diff --git a/src/Cryptie.Server/DatabaseUpdater.cs b/src/Cryptie.Server/DatabaseUpdater.cs
index 9515303..6ed5a8d 100644
--- a/src/Cryptie.Server/DatabaseUpdater.cs
+++ b/src/Cryptie.Server/DatabaseUpdater.cs
@@ -12,6 +12,10 @@ public DatabaseUpdater(IServiceProvider serviceProvider)
         _serviceProvider = serviceProvider;
     }
 
+    /// <summary>
+    ///     Applies pending Entity Framework migrations on application startup.
+    /// </summary>
+    /// <returns>A task representing the asynchronous operation.</returns>
     public async Task PerformDatabaseUpdate()
     {
         using var scope = _serviceProvider.CreateScope();
diff --git a/src/Cryptie.Server/DockerStarter.cs b/src/Cryptie.Server/DockerStarter.cs
index e658c74..8f01d79 100644
--- a/src/Cryptie.Server/DockerStarter.cs
+++ b/src/Cryptie.Server/DockerStarter.cs
@@ -5,6 +5,10 @@ namespace Cryptie.Server;
 
 public class DockerStarter
 {
+    /// <summary>
+    ///     Starts a local PostgreSQL container if it is not running.
+    /// </summary>
+    /// <returns>A task representing the asynchronous startup process.</returns>
     public async Task StartPostgresAsync()
     {
         var client = new DockerClientConfiguration().CreateClient();
diff --git a/src/Cryptie.Server/Features/Authentication/Services/AuthenticationService.cs b/src/Cryptie.Server/Features/Authentication/Services/AuthenticationService.cs
index e1abdfd..53d60c5 100644
--- a/src/Cryptie.Server/Features/Authentication/Services/AuthenticationService.cs
+++ b/src/Cryptie.Server/Features/Authentication/Services/AuthenticationService.cs
@@ -15,6 +15,15 @@ public class AuthenticationService(
     IDatabaseService databaseService)
     : ControllerBase, IAuthenticationService
 {
+    /// <summary>
+    ///     Handles the first phase of login by verifying provided credentials
+    ///     and issuing a temporary TOTP token when successful.
+    /// </summary>
+    /// <param name="loginRequest">Login credentials.</param>
+    /// <returns>
+    ///     <see cref="LoginResponseDto"/> containing a TOTP token when
+    ///     credentials are valid; otherwise an error result.
+    /// </returns>
     public IActionResult LoginHandler(LoginRequestDto loginRequest)
     {
         var user = appDbContext.Users
@@ -40,6 +49,12 @@ public IActionResult LoginHandler(LoginRequestDto loginRequest)
         return Ok(new LoginResponseDto { TotpToken = totpToken });
     }
 
+    /// <summary>
+    ///     Validates the provided TOTP code and issues a session token when
+    ///     the code is correct.
+    /// </summary>
+    /// <param name="totpRequest">Request containing TOTP code and token.</param>
+    /// <returns>Session token on success or an error result.</returns>
     public IActionResult TotpHandler(TotpRequestDto totpRequest)
     {
         var now = DateTime.UtcNow;
@@ -72,6 +87,12 @@ public IActionResult TotpHandler(TotpRequestDto totpRequest)
         });
     }
 
+    /// <summary>
+    ///     Registers a new user and returns the initial TOTP configuration
+    ///     along with a TOTP token for verification.
+    /// </summary>
+    /// <param name="registerRequest">Information required to create the user.</param>
+    /// <returns>Registration details including the TOTP secret.</returns>
     public IActionResult RegisterHandler(RegisterRequestDto registerRequest)
     {
         if (databaseService.FindUserByLogin(registerRequest.Login) != null) return BadRequest();
diff --git a/src/Cryptie.Server/Features/Authentication/Services/DelayService.cs b/src/Cryptie.Server/Features/Authentication/Services/DelayService.cs
index a977c3d..3942fa9 100644
--- a/src/Cryptie.Server/Features/Authentication/Services/DelayService.cs
+++ b/src/Cryptie.Server/Features/Authentication/Services/DelayService.cs
@@ -7,6 +7,12 @@ public class DelayService : IDelayService
 {
     private const int TargetMilliseconds = 100;
 
