diff --git a/app/src/App.tsx b/app/src/App.tsx
index 146a829..1cc88fb 100644
--- a/app/src/App.tsx
+++ b/app/src/App.tsx
@@ -20,23 +20,25 @@ import { useAppStore } from './stores/app'
 import { useAuth } from './hooks/useAuth'
 import { useSSE } from './hooks/useSSE'
 import { useNetworkConfigStore, fetchNetworkConfig } from './lib/networkConfig'
+import { ToastProvider } from './providers/ToastProvider'
+import { AuthSyncProvider } from './providers/AuthSyncProvider'
 
 function AppShell() {
   const activeView = useAppStore((s) => s.activeView)
   const { token, isAdmin } = useAuth()
-  const { events } = useSSE(token)
+  const { events } = useSSE()
   const beta = useNetworkConfigStore((s) => s.config?.beta ?? false)
 
   const renderView = () => {
     switch (activeView) {
       case 'dashboard':
-        return <DashboardView events={events} token={token} />
+        return <DashboardView events={events} />
       case 'vault':
-        return <VaultView token={token} />
+        return <VaultView />
       case 'herald':
-        return isAdmin ? <HeraldView token={token} /> : <DashboardView events={events} token={token} />
+        return isAdmin ? <HeraldView token={token} /> : <DashboardView events={events} />
       case 'squad':
-        return isAdmin ? <SquadView token={token} /> : <DashboardView events={events} token={token} />
+        return isAdmin ? <SquadView token={token} /> : <DashboardView events={events} />
       case 'chat':
         return (
           <div className="lg:hidden h-full">
@@ -44,7 +46,7 @@ function AppShell() {
           </div>
         )
       default:
-        return <DashboardView events={events} token={token} />
+        return <DashboardView events={events} />
     }
   }
 
