From 8ee58471b25b1d31a1579ee8a5f78e7a37092752 Mon Sep 17 00:00:00 2001
From: Flea Flicker <flea@groombook.dev>
Date: Sat, 23 May 2026 14:02:16 +0000
Subject: [PATCH] =?UTF-8?q?docs(UAT=5FPLAYBOOK):=20add=20TC-AUTH-5.3.4=20?=
 =?UTF-8?q?=E2=80=94=20SSO=20cookie=20after=20Authentik=20callback?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Documents the acceptance criteria for GRO-1592: after completing
Authentik SSO login without VITE_API_URL set, the
__Secure-better-auth.session_token cookie must be present in the
browser and sent with subsequent /api/* calls.

Updated: UAT_PLAYBOOK.md §5.3

Co-Authored-By: Paperclip <noreply@paperclip.ing>
---
 UAT_PLAYBOOK.md | 1 +
 1 file changed, 1 insertion(+)

diff --git a/UAT_PLAYBOOK.md b/UAT_PLAYBOOK.md
index 655c505..d70c9a2 100644
--- a/UAT_PLAYBOOK.md
+++ b/UAT_PLAYBOOK.md
@@ -69,6 +69,7 @@ export const { signIn, signOut, useSession, changePassword } = authClient;
 | TC-AUTH-5.3.1 | Auth client falls back to window.location.origin | Do not set `VITE_API_URL`, load app | Auth client uses `window.location.origin` as base URL |
 | TC-AUTH-5.3.2 | Sign-in on localhost | Load app without `VITE_API_URL` on localhost:3000 | Auth client uses `http://localhost:3000` as base URL |
 | TC-AUTH-5.3.3 | Sign-in on dev environment | Load app without `VITE_API_URL` on `https://dev.groombook.dev` | Auth client uses `https://dev.groombook.dev` as base URL |
+| TC-AUTH-5.3.4 | SSO cookie set after Authentik callback (GRO-1592) | Complete Authentik SSO login on UAT without `VITE_API_URL` set | `__Secure-better-auth.session_token` cookie is present in browser; subsequent `/api/*` calls include the cookie and return 200 |
 
 ### 5.4 Session Persistence