+    /// <summary>
+    ///     Executes the given action and ensures that the call takes at least a
+    ///     predefined amount of time. Useful to mitigate timing attacks.
+    /// </summary>
+    /// <param name="func">Action returning an <see cref="IActionResult"/> to execute.</param>
+    /// <returns>Result of <paramref name="func"/> after the artificial delay.</returns>
     public async Task<IActionResult> FakeDelay(Func<IActionResult> func)
     {
         var stopwatch = Stopwatch.StartNew();
diff --git a/src/Cryptie.Server/Features/Authentication/Services/LockoutService.cs b/src/Cryptie.Server/Features/Authentication/Services/LockoutService.cs
index dc72f65..beaf518 100644
--- a/src/Cryptie.Server/Features/Authentication/Services/LockoutService.cs
+++ b/src/Cryptie.Server/Features/Authentication/Services/LockoutService.cs
@@ -5,6 +5,13 @@ namespace Cryptie.Server.Features.Authentication.Services;
 
 public class LockoutService(IAppDbContext appDbContext) : ILockoutService
 {
+    /// <summary>
+    ///     Determines whether a user or honeypot account should be locked out
+    ///     based on failed login attempts.
+    /// </summary>
+    /// <param name="user">Real user instance if available.</param>
+    /// <param name="honeypotLogin">Login of a honeypot account when no real user exists.</param>
+    /// <returns><c>true</c> if the account is locked out; otherwise <c>false</c>.</returns>
     public bool IsUserLockedOut(User? user, string honeypotLogin = "")
     {
         var referenceLockTimestamp = DateTime.UtcNow.AddMinutes(-60);
@@ -28,28 +35,56 @@ public bool IsUserLockedOut(User? user, string honeypotLogin = "")
         return true;
     }
 
+    /// <summary>
+    ///     Checks if the specified user has an active lockout entry.
+    /// </summary>
+    /// <param name="user">User entity to check.</param>
+    /// <param name="referenceLockTimestamp">Timestamp defining the lockout window.</param>
+    /// <returns><c>true</c> when the user has an active lock.</returns>
     public bool IsUserAccountHasLock(User user, DateTime referenceLockTimestamp)
     {
         return appDbContext.UserAccountLocks.Any(l => l.User == user && l.Until > referenceLockTimestamp);
     }
 
+    /// <summary>
+    ///     Checks if the honeypot account has an active lockout entry.
+    /// </summary>
+    /// <param name="user">Honeypot login to check.</param>
+    /// <param name="referenceLockTimestamp">Timestamp defining the lockout window.</param>
+    /// <returns><c>true</c> when the account has an active lock.</returns>
     public bool IsUserAccountHasLock(string user, DateTime referenceLockTimestamp)
     {
         return appDbContext.HoneypotAccountLocks.Any(l => l.Username == user && l.Until > referenceLockTimestamp);
     }
 
+    /// <summary>
+    ///     Evaluates if the user has exceeded the allowed login attempts.
+    /// </summary>
+    /// <param name="user">User entity to check.</param>
+    /// <param name="referenceAttemptTimestamp">Timestamp defining the attempts window.</param>
+    /// <returns><c>true</c> if there are too many attempts.</returns>
     public bool IsUserAccountHasTooManyAttempts(User user, DateTime referenceAttemptTimestamp)
     {
         return appDbContext.UserLoginAttempts.Count(a => a.User == user && a.Timestamp > referenceAttemptTimestamp) <
                2;
     }
 
+    /// <summary>
+    ///     Evaluates if the honeypot account has exceeded the allowed login attempts.
+    /// </summary>
+    /// <param name="user">Honeypot login to check.</param>
+    /// <param name="referenceAttemptTimestamp">Timestamp defining the attempts window.</param>
+    /// <returns><c>true</c> if there are too many attempts.</returns>
     public bool IsUserAccountHasTooManyAttempts(string user, DateTime referenceAttemptTimestamp)
     {
         return appDbContext.HoneypotLoginAttempts.Count(a =>
             a.Username == user && a.Timestamp > referenceAttemptTimestamp) < 2;
     }
 
+    /// <summary>
+    ///     Creates a lockout entry for the specified user.
+    /// </summary>
+    /// <param name="user">User entity to lock.</param>
     public void LockUserAccount(User user)
     {
         appDbContext.UserAccountLocks.Add(new UserAccountLock
@@ -62,6 +97,10 @@ public void LockUserAccount(User user)
         appDbContext.SaveChanges();
     }
 
