diff --git a/.env b/.env
index 50988a3..1dbbdd7 100644
--- a/.env
+++ b/.env
@@ -3,7 +3,7 @@ FLASK_SECRET_KEY=replace-with-long-random-string
 # Firebase Admin (choose ONE of these approaches)
 # 1) Path to JSON creds file
-GOOGLE_APPLICATION_CREDENTIALS=./rothbard-service-account.json
+GOOGLE_APPLICATION_CREDENTIALS=./rothbard-staging2-12345-firebase-adminsdk-fbsvc-7f95268383.json
 # 2) Or inline JSON (escaped as single line)
 # FIREBASE_SERVICE_ACCOUNT_JSON={"type":"service_account",...}
@@ -15,7 +15,8 @@ FILEVINE_ORG_ID=9227
 FILEVINE_USER_ID=100510
 # Front-end Firebase (public — safe to expose)
-FIREBASE_API_KEY=AIzaSyC7t2D0uSuc1hm6ZEkfUMVPtkaE2TXF1a0
-FIREBASE_AUTH_DOMAIN=rothbard-3f496.firebaseapp.com
-FIREBASE_PROJECT_ID=rothbard-3f496
-FIREBASE_APP_ID=1:90016977941:web:da38d57849021115e52a1c
+FIREBASE_API_KEY=AIzaSyB4pblbfM4YIs37xTHbWyUkyXWNfuWnefI
+FIREBASE_AUTH_DOMAIN=rothbard-staging2-12345.firebaseapp.com
+FIREBASE_PROJECT_ID=rothbard-staging2-12345
+FIREBASE_APP_ID=1:695441955489:web:bbee4153fe0994c5c72ee0
+FIRESTORE_DB=rothbard-staging2
diff --git a/firestore.rules b/firestore.rules
new file mode 100644
index 0000000..18cdb05
--- /dev/null
+++ b/firestore.rules
@@ -0,0 +1,14 @@
+rules_version = '2';
+service cloud.firestore {
+  match /databases/{database}/documents {
+    // Allow read/write access to user's own settings
+    match /users/{userId} {
+      allow read, write: if request.auth != null && request.auth.uid == userId;
+    }
+
+    // Deny access to all other documents
+    match /{document=**} {
+      allow read, write: if false;
+    }
+  }
+}
\ No newline at end of file
diff --git a/main.tf b/main.tf
index 9e7cf79..6caf663 100644
--- a/main.tf
+++ b/main.tf
@@ -2,7 +2,7 @@ provider "google" {
   project = var.project_id
   billing_project = var.project_id
-  region = var.region
+  region = var.region
   user_project_override = true
 }
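Review bot: The new GOOGLE_APPLICATION_CREDENTIALS value points at a downloaded Firebase Admin SDK key (`./rothbard-staging2-12345-firebase-adminsdk-fbsvc-7f95268383.json`) in the repo root, and this `.env` is itself tracked (the diff is against `a/.env`), so the only thing keeping that key out of git history is a `.gitignore` entry that is not visible here. An Admin SDK key is a long-lived credential that bypasses the Firestore rules added in this same commit, so confirm the JSON file is ignored (and scan history if it was ever staged), and prefer the key-less route — Application Default Credentials via Workload Identity or `gcloud auth application-default login` — keeping the `FIREBASE_SERVICE_ACCOUNT_JSON` inline option for a CI secrets store. I would also not publish the environment-specific filename (project id plus what looks like the key-id prefix `7f95268383`) in a tracked file; something like `GOOGLE_APPLICATION_CREDENTIALS=./service-account.json  # local only, never committed (see .gitignore)` in a `.env.example` is enough.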
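Review bot: The comment `# Front-end Firebase (public — safe to expose)` only holds if the new key `AIzaSyB4pb…` is restricted in the Cloud console: a Firebase web API key is an identifier rather than a secret, but an unrestricted one lets anyone call the Identity Toolkit REST API for `rothbard-staging2-12345` from any origin (sign-up, sign-in attempts, password-reset mail), not just the app. Add HTTP-referrer restrictions and limit the key to the Firebase/Identity Toolkit APIs, and say so in the comment, e.g. `# Front-end Firebase (public — safe to expose once referrer + API restrictions are set on the key)`. The old project's key and app id remain in history, which is fine for public identifiers but worth noting if `rothbard-3f496` is being decommissioned.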
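Review bot: The owner rule grants unrestricted `write` on `/users/{userId}`, so any signed-in user can create, overwrite or delete their own document with arbitrary fields — far more than the "settings" the comment describes; if a backend reading Firestore with the Admin SDK (which bypasses these rules) trusts anything in that document, for example a role, plan or the Filevine ids configured in `.env`, the user can set it themselves. Split the verbs and whitelist the writable keys: `allow read: if request.auth != null && request.auth.uid == userId;` and `allow create, update: if request.auth != null && request.auth.uid == userId && request.resource.data.keys().hasOnly([/* settings fields */]);`, leaving `delete` to the default deny. Two things worth a comment in the file: `match /users/{userId}` does not cover subcollections (the catch-all correctly denies them), and `{database}` is a wildcard, so this ruleset applies to every Firestore database in the project, not only the one named in `.env`.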
@@ -79,7 +79,7 @@ resource "google_firebase_web_app" "main_app" {
 resource "google_firestore_database" "main_firestore" {
   provider = google-beta
   project = google_project.main_project.project_id
-  name = "${google_project.main_project.name}"
+  name = "(default)"
   location_id = var.region
   type = "FIRESTORE_NATIVE"
   concurrency_mode = "OPTIMISTIC"
@@ -136,6 +136,33 @@ resource "google_identity_platform_config" "main_config" {
   depends_on = [google_project_service.auth_service]
 }
+resource "google_firebaserules_ruleset" "primary" {
+  source {
+    files {
+      content = <
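Review bot: Changing `name` on `google_firestore_database` from the project name to `(default)` is, as far as I recall, a force-new attribute, so `terraform apply` will plan to destroy the existing named database and create an empty `(default)` one — check the plan before applying and, if the old database holds data, export it or import the existing `(default)` database into state instead of replacing. The resource `main_firestore` continues past the hunk, so `delete_protection_state`/`deletion_policy` may be set below; if they are not, add them before staging traffic depends on this database. Note also that `.env` in this same commit introduces `FIRESTORE_DB=rothbard-staging2`, while the Firebase client SDKs and this Terraform now target `(default)`; one of the two is stale and it is worth a comment on the `name` line saying which database the app is expected to use.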