diff --git a/src/controllers/04-institution-controller.ts b/src/controllers/04-institution-controller.ts
index 06522a5..202a443 100644
--- a/src/controllers/04-institution-controller.ts
+++ b/src/controllers/04-institution-controller.ts
@@ -4,11 +4,13 @@ import {
   Controller,
   Delete,
   Get,
+  Head,
   OperationId,
   Path,
   Post,
   Put,
   Query,
+  Request,
   Route,
   Security,
   Tags,
@@ -16,6 +18,10 @@ import {
 import prisma from "../db";
 import { notFoundError } from "../utils/error";
 import { queryOrNot } from "../utils/relation";
+import { RequestWithUser } from "../interfaces/user";
+import { deleteFile, fileLocation, getFile, getPresigned, listFile, setFile } from "../utils/minio";
+import HttpError from "../interfaces/http-error";
+import HttpStatus from "../interfaces/http-status";
 
 type InstitutionPayload = {
   name: string;
@@ -138,3 +144,107 @@ export class InstitutionController extends Controller {
     });
   }
 }
+
+@Route("api/v1/institution/{institutionId}")
+@Tags("Institution")
+export class InstitutionFileController extends Controller {
+  private async checkPermission(_user: RequestWithUser["user"], id: string) {
+    const data = await prisma.institution.findUnique({
+      where: { id },
+    });
+    if (!data) throw notFoundError("Institution");
+  }
+
+  @Get("image")
+  @Security("keycloak")
+  async listImage(@Request() req: RequestWithUser, @Path() institutionId: string) {
+    await this.checkPermission(req.user, institutionId);
+    return await listFile(fileLocation.institution.img(institutionId));
+  }
+
+  @Get("image/{name}")
+  async getImage(
+    @Request() req: RequestWithUser,
+    @Path() institutionId: string,
+    @Path() name: string,
+  ) {
+    return req.res?.redirect(await getFile(fileLocation.institution.img(institutionId, name)));
+  }
+
+  @Head("image/{name}")
+  async headImage(
+    @Request() req: RequestWithUser,
+    @Path() institutionId: string,
+    @Path() name: string,
+  ) {
+    return req.res?.redirect(
+      await getPresigned("head", fileLocation.institution.img(institutionId, name)),
+    );
+  }
+
+  @Put("image/{name}")
+  @Security("keycloak")
+  async putImage(
+    @Request() req: RequestWithUser,
+    @Path() institutionId: string,
+    @Path() name: string,
+  ) {
+    if (!req.headers["content-type"]?.startsWith("image/")) {
+      throw new HttpError(HttpStatus.BAD_REQUEST, "Not a valid image.", "notValidImage");
+    }
+    await this.checkPermission(req.user, institutionId);
+    return req.res?.redirect(await setFile(fileLocation.institution.img(institutionId, name)));
+  }
+
+  @Delete("image/{name}")
+  @Security("keycloak")
+  async delImage(
+    @Request() req: RequestWithUser,
+    @Path() institutionId: string,
+    @Path() name: string,
+  ) {
+    await this.checkPermission(req.user, institutionId);
+    return await deleteFile(fileLocation.institution.img(institutionId, name));
+  }
+
+  @Get("attachment")
+  @Security("keycloak")
+  async listAttachment(@Request() req: RequestWithUser, @Path() institutionId: string) {
+    await this.checkPermission(req.user, institutionId);
+    return await listFile(fileLocation.institution.attachment(institutionId));
+  }
+
+  @Get("attachment/{name}")
+  @Security("keycloak")
+  async getAttachment(@Path() institutionId: string, @Path() name: string) {
+    return await getFile(fileLocation.institution.attachment(institutionId, name));
+  }
+
+  @Head("attachment/{name}")
+  @Security("keycloak")
+  async headAttachment(@Path() institutionId: string, @Path() name: string) {
+    return await getPresigned("head", fileLocation.institution.attachment(institutionId, name));
+  }
+
+  @Put("attachment/{name}")
+  @Security("keycloak")
+  async putAttachment(
+    @Request() req: RequestWithUser,
+    @Path() institutionId: string,
+    @Path() name: string,
+  ) {
+    await this.checkPermission(req.user, institutionId);
+    return await setFile(fileLocation.institution.attachment(institutionId, name));
+  }
+
+  @Delete("attachment/{name}")
+  @Security("keycloak")
+  async delAttachment(
+    @Request() req: RequestWithUser,
+    @Path() institutionId: string,
+    @Path() name: string,
+  ) {
+    await this.checkPermission(req.user, institutionId);
+    return await deleteFile(fileLocation.institution.attachment(institutionId, name));
+  }
+}
diff --git a/src/utils/minio.ts b/src/utils/minio.ts
index d582277..e54d4f3 100644
--- a/src/utils/minio.ts
+++ b/src/utils/minio.ts
@@ -104,4 +104,9 @@ export const fileLocation = {
     attachment: (requestId: string, name?: string) =>
       `request/attachment-${requestId}/${name || ""}`,
   },
+  institution: {
+    attachment: (institutionId: string, name?: string) =>
+      `institution/attachment-${institutionId}/${name || ""}`,
+    img: (institutionId: string, name?: string) => `institution/img-${institutionId}/${name}`,
+  },
 };