+    /// <summary>
+    ///     Creates a lockout entry for the specified honeypot login.
+    /// </summary>
+    /// <param name="user">Honeypot login to lock.</param>
     public void LockUserAccount(string user)
     {
         appDbContext.HoneypotAccountLocks.Add(new HoneypotAccountLock
diff --git a/src/Cryptie.Server/Features/GroupManagement/Services/GroupManagementService.cs b/src/Cryptie.Server/Features/GroupManagement/Services/GroupManagementService.cs
index 6686cc1..a76feac 100644
--- a/src/Cryptie.Server/Features/GroupManagement/Services/GroupManagementService.cs
+++ b/src/Cryptie.Server/Features/GroupManagement/Services/GroupManagementService.cs
@@ -9,6 +9,11 @@ public class GroupManagementService(
     IDatabaseService databaseService
 ) : ControllerBase, IGroupManagementService
 {
+    /// <summary>
+    ///     Determines privacy status for a collection of groups.
+    /// </summary>
+    /// <param name="isGroupsPrivateRequest">List of group identifiers.</param>
+    /// <returns>Dictionary with group ids and their privacy status.</returns>
     public IActionResult IsGroupsPrivate(IsGroupsPrivateRequestDto isGroupsPrivateRequest)
     {
         var result = new Dictionary<Guid, bool>();
@@ -22,6 +27,12 @@ public IActionResult IsGroupsPrivate(IsGroupsPrivateRequestDto isGroupsPrivateRe
         return Ok(new IsGroupsPrivateResponseDto { GroupStatuses = result });
     }
 
+    /// <summary>
+    ///     Returns display names for all groups the user is a member of.
+    ///     Private groups are represented by the other member's display name.
+    /// </summary>
+    /// <param name="getGroupsNamesRequest">Request containing user session token.</param>
+    /// <returns>Mapping of group ids to their display names.</returns>
     public IActionResult GetGroupsNames([FromBody] GetGroupsNamesRequestDto getGroupsNamesRequest)
     {
         var user = databaseService.GetUserFromToken(getGroupsNamesRequest.SessionToken);
diff --git a/src/Cryptie.Server/Features/KeysManagement/Services/KeysManagementService.cs b/src/Cryptie.Server/Features/KeysManagement/Services/KeysManagementService.cs
index 7cf98ec..283661b 100644
--- a/src/Cryptie.Server/Features/KeysManagement/Services/KeysManagementService.cs
+++ b/src/Cryptie.Server/Features/KeysManagement/Services/KeysManagementService.cs
@@ -6,6 +6,11 @@ namespace Cryptie.Server.Features.KeysManagement.Services;
 
 public class KeysManagementService(IDatabaseService databaseService) : ControllerBase, IKeysManagementService
 {
+    /// <summary>
+    ///     Retrieves public key of specified user.
+    /// </summary>
+    /// <param name="getUserKeyRequest">Request containing the user identifier.</param>
+    /// <returns>DTO with the public key string.</returns>
     public IActionResult getUserKey([FromBody] GetUserKeyRequestDto getUserKeyRequest)
     {
         var key = databaseService.GetUserPublicKey(getUserKeyRequest.UserId);
@@ -15,6 +20,11 @@ public IActionResult getUserKey([FromBody] GetUserKeyRequestDto getUserKeyReques
         });
     }
 
+    /// <summary>
+    ///     Retrieves AES keys for all groups the current user belongs to.
+    /// </summary>
+    /// <param name="getGroupsKeyRequest">Request containing the session token.</param>
+    /// <returns>Dictionary mapping group ids to their AES keys.</returns>
     public IActionResult getGroupsKey([FromBody] GetGroupsKeyRequestDto getGroupsKeyRequest)
     {
         var user = databaseService.GetUserFromToken(getGroupsKeyRequest.SessionToken);
diff --git a/src/Cryptie.Server/Features/Messages/Hubs/MessageHub.cs b/src/Cryptie.Server/Features/Messages/Hubs/MessageHub.cs
index 8f18975..4349a38 100644
--- a/src/Cryptie.Server/Features/Messages/Hubs/MessageHub.cs
+++ b/src/Cryptie.Server/Features/Messages/Hubs/MessageHub.cs
@@ -7,11 +7,20 @@ public class MessageHub : Hub, IMessageHub
 {
     private static readonly ConcurrentDictionary<string, Guid> Users = new();
 
