diff --git a/Aspnet/Controllers/AccionesController.cs b/Aspnet/Controllers/AccionesController.cs
index e69516d..240f30c 100644
--- a/Aspnet/Controllers/AccionesController.cs
+++ b/Aspnet/Controllers/AccionesController.cs
@@ -1,3 +1,4 @@
+using Entidades.Dto;
 using Microsoft.AspNetCore.Mvc;
 using Modelo;
 
@@ -7,14 +8,17 @@ namespace AlquilaFacil.Controllers;
 public class AccionesController: ControllerBase {
     
     [HttpPost("api/acciones")]
-    public IActionResult ListarAccionesPorUsuario([FromBody] string email) {
-        Request.Cookies.TryGetValue("token", out var token);
-        if (token == null) return Unauthorized(new { esValido = false});
+    public IActionResult ListarAccionesPorUsuario([FromBody] LoginDto email, [FromHeader(Name = "Auth")] string Auth) {
+        if (email.Email == "" || email.Email == null) return BadRequest();
 
-        bool esValido = RepositorioUsuarios.Singleton.CheckToken(email, token);
+        
+        if (Auth == "") return Unauthorized(new { esValido = false});
+
+        bool esValido = RepositorioUsuarios.Singleton.CheckToken(email.Email, Auth);
         if (!esValido) return Unauthorized();
 
-        var Permisos = RepositorioPermisos.Singleton.ListarPermisos(email);
+        var Permisos = RepositorioPermisos.Singleton.ListarPermisos(email.Email);
+        Response.Headers["Content-Type"] = "application/json";
         return Ok(Permisos);
     }
 }
\ No newline at end of file
diff --git a/Aspnet/Controllers/GruposController.cs b/Aspnet/Controllers/GruposController.cs
new file mode 100644
index 0000000..df3d5ee
--- /dev/null
+++ b/Aspnet/Controllers/GruposController.cs
@@ -0,0 +1,18 @@
+#if DEBUG
+using Microsoft.AspNetCore.Mvc;
+using Modelo;
+namespace AlquilaFacil.Controllers;
+
+[ApiController]
+public class GruposController: ControllerBase {
+    [HttpPost("api/admin/grupos")]
+    public IActionResult CrearPermisos([FromBody] AdminGrupo grupo) {
+        if (String.IsNullOrEmpty(grupo.descripcion)) return BadRequest();
+
+        bool ret = RepositorioGrupos.Singleton.CrearGrupo(grupo.descripcion);
+        return (ret) ? Ok(ret) : BadRequest();
+    }
+}
+
+public record AdminGrupo(string descripcion);
+#endif
\ No newline at end of file
diff --git a/Aspnet/Controllers/InquilinoController.cs b/Aspnet/Controllers/InquilinoController.cs
index 72b136b..b2c6764 100644
--- a/Aspnet/Controllers/InquilinoController.cs
+++ b/Aspnet/Controllers/InquilinoController.cs
@@ -12,8 +12,16 @@ public class InquilinoController: ControllerBase
 {
     
     [HttpGet("api/inquilino")]
-    public IActionResult Get() {
-        return Ok();
+    public IActionResult Get([FromHeader(Name = "Auth")] string Auth) {
+        if (!string.IsNullOrEmpty(Auth)) return BadRequest();
+        string path = Request.Path;
+
+        var ret = RepositorioPermisos.Singleton.CheckPermisos(Auth, path);
+        if (ret == false) return BadRequest(ret);
+
+        var list = RepositorioInquilinos.Singleton.GetInquilinos();
+
+        return Ok(list);
     }
 
     [HttpPost("api/inquilino")]
diff --git a/Aspnet/Controllers/LoginController.cs b/Aspnet/Controllers/LoginController.cs
index 706d6cd..2667370 100644
--- a/Aspnet/Controllers/LoginController.cs
+++ b/Aspnet/Controllers/LoginController.cs
@@ -24,19 +24,19 @@ public class LoginController: ControllerBase
         var cookieOptions = new CookieOptions
         {
             HttpOnly = true,         
-            Secure = true,           
-            //SameSite = SameSiteMode.Strict,
-            Expires = DateTimeOffset.UtcNow.AddHours(1)   
+            Secure = true,
+            SameSite = SameSiteMode.None,
+            Path = "/Menu",
+            
+            Expires = DateTimeOffset.UtcNow.AddHours(1)
         };
 
