diff --git a/app/Plan/PlanController.php b/app/Plan/PlanController.php
index cb88de8..f7aa4ec 100644
--- a/app/Plan/PlanController.php
+++ b/app/Plan/PlanController.php
@@ -5,6 +5,7 @@ namespace App\Plan;
 use App\Exceptions\BadRequestException;
 use App\Plan\UseCases\CreatePlan;
 use App\Plan\UseCases\CreatePlanRequest;
+use App\User\User;
 use DomainException;
 use Psr\Http\Message\ResponseInterface as Response;
 use Psr\Http\Message\ServerRequestInterface as Request;
@@ -16,9 +17,17 @@ class PlanController
         Response $response,
         CreatePlan $createPlanUseCase,
     ): Response {
+        $user = $request->getAttribute('user');
+        if (!$user instanceof User) {
+            $response->getBody()->write(
+                json_encode(['error' => 'unauthenticated'])
+            );
+            return $response->withStatus(401)
+                ->withHeader('Content-Type', 'application/json');
+        }
+
         $data = json_decode((string) $request->getBody(), true) ?? [];
 
-        $userId = isset($data['userId']) ? (int) $data['userId'] : null;
         $textId = isset($data['textId']) ? (int) $data['textId'] : null;
         $name = $data['name'] ?? null;
         $dateStart = $data['dateStart'] ?? null;
@@ -26,7 +35,7 @@ class PlanController
 
         try {
             $plan = $createPlanUseCase->execute(new CreatePlanRequest(
-                userId: $userId,
+                userId: $user->getId(),
                 textId: $textId,
                 name: $name,
                 dateStart: $dateStart,