+    /// <summary>
+    ///     Broadcasts a plain text message to all connected clients.
+    /// </summary>
+    /// <param name="message">Message to broadcast.</param>
     public async Task SendMessage(string message)
     {
         await Clients.All.SendAsync("ReceiveMessage", message);
     }
 
+    /// <summary>
+    ///     Adds the current connection to a SignalR group and notifies other members.
+    /// </summary>
+    /// <param name="user">Identifier of the joining user.</param>
+    /// <param name="group">Group identifier.</param>
     public async Task JoinGroup(Guid user, Guid group)
     {
         Users.TryAdd(Context.ConnectionId, user);
@@ -19,6 +28,12 @@ public async Task JoinGroup(Guid user, Guid group)
         await Clients.Group(group.ToString()).SendAsync("UserJoinedGroup", user, group);
     }
 
+    /// <summary>
+    ///     Sends a message to all members of a group.
+    /// </summary>
+    /// <param name="group">Group identifier.</param>
+    /// <param name="senderId">Sender identifier.</param>
+    /// <param name="message">Encrypted message payload.</param>
     public async Task SendMessageToGroup(Guid group, Guid senderId, string message)
     {
         await Clients
diff --git a/src/Cryptie.Server/Features/Messages/Services/MessageHubService.cs b/src/Cryptie.Server/Features/Messages/Services/MessageHubService.cs
index e4c48ba..f12e08d 100644
--- a/src/Cryptie.Server/Features/Messages/Services/MessageHubService.cs
+++ b/src/Cryptie.Server/Features/Messages/Services/MessageHubService.cs
@@ -12,6 +12,12 @@ public MessageHubService(IHubContext<MessageHub> hubContext)
         _hubContext = hubContext;
     }
 
+    /// <summary>
+    ///     Sends a real-time notification to all clients connected to the specified group.
+    /// </summary>
+    /// <param name="group">Group identifier.</param>
+    /// <param name="senderId">Identifier of the message sender.</param>
+    /// <param name="message">Encrypted message body.</param>
     public void SendMessageToGroup(Guid group, Guid senderId, string message)
     {
         _hubContext.Clients.Group(group.ToString())
diff --git a/src/Cryptie.Server/Features/Messages/Services/MessagesService.cs b/src/Cryptie.Server/Features/Messages/Services/MessagesService.cs
index b7001cb..08d0814 100644
--- a/src/Cryptie.Server/Features/Messages/Services/MessagesService.cs
+++ b/src/Cryptie.Server/Features/Messages/Services/MessagesService.cs
@@ -7,6 +7,11 @@ namespace Cryptie.Server.Features.Messages.Services;
 public class MessagesService(IDatabaseService databaseService, IMessageHubService messageHubService)
     : ControllerBase, IMessagesService
 {
+    /// <summary>
+    ///     Sends a message to a specified group on behalf of the authenticated user.
+    /// </summary>
+    /// <param name="sendMessageRequest">Request containing message and authentication data.</param>
+    /// <returns><see cref="OkResult"/> when the message is sent.</returns>
     public IActionResult SendMessage([FromBody] SendMessageRequestDto sendMessageRequest)
     {
         var user = databaseService.GetUserFromToken(sendMessageRequest.SenderToken);
@@ -24,6 +29,11 @@ public IActionResult SendMessage([FromBody] SendMessageRequestDto sendMessageReq
         return Ok();
     }
 
+    /// <summary>
+    ///     Retrieves all messages for a particular group.
+    /// </summary>
+    /// <param name="request">Request containing user token and group identifier.</param>
+    /// <returns>List of messages.</returns>
     public IActionResult GetGroupMessages([FromBody] GetGroupMessagesRequestDto request)
     {
         var user = databaseService.GetUserFromToken(request.UserToken);
@@ -49,6 +59,11 @@ public IActionResult GetGroupMessages([FromBody] GetGroupMessagesRequestDto requ
         return Ok(response);
     }
 