         Response.Cookies.Append("token", tokenString, cookieOptions);
-        return Ok( new {Email = loginDto.Email, Redirect = "/Menu"});  
+        return Ok( new {Email = loginDto.Email, Token = tokenString,  Redirect = "/Menu"});  
     }
 
     [HttpPost("api/login/validar")]   
-    public IActionResult Verificar([FromBody] AccessDto request){
-
-        Request.Cookies.TryGetValue("token", out var token);
+    public IActionResult Verificar([FromBody] AccessDto request, [FromHeader(Name = "Auth")] string token){
 
         if (request.Email == String.Empty || token == null ||request.Redirect == string.Empty)
         {
@@ -44,8 +44,13 @@ public class LoginController: ControllerBase
         }
 
         bool esValido = RepositorioUsuarios.Singleton.CheckToken(request.Email, token);
-        return (esValido) ?
-        Ok( new { esValido = true}) : Unauthorized( new {esValido = false});
+        if (esValido) {
+            return Ok(new {esValido = esValido});
+        } else {
+
+            return Unauthorized(new {esValido = "el token no es valido"});
+        }
+        
     }
     
 
diff --git a/Aspnet/Controllers/PermisosController.cs b/Aspnet/Controllers/PermisosController.cs
new file mode 100644
index 0000000..0cdf113
--- /dev/null
+++ b/Aspnet/Controllers/PermisosController.cs
@@ -0,0 +1,18 @@
+#if DEBUG
+using Microsoft.AspNetCore.Mvc;
+using Modelo;
+namespace AlquilaFacil.Controllers;
+
+[ApiController]
+public class PermisosController: ControllerBase {
+    [HttpPost("api/admin/permisos")]
+    public IActionResult CrearPermisos([FromBody] AdminPermiso permiso) {
+        if (String.IsNullOrEmpty(permiso.descripcion)) return BadRequest();
+
+        bool ret = RepositorioPermisos.Singleton.CrearPermiso(permiso.descripcion);
+        return (ret) ? Ok(ret) : BadRequest();
+    }
+}
+
+public record AdminPermiso(string descripcion);
+#endif
\ No newline at end of file
diff --git a/Entidades/Dto/InquilinoDto.cs b/Entidades/Dto/InquilinoDto.cs
new file mode 100644
index 0000000..c02552b
--- /dev/null
+++ b/Entidades/Dto/InquilinoDto.cs
@@ -0,0 +1,8 @@
+namespace Entidades.Dto;
+
+public class InquilinoDto {
+    public long Dni { get; set; }
+    public string Nombre { get; set; } = "";
+    public string Apellido { get; set; } = "";
+
+}
\ No newline at end of file
diff --git a/Entidades/Dto/LoginDto.cs b/Entidades/Dto/LoginDto.cs
index 795194f..568ecf2 100644
--- a/Entidades/Dto/LoginDto.cs
+++ b/Entidades/Dto/LoginDto.cs
@@ -1,9 +1,7 @@
-using System.ComponentModel.DataAnnotations.Schema;
-
 namespace Entidades.Dto;
 
