diff --git a/src/app/api/notifications/route.ts b/src/app/api/notifications/route.ts
index 4d45ba0..61625fa 100644
--- a/src/app/api/notifications/route.ts
+++ b/src/app/api/notifications/route.ts
@@ -1,5 +1,6 @@
 import { NextResponse } from "next/server";
 import { sql } from "@/db";
+import { requireFamily, requireOwnership } from "@/lib/auth";
 
 // IAP Vaccination Schedule (weeks from birth)
 const IAP_SCHEDULE = [
@@ -33,6 +34,9 @@ const IAP_SCHEDULE = [
 
 export async function GET(request: Request) {
 try {
+ const auth = await requireFamily();
+ if (!auth.success) return NextResponse.json({ error: auth.error }, { status: auth.status });
+
 const { searchParams } = new URL(request.url);
 const childId = searchParams.get("childId");
 
@@ -40,6 +44,9 @@ export async function GET(request: Request) {
 return NextResponse.json({ error: "childId required" }, { status: 400 });
 }
 
+ const ownership = await requireOwnership(childId, "children", "Child");
+ if (!ownership.success) return NextResponse.json({ error: ownership.error }, { status: ownership.status });
+
 // Get child's birth date
 const children = await sql`
 SELECT id, name, birth_date FROM children WHERE id = ${childId}
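Review bot: Only the GET handler gains the `requireFamily()` guard in the visible hunks; if route.ts exports other handlers (they would lie outside this diff), they need the same check or the route stays reachable without a session through them. The `auth` value is used here solely for its `success` flag, so a one-line comment above it, such as `// Authenticate before touching query parameters so unauthenticated callers get no validation feedback`, would record why the check precedes the `childId` test. GET's body continues outside the hunk.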
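Review bot: `requireOwnership(childId, "children", "Child")` is given no caller context (the `auth` result from the previous hunk is not passed in), so the check is only sound if the helper resolves the current session itself; that is not visible here and should be confirmed in `@/lib/auth`. The `SELECT id, name, birth_date FROM children WHERE id = ${childId}` that follows is still keyed by `childId` alone, so also scoping it to the authenticated family would keep the read safe if the guard is later moved or removed. If the helper returns different statuses for a missing child and for one that belongs to another family, an authenticated caller can learn which ids exist; answering both cases with the same status and message avoids that. GET's body continues outside the hunk.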