+    /// <summary>
+    ///     Retrieves messages for a group that were sent after the specified timestamp.
+    /// </summary>
+    /// <param name="request">Request containing group id, token and timestamp.</param>
+    /// <returns>List of messages sent since the provided date.</returns>
     public IActionResult GetGroupMessagesSince([FromBody] GetGroupMessagesSinceRequestDto request)
     {
         var user = databaseService.GetUserFromToken(request.UserToken);
diff --git a/src/Cryptie.Server/Features/ServerStatus/Services/ServerStatusService.cs b/src/Cryptie.Server/Features/ServerStatus/Services/ServerStatusService.cs
index c3173d0..e84c2f5 100644
--- a/src/Cryptie.Server/Features/ServerStatus/Services/ServerStatusService.cs
+++ b/src/Cryptie.Server/Features/ServerStatus/Services/ServerStatusService.cs
@@ -4,6 +4,10 @@ namespace Cryptie.Server.Features.ServerStatus.Services;
 
 public class ServerStatusService : ControllerBase, IServerStatusService
 {
+    /// <summary>
+    ///     Simple health-check endpoint.
+    /// </summary>
+    /// <returns><see cref="OkResult"/> when the server is running.</returns>
     public IActionResult GetServerStatus()
     {
         return Ok();
diff --git a/src/Cryptie.Server/Features/UserManagement/Services/UserManagementService.cs b/src/Cryptie.Server/Features/UserManagement/Services/UserManagementService.cs
index ea0615d..379f35c 100644
--- a/src/Cryptie.Server/Features/UserManagement/Services/UserManagementService.cs
+++ b/src/Cryptie.Server/Features/UserManagement/Services/UserManagementService.cs
@@ -6,6 +6,11 @@ namespace Cryptie.Server.Features.UserManagement.Services;
 
 public class UserManagementService(IDatabaseService databaseService) : ControllerBase, IUserManagementService
 {
+    /// <summary>
+    ///     Returns user GUID associated with a session token.
+    /// </summary>
+    /// <param name="userGuidFromTokenRequest">Request containing session token.</param>
+    /// <returns>User identifier on success.</returns>
     public IActionResult UserGuidFromToken([FromBody] UserGuidFromTokenRequestDto userGuidFromTokenRequest)
     {
         var user = databaseService.GetUserFromToken(userGuidFromTokenRequest.SessionToken);
@@ -17,6 +22,11 @@ public IActionResult UserGuidFromToken([FromBody] UserGuidFromTokenRequestDto us
         });
     }
 
+    /// <summary>
+    ///     Adds a user to the current user's friend list and creates a private group for them.
+    /// </summary>
+    /// <param name="addFriendRequest">Request containing friend login and encryption keys.</param>
+    /// <returns><see cref="OkResult"/> when the friend was added.</returns>
     public IActionResult AddFriend([FromBody] AddFriendRequestDto addFriendRequest)
     {
         var friend = databaseService.FindUserByLogin(addFriendRequest.Friend);
@@ -44,6 +54,11 @@ public IActionResult AddFriend([FromBody] AddFriendRequestDto addFriendRequest)
         return Ok();
     }
 
+    /// <summary>
+    ///     Retrieves the display name of a user by their GUID.
+    /// </summary>
+    /// <param name="nameFromGuidRequest">Request with the user's id.</param>
+    /// <returns>Display name of the user.</returns>
     public IActionResult NameFromGuid([FromBody] NameFromGuidRequestDto nameFromGuidRequest)
     {
         var user = databaseService.FindUserById(nameFromGuidRequest.Id);
@@ -55,6 +70,11 @@ public IActionResult NameFromGuid([FromBody] NameFromGuidRequestDto nameFromGuid
         });
     }
 
+    /// <summary>
+    ///     Returns identifiers of groups the user belongs to.
+    /// </summary>
+    /// <param name="userGroupsRequest">Request containing session token.</param>
+    /// <returns>List of group identifiers.</returns>
     public IActionResult UserGroups([FromBody] UserGroupsRequestDto userGroupsRequest)
     {
         var user = databaseService.GetUserFromToken(userGroupsRequest.SessionToken);
@@ -68,6 +88,11 @@ public IActionResult UserGroups([FromBody] UserGroupsRequestDto userGroupsReques
         });
     }
 
+    /// <summary>
+    ///     Changes the display name of the authenticated user.
+    /// </summary>
+    /// <param name="userDisplayNameRequest">Request containing token and new name.</param>
+    /// <returns><see cref="OkResult"/> when the change was applied.</returns>
     public IActionResult UserDisplayName([FromBody] UserDisplayNameRequestDto userDisplayNameRequest)
     {
         var user = databaseService.GetUserFromToken(userDisplayNameRequest.Token);
@@ -78,6 +103,11 @@ public IActionResult UserDisplayName([FromBody] UserDisplayNameRequestDto userDi
         return Ok();
     }
 
