diff --git a/issues/5.md b/issues/5.md new file mode 100644 index 0000000..8c5bb8c --- /dev/null +++ b/issues/5.md @@ -0,0 +1,33 @@ +# Issue #5: Implement Role-Based Access Control (RBAC) for API Endpoints + +## Description + +Implement role-based access control (RBAC) for all API endpoints to ensure that users can only perform actions permitted by their role (`user`, `moderator`, `admin`). + +This includes: +- Middleware to check user roles for each endpoint +- Integration with existing JWT authentication +- Audit logging for sensitive actions +- Unit tests for role checks + +## Acceptance Criteria + +- [ ] All API endpoints properly validate user roles +- [ ] JWT middleware extracts and validates the `role` claim +- [ ] Role-checking middleware (`requireRole`) is implemented and used +- [ ] Sensitive actions are logged with audit events +- [ ] Unit tests cover role-based access for all endpoints +- [ ] Documentation updated to reflect new RBAC implementation + +## Tasks + +1. Implement JWT middleware to extract `role` claim +2. Create `requireRole` middleware +3. Apply role checks to existing API endpoints +4. Add audit logging for sensitive actions +5. Write unit tests +6. Update documentation + +## Notes + +This is a follow-up to the roles and permissions documentation in `docs/roles-and-permissions.md`. \ No newline at end of file
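Review bot: The acceptance criteria in the new `issues/5.md` leave the trust boundary for the `role` claim unspecified: "JWT middleware extracts and validates the `role` claim" should say that the claim is only read after the token's signature and expiry have been verified, and that a token with a missing or unrecognised role value (anything other than `user`, `moderator`, `admin`) is rejected rather than mapped to a default. Two further gaps worth closing before this is picked up: "All API endpoints properly validate user roles" does not state the fail-closed behaviour for an endpoint that has no `requireRole` applied (suggest an explicit criterion that such endpoints deny by default, so a forgotten check surfaces as a test failure rather than an open route), and "Unit tests cover role-based access for all endpoints" should require negative cases, i.e. each role is shown to be denied every action outside its permissions, not just allowed its own. Finally, "Sensitive actions are logged with audit events" gives no definition of "sensitive"; either enumerate the endpoints here or reference where `docs/roles-and-permissions.md` does so, otherwise the criterion cannot be checked off objectively.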