 public class LoginDto
 {
     public string Email {get; set;} = string.Empty;
-    public string Contraseña {get; set;} = string.Empty;
+    public string? Contraseña {get; set;} = string.Empty;
 }
diff --git a/Front/src/lib/NavBarAutocompletable.svelte b/Front/src/lib/NavBarAutocompletable.svelte
index 54c4262..dff21f9 100644
--- a/Front/src/lib/NavBarAutocompletable.svelte
+++ b/Front/src/lib/NavBarAutocompletable.svelte
@@ -1,44 +1,59 @@
 <script lang="ts">
-    import { Navbar, NavbarBrand, NavbarToggler, NavItem, Nav, NavLink, Collapse } from "@sveltestrap/sveltestrap";
-    import { onMount } from "svelte";
-    import { navigate } from "svelte-routing";
-    let isOpen = false;
-  
-  function handleUpdate(event: any) {
-    isOpen = event.detail.isOpen;
-  }  
+  import { Navbar, NavbarBrand, NavbarToggler, NavItem, Nav, NavLink, Collapse } from "@sveltestrap/sveltestrap";
+  import { onMount } from "svelte";
+  import { writable } from 'svelte/store';
 
-  let permisos = $state()
+  let isOpen: boolean = $state(false);
 
+  interface Permiso {
+    id: number;
+    descripcion: string;
+  }
+
+  const permisos = writable<Permiso[]>([]);
+  const email = localStorage.getItem('email');
+  const token = sessionStorage.getItem('token');
+
+ 
   async function obtenerPermisos(){
     try {
       const response = await fetch("http://localhost:5007/api/acciones",{
         method: 'POST',
         headers: {
+          'Auth' : String(token),
           'Content-Type' : "application/json"
         },
-        credentials: 'include'
+        body: JSON.stringify({email})
       });
       if (response.ok){
-        permisos = response.json();
+        const json  = await response.json();
+        
+        permisos.set(json);
       }
     } catch (e) {
       console.error(e);
-      navigate("/");
+ 
     }
   }
-
-  onMount(async () => {
-
+  
+  $inspect(permisos);
+  onMount( () => {
+     obtenerPermisos();
   })
 </script>
 
 <Navbar container="xxl" expand="md" color="dark-subtle">
-  <NavbarBrand href="/Menu">AlquilaFacil</NavbarBrand>
+  <NavbarBrand href="/">
+    AlquilaFacil
+  </NavbarBrand>
   <NavbarToggler on:click={() => (isOpen = !isOpen)} />
-  <Collapse isOpen={isOpen} navbar expand="md" on:update={handleUpdate}>
+  <Collapse isOpen={isOpen} navbar expand="md">
     <Nav class="ms-auto" navbar>
-    
+    {#each $permisos as item }
+      <NavItem>
+        <NavLink href="/accion/{item.id}">{item.descripcion}</NavLink>
+      </NavItem>
+    {/each}
     </Nav>
   </Collapse>
 </Navbar>
diff --git a/Front/src/lib/NavBarLogin.svelte b/Front/src/lib/NavBarLogin.svelte
index 79e38e5..556024e 100644
--- a/Front/src/lib/NavBarLogin.svelte
+++ b/Front/src/lib/NavBarLogin.svelte
@@ -1,9 +1,8 @@
 <script lang="ts">
     import { Navbar, NavbarBrand, NavbarToggler, NavItem, Nav, NavLink, Collapse } from "@sveltestrap/sveltestrap";
-    let isOpen = $state(false);
-    function handleUpdate(event) {
-      isOpen = event.detail.isOpen;
-    }
+    
+    let isOpen:boolean = false;
+ 
 </script>
 