+    /// <summary>
+    ///     Returns the user's private key used for end-to-end encryption.
+    /// </summary>
+    /// <param name="userPrivateKeyRequest">Request containing session token.</param>
+    /// <returns>Private key and associated control value.</returns>
     public IActionResult UserPrivateKey([FromBody] UserPrivateKeyRequestDto userPrivateKeyRequest)
     {
         var user = databaseService.GetUserFromToken(userPrivateKeyRequest.SessionToken);
@@ -90,6 +120,11 @@ public IActionResult UserPrivateKey([FromBody] UserPrivateKeyRequestDto userPriv
         });
     }
 
+    /// <summary>
+    ///     Retrieves the unique identifier of a user from their login name.
+    /// </summary>
+    /// <param name="guidFromLoginRequest">Request containing user login.</param>
+    /// <returns>User identifier when found.</returns>
     public IActionResult GuidFromLogin([FromBody] GuidFromLoginRequestDto guidFromLoginRequest)
     {
         var user = databaseService.FindUserByLogin(guidFromLoginRequest.Login);
diff --git a/src/Cryptie.Server/Services/DatabaseService.cs b/src/Cryptie.Server/Services/DatabaseService.cs
index 05a06fe..720ecb4 100644
--- a/src/Cryptie.Server/Services/DatabaseService.cs
+++ b/src/Cryptie.Server/Services/DatabaseService.cs
@@ -6,6 +6,11 @@ namespace Cryptie.Server.Services;
 
 public class DatabaseService(IAppDbContext appDbContext) : IDatabaseService
 {
+    /// <summary>
+    ///     Retrieves a user entity from a session token.
+    /// </summary>
+    /// <param name="guid">Token identifier.</param>
+    /// <returns>User entity or <c>null</c> when not found.</returns>
     public User? GetUserFromToken(Guid guid)
     {
         return appDbContext.UserTokens
@@ -17,18 +22,33 @@ public class DatabaseService(IAppDbContext appDbContext) : IDatabaseService
             .User;
     }
 
+    /// <summary>
+    ///     Finds a user by its unique identifier.
+    /// </summary>
+    /// <param name="id">User identifier.</param>
+    /// <returns>User entity or <c>null</c>.</returns>
     public User? FindUserById(Guid id)
     {
         var user = appDbContext.Users.Find(id);
         return user;
     }
 
+    /// <summary>
+    ///     Locates a user by login name.
+    /// </summary>
+    /// <param name="login">Login name.</param>
+    /// <returns>User entity or <c>null</c>.</returns>
     public User? FindUserByLogin(string login)
     {
         var user = appDbContext.Users.FirstOrDefault(u => u.Login == login);
         return user;
     }
 
+    /// <summary>
+    ///     Retrieves a group by its identifier including member list.
+    /// </summary>
+    /// <param name="id">Group identifier.</param>
+    /// <returns>Group entity or <c>null</c>.</returns>
     public Group? FindGroupById(Guid id)
     {
         return appDbContext.Groups
@@ -36,6 +56,12 @@ public class DatabaseService(IAppDbContext appDbContext) : IDatabaseService
             .SingleOrDefault(g => g.Id == id);
     }
 
+    /// <summary>
+    ///     Creates a new group and assigns the specified user as a member.
+    /// </summary>
+    /// <param name="user">Initial member.</param>
+    /// <param name="name">Name of the group.</param>
+    /// <returns>The newly created group.</returns>
     public Group CreateNewGroup(User user, string name)
     {
         var newGroup = new Group
@@ -51,6 +77,11 @@ public Group CreateNewGroup(User user, string name)
         return createdGroup.Entity;
     }
 
+    /// <summary>
+    ///     Adds an existing user to an existing group.
+    /// </summary>
+    /// <param name="user">User identifier.</param>
+    /// <param name="group">Group identifier.</param>
     public void AddUserToGroup(Guid user, Guid group)
     {
         var userToAdd = appDbContext.Users.SingleOrDefault(u => u.Id == user);
@@ -59,6 +90,11 @@ public void AddUserToGroup(Guid user, Guid group)
         appDbContext.SaveChanges();
     }
 
