SecPal · kevalyq · Nov 23, 2025 · Nov 23, 2025 · Nov 23, 2025 · Nov 23, 2025
diff --git a/.preflight-allow-large-pr b/.preflight-allow-large-pr
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -14,6 +14,21 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ### Added
 
+- **httpOnly Cookie Authentication Tests & Documentation** (#208)
+  - Comprehensive test suite in `tests/Feature/Auth/SanctumCookieAuthTest.php`
+  - 14 integration tests covering Sanctum authentication configuration
+  - Tests verify session cookie configuration (httpOnly, secure, sameSite=lax)
+  - Tests cover login flow, Bearer token logout, authenticated requests via actingAs(), and personal access token management
+  - Tests validate both SPA (cookie) and API client (Bearer token) authentication modes
+  - Complete API documentation in `docs/api/authentication.md`
+  - Detailed httpOnly cookie authentication flow with step-by-step examples
+  - CSRF token handling guide with JavaScript examples
+  - Migration guide from localStorage to httpOnly cookies
+  - Security recommendations for SPA and API client developers
+  - Production deployment checklist for secure cookie configuration
+  - Part of Epic: httpOnly Cookie Authentication Migration (frontend#208)
+  - Closes: #208
+
 - **httpOnly Cookie Authentication** (#210)
   - Configured Laravel Sanctum for httpOnly cookie-based SPA authentication
   - Session cookies configured with `httpOnly=true`, `sameSite=lax` for CSRF protection

diff --git a/README.md b/README.md
@@ -27,6 +27,33 @@ SecPal API is the backend service for the SecPal platform, built with Laravel 12
 
 ## Key Features
 
+### 🔐 Authentication (Laravel Sanctum)
+
+SecPal uses **Laravel Sanctum** with dual authentication modes:
+
+1. **httpOnly Cookie Authentication (SPA Mode)** - Recommended for browser-based SPAs
+   - XSS-resistant with httpOnly cookies
+   - CSRF protection via Laravel's built-in middleware
+   - Session-based authentication for React PWA
+
+2. **Bearer Token Authentication** - For API clients
+   - Personal Access Tokens (PAT) for mobile apps
+   - Token-based authentication for CLI tools and integrations
+
+**Quick Start:**
+
+```bash
+# SPA: Get CSRF token, then login
+GET /sanctum/csrf-cookie
+POST /v1/auth/token { "email": "...", "password": "..." }
+
+# API Clients: Get Bearer token
+POST /v1/auth/token { "email": "...", "password": "...", "device_name": "mobile" }
+# Use: Authorization: Bearer {token}
+```
+
+**Documentation:** [Authentication API Guide](docs/api/authentication.md)
+
 ### 🔐 Role-Based Access Control (RBAC)
 
 Comprehensive RBAC system with temporal role assignments and direct permission management.