diff --git a/tests/main_test.go b/tests/main_test.go
index e521649..49e24e3 100644
--- a/tests/main_test.go
+++ b/tests/main_test.go
@@ -19,6 +19,7 @@ var validTokenForDelete = os.Getenv("VALID_JWT_TOKEN_FOR_DELETE")
 var validAdminToken = os.Getenv("VALID_ADMIN_JWT_TOKEN")
 var existingUserIDToken = os.Getenv("EXISTING_USER_ID_JWT_TOKEN")
+var userIDForDelete = os.Getenv("USER_ID_FOR_DELETE")
 var existingUserID = os.Getenv("EXISTING_USER_ID")
 var testUserID = os.Getenv("TEST_USER_ID")
 var sqlInjectionInput = "'; DROP TABLE accounts; --"
@@ -715,7 +716,7 @@ func deleteAccountByUserIDRequest(token string, body interface{}) (*http.Respons
 }
 func TestDeleteAccountByUserID_Success(t *testing.T) {
- resp, err := deleteAccountByUserIDRequest(validAdminToken, map[string]string{"userId": testUserID})
+ resp, err := deleteAccountByUserIDRequest(validAdminToken, map[string]string{"userId": userIDForDelete})
 assert.NoError(t, err)
 assert.Equal(t, http.StatusOK, resp.StatusCode)
 assert.Equal(t, "application/json", resp.Header.Get("Content-Type"))
@@ -728,7 +729,7 @@ func TestDeleteAccountByUserID_Success(t *testing.T) {
 func TestDeleteAccountByUserID_Auth(t *testing.T) {
 t.Run("NoToken", func(t *testing.T) {
- req, err := http.NewRequest("DELETE", baseURL+"/account/"+testUserID, nil)
+ req, err := http.NewRequest("DELETE", baseURL+"/account/"+userIDForDelete, nil)
 assert.NoError(t, err)
 resp, err := http.DefaultClient.Do(req)
 assert.NoError(t, err)
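Review bot: TestDeleteAccountByUserID_Success now destroys the account behind USER_ID_FOR_DELETE, so the test can pass only on a run where that account still exists, and the NoToken, InvalidToken and ExpiredToken subtests in the two following hunks then exercise an already-deleted id (they still expect 401, which holds only if the handler authenticates before it looks the account up — presumably the case, but not visible here). Either create the throwaway account inside the test before issuing the DELETE, or record the contract next to the new variable: `// USER_ID_FOR_DELETE: an account seeded fresh for every run; TestDeleteAccountByUserID_Success deletes it.` Separately, none of these subtests sends a valid non-admin token, so a missing role check on DELETE /account/{id} would go unnoticed; `existingUserIDToken` from the first hunk looks like a candidate if it is indeed a non-admin token, with 403 expected. The body of TestDeleteAccountByUserID_Auth continues outside the hunk.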
@@ -736,13 +737,13 @@ func TestDeleteAccountByUserID_Auth(t *testing.T) {
 })
 t.Run("InvalidToken", func(t *testing.T) {
- resp, err := deleteAccountByUserIDRequest("invalid_token", map[string]string{"userId": testUserID})
+ resp, err := deleteAccountByUserIDRequest("invalid_token", map[string]string{"userId": userIDForDelete})
 assert.NoError(t, err)
 assert.Equal(t, http.StatusUnauthorized, resp.StatusCode)
 })
 t.Run("ExpiredToken", func(t *testing.T) {
- resp, err := deleteAccountByUserIDRequest(expiredToken, map[string]string{"userId": testUserID})
+ resp, err := deleteAccountByUserIDRequest(expiredToken, map[string]string{"userId": userIDForDelete})
 assert.NoError(t, err)
 assert.Equal(t, http.StatusUnauthorized, resp.StatusCode)
 })
@@ -783,3 +784,101 @@ func TestDeleteAccountByUserID_SQLInjection_XSS(t *testing.T) {
 }
 // todo 6.3.7 6.3.8 6.3.9 6.4
+
+func manualDoneRequest(token string, body map[string]string) (*http.Response, error) {
+ payload, err := json.Marshal(body)
+ if err != nil {
+ return nil, err
+ }
+ req, err := http.NewRequest("POST", baseURL+"/account/manualdone", bytes.NewReader(payload))
+ if err != nil {
+ return nil, err
+ }
+ req.Header.Set("Authorization", "Bearer "+token)
+ req.Header.Set("Content-Type", "application/json")
+ return http.DefaultClient.Do(req)
+}
+
+func TestManualDone_Success(t *testing.T) {
+ resp, err := manualDoneRequest(validAdminToken, map[string]string{"id": testUserID})
+ assert.NoError(t, err)
+ assert.Equal(t, http.StatusOK, resp.StatusCode)
+ assert.Equal(t, "application/json", resp.Header.Get("Content-Type"))
+
+ var result map[string]interface{}
+ err = json.NewDecoder(resp.Body).Decode(&result)
+ assert.NoError(t, err)
+ assert.Equal(t, testUserID, result["id"])
+}
+
+func TestManualDone_Auth(t *testing.T) {
+ t.Run("NoToken", func(t *testing.T) {
+ payload, err := json.Marshal(map[string]string{"id": testUserID})
+ assert.NoError(t, err)
+
+ req, err := http.NewRequest("POST", baseURL+"/account/manualdone", bytes.NewReader(payload))
+ assert.NoError(t, err)
+ req.Header.Set("Content-Type", "application/json")
+
+ resp, err := http.DefaultClient.Do(req)
+ assert.NoError(t, err)
+ assert.Equal(t, http.StatusUnauthorized, resp.StatusCode)
+ })
+
+ t.Run("InvalidToken", func(t *testing.T) {
+ resp, err := manualDoneRequest("invalid_token", map[string]string{"id": testUserID})
+ assert.NoError(t, err)
+ assert.Equal(t, http.StatusUnauthorized, resp.StatusCode)
+ })
+
+ t.Run("ExpiredToken", func(t *testing.T) {
+ resp, err := manualDoneRequest(expiredToken, map[string]string{"id": testUserID})
+ assert.NoError(t, err)
+ assert.Equal(t, http.StatusUnauthorized, resp.StatusCode)
+ })
+}
+
+func TestManualDone_Validation(t *testing.T) {
+ t.Run("EmptyBody", func(t *testing.T) {
+ payload := []byte(`{}`)
+
+ req, err := http.NewRequest("POST", baseURL+"/account/manualdone", bytes.NewReader(payload))
+ assert.NoError(t, err)
+ req.Header.Set("Authorization", "Bearer "+validAdminToken)
+ req.Header.Set("Content-Type", "application/json")
+
+ resp, err := http.DefaultClient.Do(req)
+ assert.NoError(t, err)
+ assert.Equal(t, http.StatusBadRequest, resp.StatusCode)
+ })
+
+ t.Run("InvalidID", func(t *testing.T) {
+ resp, err := manualDoneRequest(validAdminToken, map[string]string{"id": "invalid_id"})
+ assert.NoError(t, err)
+ assert.Equal(t, http.StatusBadRequest, resp.StatusCode)
+ })
+
+ t.Run("NonExistentID", func(t *testing.T) {
+ resp, err := manualDoneRequest(validAdminToken, map[string]string{"id": "nonexistent_id"})
+ assert.NoError(t, err)
+ assert.Equal(t, http.StatusNotFound, resp.StatusCode)
+ })
+}
+
+// todo 7.3.4 7.3.5
+
+func TestManualDone_Security(t *testing.T) {
+ t.Run("SQLInjection", func(t *testing.T) {
+ resp, err := manualDoneRequest(validAdminToken, map[string]string{"id": "1' OR '1'='1"})
+ assert.NoError(t, err)
+ assert.Equal(t, http.StatusBadRequest, resp.StatusCode)
+ })
+
+ t.Run("XSSAttack", func(t *testing.T) {
+ resp, err := manualDoneRequest(validAdminToken, map[string]string{"id": ""})
+ assert.NoError(t, err)
+ assert.Equal(t, http.StatusBadRequest, resp.StatusCode)
+ })
+}
+
+// todo 7.3.7 7.3.8 7.3.9 7.4
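Review bot: Every subtest added here dereferences `resp` immediately after `assert.NoError(t, err)`, but testify's assert.NoError only records the failure and returns, so a transport error leaves `resp` nil and the next line panics instead of failing cleanly; at each call site use `if !assert.NoError(t, err) { return }` followed by `defer resp.Body.Close()`, which also releases the response bodies that are currently never closed. The "XSSAttack" subtest in TestManualDone_Security sends `"id": ""`, which is the empty-value case TestManualDone_Validation already covers rather than a markup payload, so either give it an actual markup string and assert the response does not echo it back unescaped, or rename it; the SQLInjection subtest could likewise reuse the file-level `sqlInjectionInput` from the first hunk instead of an inline literal. TestManualDone_Auth has no valid non-admin token case, so an endpoint that verifies the token but not the admin role would still pass. Finally, InvalidID (`"invalid_id"`, expects 400) and NonExistentID (`"nonexistent_id"`, expects 404) are both opaque strings, so both expectations can hold only if the id format accepts the second and rejects the first — worth confirming against the handler's validation.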