+    /// <summary>
+    ///     Removes a user from a group.
+    /// </summary>
+    /// <param name="user">User identifier.</param>
+    /// <param name="group">Group identifier.</param>
     public void RemoveUserFromGroup(Guid user, Guid group)
     {
         var userToRemove = appDbContext.Users.SingleOrDefault(u => u.Id == user);
@@ -67,6 +103,11 @@ public void RemoveUserFromGroup(Guid user, Guid group)
         appDbContext.SaveChanges();
     }
 
+    /// <summary>
+    ///     Deletes a group from the database.
+    /// </summary>
+    /// <param name="groupGuid">Group identifier.</param>
+    /// <returns><c>true</c> if removed; otherwise <c>false</c>.</returns>
     public bool DeleteGroup(Guid groupGuid)
     {
         var group = appDbContext.Groups.SingleOrDefault(g => g.Id == groupGuid);
@@ -76,6 +117,12 @@ public bool DeleteGroup(Guid groupGuid)
         return true;
     }
 
+    /// <summary>
+    ///     Changes the name of a group.
+    /// </summary>
+    /// <param name="groupGuid">Group identifier.</param>
+    /// <param name="name">New name.</param>
+    /// <returns><c>true</c> if the group exists and was updated.</returns>
     public bool ChangeGroupName(Guid groupGuid, string name)
     {
         var group = appDbContext.Groups.SingleOrDefault(g => g.Id == groupGuid);
@@ -87,6 +134,11 @@ public bool ChangeGroupName(Guid groupGuid, string name)
         return true;
     }
 
+    /// <summary>
+    ///     Creates a TOTP token entity for the user.
+    /// </summary>
+    /// <param name="user">User to associate the token with.</param>
+    /// <returns>Identifier of the created token.</returns>
     public Guid CreateTotpToken(User user)
     {
         var totpToken = appDbContext.TotpTokens.Add(new TotpToken
@@ -101,6 +153,10 @@ public Guid CreateTotpToken(User user)
         return totpToken.Entity.Id;
     }
 
+    /// <summary>
+    ///     Logs a failed login attempt for a real user.
+    /// </summary>
+    /// <param name="user">User entity.</param>
     public void LogLoginAttempt(User user)
     {
         appDbContext.UserLoginAttempts.Add(new UserLoginAttempt
@@ -113,6 +169,10 @@ public void LogLoginAttempt(User user)
         appDbContext.SaveChanges();
     }
 
+    /// <summary>
+    ///     Logs a failed login attempt for a honeypot account.
+    /// </summary>
+    /// <param name="user">Honeypot login name.</param>
     public void LogLoginAttempt(string user)
     {
         appDbContext.HoneypotLoginAttempts.Add(new HoneypotLoginAttempt
@@ -125,6 +185,11 @@ public void LogLoginAttempt(string user)
         appDbContext.SaveChanges();
     }
 
+    /// <summary>
+    ///     Generates and persists a new session token for the user.
+    /// </summary>
+    /// <param name="user">User entity.</param>
+    /// <returns>Identifier of the new token.</returns>
     public Guid GenerateUserToken(User user)
     {
         var token = appDbContext.UserTokens.Add(new UserToken
@@ -138,12 +203,23 @@ public Guid GenerateUserToken(User user)
         return token.Entity.Id;
     }
 
+    /// <summary>
+    ///     Adds a friend relationship between two users.
+    /// </summary>
+    /// <param name="user">User initiating the friendship.</param>
+    /// <param name="friend">Friend user.</param>
     public void AddFriend(User user, User friend)
     {
         user.Friends.Add(friend);
         appDbContext.SaveChanges();
     }
 
+    /// <summary>
+    ///     Creates a new group without assigning members.
+    /// </summary>
+    /// <param name="name">Name of the group.</param>
+    /// <param name="isPrivate">Whether the group is private.</param>
+    /// <returns>The created group.</returns>
     public Group CreateGroup(string name, bool isPrivate = false)
     {
         var group = appDbContext.Groups.Add(new Group
@@ -157,6 +233,11 @@ public Group CreateGroup(string name, bool isPrivate = false)
         return group.Entity;
     }
 
+    /// <summary>
+    ///     Updates the display name of the specified user.
+    /// </summary>
+    /// <param name="user">User entity.</param>
+    /// <param name="name">New display name.</param>
     public void ChangeUserDisplayName(User user, string name)
     {
         user.DisplayName = name;
@@ -164,6 +245,11 @@ public void ChangeUserDisplayName(User user, string name)
         appDbContext.SaveChanges();
     }
 