 
@@ -12,7 +11,7 @@
     AlquilaFacil
   </NavbarBrand>
   <NavbarToggler on:click={() => (isOpen = !isOpen)} />
-  <Collapse isOpen={isOpen} navbar expand="md" on:update={handleUpdate}>
+  <Collapse isOpen={isOpen} navbar expand="md">
     <Nav class="ms-auto" navbar>
       <NavItem>
         <NavLink href="/">Login</NavLink>
diff --git a/Front/src/lib/RutaProtegida.svelte b/Front/src/lib/RutaProtegida.svelte
index a4c252e..d49816a 100644
--- a/Front/src/lib/RutaProtegida.svelte
+++ b/Front/src/lib/RutaProtegida.svelte
@@ -1,51 +1,53 @@
 <script>
-  import { onMount } from 'svelte';
-  import { navigate } from 'svelte-routing'; // Asumiendo que estás usando svelte-routing
-  import { writable } from 'svelte/store';
-
-  let isAuthenticated = writable(false);
-  let isVerified = writable(false);
-
- 
-  let { component } = $props();
-
-  let redirect = window.location.pathname;
-
-  const email = localStorage.getItem('email');
-
-  const handleAccess = async () => {
+    import { onMount } from 'svelte';
+    import { navigate } from 'svelte-routing'; 
+    import { writable } from 'svelte/store';
+  
+    export let component;  
+  
+    const isAuthenticated = writable(false); 
+    const isVerified = writable(false); 
+  
+    const redirect = window.location.pathname;
+    const email = localStorage.getItem('email');
+    const token = sessionStorage.getItem('token');
+  
+    const handleAccess = async () => {
       try {
-          const response = await fetch('http://127.0.0.1:5007/api/login/validar', {
-              method: 'POST',
-              headers: {
-                  'Content-Type': 'application/json',
-              },
-              body: JSON.stringify( {email, redirect} ),
-              credentials: "include"
-          });
-
-          if (response.ok) {
-              isAuthenticated.set(true);
-          }
+        const response = await fetch('http://127.0.0.1:5007/api/login/validar', {
+          method: 'POST',
+          headers: {
+            'Auth': String(token),
+            'Content-Type': 'application/json',
+          },
+          body: JSON.stringify({ email, redirect }),
+          credentials: "include"
+        });
+  
+        if (response.ok) {
+          isAuthenticated.set(true); // Actualiza el store
+        }
+      } catch (error) {
+        console.error('Error durante la autenticación:', error);
       } finally {
-          isVerified.set(true);
+        isVerified.set(true); // Marca la verificación como completada
       }
-  };
-
-  onMount(async () => {
-      await handleAccess();
-  });
-</script>
-
-{#if !$isVerified}
+    };
+  
+    onMount(() => {
+      handleAccess();
+    });
+  </script>
+  
+  {#if !$isVerified}
     <div class="spinner-border position-absolute top-50 start-50 translate-middle" role="status">
-        <span class="visually-hidden">Cargando</span>
+      <span class="visually-hidden">Cargando</span>
     </div>
-{:else}
+  {:else}
     {#if $isAuthenticated}
-        {@const SvelteComponent = component}
-        <SvelteComponent/>
+      <svelte:component this={component} />
     {:else}
-        {navigate('/')}
+      {navigate('/')}  
     {/if}
-{/if}
+  {/if}
+  
\ No newline at end of file
diff --git a/Front/src/lib/login.svelte b/Front/src/lib/login.svelte
index f3202d6..a98a8f3 100644
--- a/Front/src/lib/login.svelte
+++ b/Front/src/lib/login.svelte
@@ -32,6 +32,7 @@
       const ret = await response.json();
       localStorage.clear();
       localStorage.setItem('email', ret.email);
+      sessionStorage.setItem('token', ret.token);
       //setTimeout(() => console.log("50ms") ,50);
       navigate(ret.redirect);
     } catch (e) {
diff --git a/Front/tsconfig.json b/Front/tsconfig.json
index 1f46d53..df56300 100644
--- a/Front/tsconfig.json
+++ b/Front/tsconfig.json
@@ -17,5 +17,5 @@
     "moduleDetection": "force"
   },
   "include": ["src/**/*.ts", "src/**/*.js", "src/**/*.svelte"],
-  "references": [{ "path": "./tsconfig.json" }]
+  "references": [{ "path": "./tsconfig.node.json" }]
 }
diff --git a/Modelo/RepositorioGrupos.cs b/Modelo/RepositorioGrupos.cs
new file mode 100644
index 0000000..b8ce74a
--- /dev/null
+++ b/Modelo/RepositorioGrupos.cs
@@ -0,0 +1,25 @@
+#if DEBUG
+
+using Entidades;
+
+namespace Modelo;
+public class RepositorioGrupos: RepositorioBase<RepositorioGrupos> {
+    public bool CrearGrupo(string descripcion)
+    {
+        var con = Context;
+
+        int mx = con.Grupos.Max(grupo => grupo.Id);
+        Grupo gru = new Grupo{
+            Id = mx+1,
+            Nombre = descripcion,
+        };
+        con.Grupos.Add(gru);
+        
+        return Guardar(con);
+    }
+
+ 
+
+}
+
+#endif
\ No newline at end of file
diff --git a/Modelo/RepositorioInquilinos.cs b/Modelo/RepositorioInquilinos.cs
new file mode 100644
index 0000000..809b15e
--- /dev/null
+++ b/Modelo/RepositorioInquilinos.cs
@@ -0,0 +1,17 @@
+using Entidades.Dto;
+using Microsoft.EntityFrameworkCore;
+
+namespace Modelo;
+
+public class RepositorioInquilinos: RepositorioBase<RepositorioInquilinos> {
+    public IQueryable<InquilinoDto> GetInquilinos()
+    {
+        FormattableString sqlq =
+        $"""
+        SELECT I.Dni, I.Nombre, I.Apellido FROM Inquilinos
+        """;
+        return Context.Database.SqlQuery<InquilinoDto>(sqlq);
+    }
+
+
+}
\ No newline at end of file
diff --git a/Modelo/RepositorioPermisos.cs b/Modelo/RepositorioPermisos.cs
index 4439813..c4c155f 100644
--- a/Modelo/RepositorioPermisos.cs
+++ b/Modelo/RepositorioPermisos.cs
@@ -1,3 +1,4 @@
+using System.Text.RegularExpressions;
 using Entidades;
 using Microsoft.EntityFrameworkCore;
 
