+    return decorated
diff --git a/Merge/back_wzy/utils/serializers.py b/Merge/back_wzy/utils/serializers.py
new file mode 100644
index 0000000..1ed5445
--- /dev/null
+++ b/Merge/back_wzy/utils/serializers.py
@@ -0,0 +1,16 @@
+# utils/serializers.py
+from marshmallow import Schema, fields, validate, ValidationError
+
+class PostSchema(Schema):
+    user_id = fields.Int(required=True)
+    topic_id = fields.Int(required=False, allow_none=True)
+    type = fields.Str(validate=validate.OneOf(['text','image','video','document']), missing='text')
+    title = fields.Str(required=True, validate=validate.Length(min=1, max=255))
+    content = fields.Str(required=True)
+    media_urls = fields.List(fields.Url(), required=False)
+    status = fields.Str(validate=validate.OneOf(['draft','pending','published','deleted','rejected']), missing='draft')
+
+class CommentSchema(Schema):
+    user_id = fields.Int(required=True)
+    content = fields.Str(required=True, validate=validate.Length(min=1))
+    parent_id = fields.Int(required=False, allow_none=True)