+    /// <summary>
+    ///     Retrieves stored public key of a user.
+    /// </summary>
+    /// <param name="userId">User identifier.</param>
+    /// <returns>Public key string or empty when not found.</returns>
     public string GetUserPublicKey(Guid userId)
     {
         var user = appDbContext.Users
@@ -173,6 +259,12 @@ public string GetUserPublicKey(Guid userId)
         return user?.PublicKey ?? string.Empty;
     }
 
+    /// <summary>
+    ///     Stores new key pair for the user.
+    /// </summary>
+    /// <param name="user">User entity.</param>
+    /// <param name="privateKey">Private key string.</param>
+    /// <param name="publicKey">Public key string.</param>
     public void SaveUserKeys(User user, string privateKey, string publicKey)
     {
         user.PrivateKey = privateKey;
@@ -181,6 +273,13 @@ public void SaveUserKeys(User user, string privateKey, string publicKey)
         appDbContext.SaveChanges();
     }
 
+    /// <summary>
+    ///     Persists a new message in the specified group.
+    /// </summary>
+    /// <param name="group">Target group.</param>
+    /// <param name="sender">Sender user.</param>
+    /// <param name="message">Message content.</param>
+    /// <returns>The created <see cref="GroupMessage"/> entity.</returns>
     public GroupMessage SendGroupMessage(Group group, User sender, string message)
     {
         var groupMessage = new GroupMessage
@@ -198,6 +297,12 @@ public GroupMessage SendGroupMessage(Group group, User sender, string message)
         return groupMessage;
     }
 
+    /// <summary>
+    ///     Retrieves a single message by id from a group.
+    /// </summary>
+    /// <param name="messageId">Message identifier.</param>
+    /// <param name="groupId">Group identifier.</param>
+    /// <returns>Message entity or <c>null</c>.</returns>
     public GroupMessage? GetGroupMessage(Guid messageId, Guid groupId)
     {
         return appDbContext.GroupMessages
@@ -207,6 +312,11 @@ public GroupMessage SendGroupMessage(Group group, User sender, string message)
             .FirstOrDefault(m => m.Id == messageId && m.GroupId == groupId);
     }
 
+    /// <summary>
+    ///     Retrieves all messages for the specified group ordered by date.
+    /// </summary>
+    /// <param name="groupId">Group identifier.</param>
+    /// <returns>List of messages.</returns>
     public List<GroupMessage> GetGroupMessages(Guid groupId)
     {
         return appDbContext.GroupMessages
@@ -216,6 +326,12 @@ public List<GroupMessage> GetGroupMessages(Guid groupId)
             .ToList();
     }
 
+    /// <summary>
+    ///     Retrieves all messages for a group after the specified timestamp.
+    /// </summary>
+    /// <param name="groupId">Group identifier.</param>
+    /// <param name="since">Earliest timestamp.</param>
+    /// <returns>List of messages.</returns>
     public List<GroupMessage> GetGroupMessagesSince(Guid groupId, DateTime since)
     {
         return appDbContext.GroupMessages
@@ -225,6 +341,12 @@ public List<GroupMessage> GetGroupMessagesSince(Guid groupId, DateTime since)
             .ToList();
     }
 
+    /// <summary>
+    ///     Adds an AES encryption key for a user-group pair.
+    /// </summary>
+    /// <param name="userId">User identifier.</param>
+    /// <param name="groupId">Group identifier.</param>
+    /// <param name="key">Encryption key.</param>
     public void AddGroupEncryptionKey(Guid userId, Guid groupId, string key)
     {
         var user = appDbContext.Users
@@ -250,6 +372,12 @@ public void AddGroupEncryptionKey(Guid userId, Guid groupId, string key)
         appDbContext.SaveChanges();
     }
 
+    /// <summary>
+    ///     Retrieves the AES encryption key for a user-group pair.
+    /// </summary>
+    /// <param name="userId">User identifier.</param>
+    /// <param name="groupId">Group identifier.</param>
+    /// <returns>Encryption key string or empty when not set.</returns>
     public string getGroupEncryptionKey(Guid userId, Guid groupId)
     {
         var key = appDbContext.GroupEncryptionKeys