@@ -14,6 +15,46 @@ public class RepositorioPermisos: RepositorioBase<RepositorioPermisos> {
         .SelectMany(g => g.Idpermisos)      
         .Distinct();
         return list;
-        
     }
+
+    public bool CheckPermisos(string token, string path){
+        var con = Context;
+        //checkeo que el token corresponda a un usuario
+        Cliente? cli = con.Clientes.FirstOrDefault(x => x.Token == token);
+        if (cli == null || cli.Dni == 0) return false;
+
+        // obtengo una lista de los permisos
+        var permisos = con.Clientes
+            .Where(x => x.Dni == cli.Dni)
+            .SelectMany(x => x.Idgrupos)
+            .SelectMany(x => x.Idpermisos)
+            .Distinct();
+        
+        //me inspiré y hice un regex pero si eliminaba los primeros 8(?) caracteres del string era lo mismo
+        Match match = Regex.Match(path, @"^/accion/(\d+)$");
+        int.TryParse(match.Groups[1].Value, out int idpermiso);
+        bool tienePermiso = false;
+
+        Parallel.ForEach(permisos, (x, i) =>{
+            if (x.Id == idpermiso) {
+                tienePermiso = true;
+            }
+        });
+
+        return tienePermiso;
+    }
+
+#if DEBUG
+    public bool CrearPermiso(string descripcion) {
+        var con = Context;
+        int mx = con.Permisos.Max(x => x.Id);
+        
+        Permiso per = new Permiso{
+            Id = mx,
+            Descripcion = descripcion
+        };
+        con.Permisos.Add(per);
+        return Guardar(con);
+    }
+#endif
 }
\ No newline at end of file
diff --git a/Modelo/RepositorioUsuarios.cs b/Modelo/RepositorioUsuarios.cs
index dfc4701..14e998f 100644
--- a/Modelo/RepositorioUsuarios.cs
+++ b/Modelo/RepositorioUsuarios.cs
@@ -57,6 +57,10 @@ public class RepositorioUsuarios: RepositorioBase<RepositorioUsuarios>
         var usu = Context.Clientes.FirstOrDefault(x => x.Email ==  email);
         if (usu == null) return false;
 
+        #if DEBUG
+        //Console.WriteLine(token + "\n" +usu.Token);
+        #endif
+        
         return usu.Token == token;
     }