diff --git a/server/routes/debug.js b/server/routes/debug.js
index bb01e49..b4ead64 100644
--- a/server/routes/debug.js
+++ b/server/routes/debug.js
@@ -1,8 +1,9 @@
 const express = require('express');
 const { ApiDebugLogger } = require('../utils/apiDebugLogger');
-const { DroneDetection, Heartbeat } = require('../models');
+const { DroneDetection, Heartbeat, Device } = require('../models');
 const { Op } = require('sequelize');
 const { authenticateToken } = require('../middleware/auth');
+const MultiTenantAuth = require('../middleware/multi-tenant-auth');
 const router = express.Router();
 const logger = new ApiDebugLogger();
@@ -25,7 +26,7 @@ router.get('/debug-test', (req, res) => {
 });
 // Get recent detection payloads with raw data
-router.get('/detection-payloads', authenticateToken, async (req, res) => {
+router.get('/detection-payloads', authenticateToken, MultiTenantAuth, async (req, res) => {
   try {
     const { limit = 50, offset = 0, device_id, detection_id } = req.query;
@@ -41,8 +42,17 @@ router.get('/detection-payloads', authenticateToken, async (req, res) => {
       whereClause.id = detection_id;
     }
+    // 🔒 SECURITY: Filter detections by user's tenant using device relationship
     const detections = await DroneDetection.findAll({
       where: whereClause,
+      include: [{
+        model: Device,
+        as: 'device',
+        where: {
+          tenant_id: req.user.tenant_id
+        },
+        attributes: ['id', 'name', 'tenant_id']
+      }],
       order: [['server_timestamp', 'DESC']],
       limit: parseInt(limit),
       offset: parseInt(offset),
@@ -52,13 +62,14 @@ router.get('/detection-payloads', authenticateToken, async (req, res) => {
       ]
     });
-    console.log(`🔍 Retrieved ${detections.length} detection payloads for debugging`);
+    console.log(`� Retrieved ${detections.length} detection payloads for tenant ${req.user.tenant_id}`);
     res.json({
       success: true,
       data: detections,
       total: detections.length,
-      filters: { device_id, limit, offset }
+      filters: { device_id, limit, offset },
+      tenant_id: req.user.tenant_id
     });
   } catch (error) {
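Review bot: `MultiTenantAuth` is `require`d as a whole module and passed straight to `router.get` as middleware on the `/detection-payloads` route; that only works if `../middleware/multi-tenant-auth` exports a bare `(req, res, next)` function, otherwise Express rejects it at registration time (`Route.get() requires a callback function`), and nothing in the diff shows which shape the module has. If it exports an object, import the middleware explicitly, e.g. `const { MultiTenantAuth } = require('../middleware/multi-tenant-auth');`, and consider a camelCase name to match `authenticateToken`. The handler this guards continues past the hunk.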
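Review bot: The new tenant join relies on `req.user.tenant_id` being set, but nothing in this hunk checks it; a token for a user with no tenant (or a principal that `MultiTenantAuth` shapes differently) yields `where: { tenant_id: undefined }`, and depending on the Sequelize version that either throws a 500 or — in older releases — drops the predicate and returns every tenant's detections, which is exactly the leak this change is meant to close. Fail closed before the query: `const tenantId = req.user?.tenant_id;` followed by `if (tenantId == null) return res.status(403).json({ success: false, error: 'No tenant context' });`, then use `tenantId` in the `where`. Note also that an `include` carrying a `where` defaults to an inner join, so detections whose device row is missing are silently excluded — the safe direction, but worth a one-line comment next to the include. The handler starts in the previous hunk and ends in the next.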
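Review bot: The rewritten `console.log` line carries a literal U+FFFD replacement character where the original had the 🔍 glyph, so the commit was saved through a lossy encoding; restore the glyph or drop it, e.g. `console.log(\`Retrieved ${detections.length} detection payloads for tenant ${req.user.tenant_id}\`);`. Logging the tenant id is fine, but this is a debug route that returns raw payloads, so it may be worth routing the line through the already-constructed `logger` (`ApiDebugLogger`) rather than `console.log` so it follows whatever level/redaction rules the rest of the debug API uses — I cannot see what `ApiDebugLogger` does, so treat that as a question. The `catch` block continues outside the hunk.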
@@ -71,7 +82,7 @@ router.get('/detection-payloads', authenticateToken, async (req, res) => {
 });
 // Get recent heartbeat payloads with raw data
-router.get('/heartbeat-payloads', authenticateToken, async (req, res) => {
+router.get('/heartbeat-payloads', authenticateToken, MultiTenantAuth, async (req, res) => {
   try {
     const { limit = 50, offset = 0, device_id } = req.query;
@@ -83,8 +94,17 @@ router.get('/heartbeat-payloads', authenticateToken, async (req, res) => {
       whereClause.device_id = device_id;
     }
+    // 🔒 SECURITY: Filter heartbeats by user's tenant using device relationship
     const heartbeats = await Heartbeat.findAll({
       where: whereClause,
+      include: [{
+        model: Device,
+        as: 'device',
+        where: {
+          tenant_id: req.user.tenant_id
+        },
+        attributes: ['id', 'name', 'tenant_id']
+      }],
       order: [['received_at', 'DESC']],
       limit: parseInt(limit),
       offset: parseInt(offset),
@@ -93,13 +113,14 @@ router.get('/heartbeat-payloads', authenticateToken, async (req, res) => {
       ]
     });
-    console.log(`🔍 Retrieved ${heartbeats.length} heartbeat payloads for debugging`);
+    console.log(`� Retrieved ${heartbeats.length} heartbeat payloads for tenant ${req.user.tenant_id}`);
     res.json({
       success: true,
       data: heartbeats,
       total: heartbeats.length,
-      filters: { device_id, limit, offset }
+      filters: { device_id, limit, offset },
+      tenant_id: req.user.tenant_id
     });
   } catch (error) {
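Review bot: This `include` block is a byte-for-byte copy of the one added to `/detection-payloads`, and tenant scoping is exactly the kind of logic that drifts when two copies exist — the next route added to this file can forget it entirely. Extract it once, e.g. `const tenantDeviceInclude = (tenantId) => [{ model: Device, as: 'device', where: { tenant_id: tenantId }, attributes: ['id', 'name', 'tenant_id'] }];`, and use `include: tenantDeviceInclude(req.user.tenant_id)` in both queries, which also gives a single place to reject a missing `tenant_id` instead of passing `undefined` into the `where`. Separately, `limit: parseInt(limit)` on the same query is radix-less and unbounded on a route that returns raw payloads; clamp it, e.g. `const pageSize = Math.min(Number.parseInt(limit, 10) || 50, 500);`. The handler starts in the previous hunk and ends in the next.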