@@ -105,7 +107,11 @@ export default function App() {
     <ConnectionProvider endpoint={config.publicRpcUrl}>
       <WalletProvider wallets={wallets} autoConnect>
         <WalletModalProvider>
-          <AppShell />
+          <ToastProvider>
+            <AuthSyncProvider>
+              <AppShell />
+            </AuthSyncProvider>
+          </ToastProvider>
         </WalletModalProvider>
       </WalletProvider>
     </ConnectionProvider>
diff --git a/app/src/api/__tests__/auth.test.ts b/app/src/api/__tests__/auth.test.ts
new file mode 100644
index 0000000..102d516
--- /dev/null
+++ b/app/src/api/__tests__/auth.test.ts
@@ -0,0 +1,70 @@
+import { describe, it, expect, vi, beforeEach, afterEach } from 'vitest'
+import { requestNonce, verifySignature } from '../auth'
+
+describe('auth api client', () => {
+  const originalFetch = global.fetch
+
+  beforeEach(() => {
+    global.fetch = vi.fn() as unknown as typeof fetch
+  })
+
+  afterEach(() => {
+    global.fetch = originalFetch
+  })
+
+  describe('requestNonce', () => {
+    it('POSTs to /api/auth/nonce with wallet and returns nonce + message', async () => {
+      ;(global.fetch as unknown as ReturnType<typeof vi.fn>).mockResolvedValueOnce({
+        ok: true,
+        json: async () => ({ nonce: 'abc', message: 'sign this' }),
+      })
+
+      const result = await requestNonce('walletA')
+
+      expect(global.fetch).toHaveBeenCalledWith(
+        '/api/auth/nonce',
+        expect.objectContaining({
+          method: 'POST',
+          body: JSON.stringify({ wallet: 'walletA' }),
+          headers: expect.objectContaining({ 'Content-Type': 'application/json' }),
+        }),
+      )
+      expect(result).toEqual({ nonce: 'abc', message: 'sign this' })
+    })
+  })
+
+  describe('verifySignature', () => {
+    it('returns token, isAdmin, and expiresIn from server response', async () => {
+      ;(global.fetch as unknown as ReturnType<typeof vi.fn>).mockResolvedValueOnce({
+        ok: true,
+        json: async () => ({ token: 'tok', isAdmin: false, expiresIn: '24h' }),
+      })
+
+      const result = await verifySignature('walletA', 'nonce', 'sig')
+
+      expect(result).toEqual({ token: 'tok', isAdmin: false, expiresIn: '24h' })
+    })
+
+    it('preserves isAdmin true from server response', async () => {
+      ;(global.fetch as unknown as ReturnType<typeof vi.fn>).mockResolvedValueOnce({
+        ok: true,
+        json: async () => ({ token: 'tok', isAdmin: true, expiresIn: '1h' }),
+      })
+
+      const result = await verifySignature('walletA', 'nonce', 'sig')
+
+      expect(result.isAdmin).toBe(true)
+      expect(result.expiresIn).toBe('1h')
+    })
+
+    it('throws on non-OK response with structured error', async () => {
+      ;(global.fetch as unknown as ReturnType<typeof vi.fn>).mockResolvedValueOnce({
+        ok: false,
+        status: 401,
+        json: async () => ({ error: 'invalid signature' }),
+      })
+
+      await expect(verifySignature('walletA', 'nonce', 'sig')).rejects.toThrow(/invalid signature/)
+    })
+  })
+})
diff --git a/app/src/api/__tests__/client.test.ts b/app/src/api/__tests__/client.test.ts
new file mode 100644
index 0000000..30d4563
--- /dev/null
+++ b/app/src/api/__tests__/client.test.ts
@@ -0,0 +1,143 @@
+import { describe, it, expect, vi, beforeEach, afterEach } from 'vitest'
+import { apiFetch, registerAuthInterceptor } from '../client'
+
+describe('apiFetch', () => {
+  const originalFetch = global.fetch
+
+  beforeEach(() => {
+    global.fetch = vi.fn() as unknown as typeof fetch
+    registerAuthInterceptor(null)
+  })
+
+  afterEach(() => {
+    global.fetch = originalFetch
+    registerAuthInterceptor(null)
+  })
+
+  it('returns parsed json on 2xx', async () => {
+    ;(global.fetch as unknown as ReturnType<typeof vi.fn>).mockResolvedValueOnce({
+      ok: true,
+      status: 200,
+      json: async () => ({ hello: 'world' }),
+    })
+    const result = await apiFetch<{ hello: string }>('/test')
+    expect(result).toEqual({ hello: 'world' })
+  })
+
+  it('attaches Authorization header when token option provided', async () => {
+    ;(global.fetch as unknown as ReturnType<typeof vi.fn>).mockResolvedValueOnce({
+      ok: true,
+      status: 200,
+      json: async () => ({}),
+    })
+    await apiFetch('/test', { token: 'abc' })
+    const callArgs = (global.fetch as unknown as ReturnType<typeof vi.fn>).mock.calls[0][1]
+    expect(callArgs.headers).toMatchObject({ Authorization: 'Bearer abc' })
+  })
+
+  it('calls registered interceptor on 401', async () => {
+    const onUnauth = vi.fn()
+    registerAuthInterceptor(onUnauth)
+    ;(global.fetch as unknown as ReturnType<typeof vi.fn>).mockResolvedValueOnce({
+      ok: false,
+      status: 401,
+      json: async () => ({ error: { code: 'EXPIRED', message: 'expired' } }),
+    })
+
+    await expect(apiFetch('/test')).rejects.toThrow(/expired/)
+    expect(onUnauth).toHaveBeenCalledOnce()
+  })
+
+  it('does not call interceptor on non-401 errors', async () => {
+    const onUnauth = vi.fn()
+    registerAuthInterceptor(onUnauth)
+    ;(global.fetch as unknown as ReturnType<typeof vi.fn>).mockResolvedValueOnce({
+      ok: false,
+      status: 500,
+      json: async () => ({ error: 'server error' }),
+    })
+
+    await expect(apiFetch('/test')).rejects.toThrow(/server error/)
+    expect(onUnauth).not.toHaveBeenCalled()
+  })
+
+  it('does not call interceptor on 2xx', async () => {
+    const onUnauth = vi.fn()
+    registerAuthInterceptor(onUnauth)
+    ;(global.fetch as unknown as ReturnType<typeof vi.fn>).mockResolvedValueOnce({
+      ok: true,
+      status: 200,
+      json: async () => ({ ok: true }),
+    })
+    await apiFetch('/test')
+    expect(onUnauth).not.toHaveBeenCalled()
+  })
+
+  it('still throws on 401 even if interceptor throws', async () => {
+    registerAuthInterceptor(() => {
+      throw new Error('handler crashed')
+    })
+    ;(global.fetch as unknown as ReturnType<typeof vi.fn>).mockResolvedValueOnce({
+      ok: false,
+      status: 401,
+      json: async () => ({ error: 'expired' }),
+    })
+
+    await expect(apiFetch('/test')).rejects.toThrow(/expired/)
+  })
+
+  it('parses legacy string error shape on non-2xx', async () => {
+    ;(global.fetch as unknown as ReturnType<typeof vi.fn>).mockResolvedValueOnce({
+      ok: false,
+      status: 400,
+      json: async () => ({ error: 'bad request' }),
+    })
+    await expect(apiFetch('/test')).rejects.toThrow(/bad request/)
+  })
+
+  it('parses structured error envelope on non-2xx', async () => {
+    ;(global.fetch as unknown as ReturnType<typeof vi.fn>).mockResolvedValueOnce({
+      ok: false,
+      status: 400,
+      json: async () => ({ error: { code: 'X', message: 'detail' } }),
+    })
+    await expect(apiFetch('/test')).rejects.toThrow(/detail/)
+  })
+
+  it('falls back to status-based message when no body', async () => {
+    ;(global.fetch as unknown as ReturnType<typeof vi.fn>).mockResolvedValueOnce({
+      ok: false,
+      status: 503,
+      json: async () => {
+        throw new Error('not json')
+      },
+    })
+    await expect(apiFetch('/test')).rejects.toThrow(/503/)
+  })
+
+  it('returns undefined for 204 No Content without parsing body', async () => {
+    ;(global.fetch as unknown as ReturnType<typeof vi.fn>).mockResolvedValueOnce({
+      ok: true,
+      status: 204,
+      headers: new Headers(),
+      json: async () => {
+        throw new Error('should not be called')
+      },
+    })
+    const result = await apiFetch('/test', { method: 'POST' })
+    expect(result).toBeUndefined()
+  })
+
+  it('returns undefined for content-length: 0 without parsing body', async () => {
+    ;(global.fetch as unknown as ReturnType<typeof vi.fn>).mockResolvedValueOnce({
+      ok: true,
+      status: 200,
+      headers: new Headers({ 'content-length': '0' }),
+      json: async () => {
+        throw new Error('should not be called')
+      },
+    })
+    const result = await apiFetch('/test')
+    expect(result).toBeUndefined()
+  })
+})
diff --git a/app/src/api/__tests__/refresh.test.ts b/app/src/api/__tests__/refresh.test.ts
new file mode 100644
index 0000000..e163999
--- /dev/null
+++ b/app/src/api/__tests__/refresh.test.ts
@@ -0,0 +1,94 @@
+import { describe, it, expect, vi, beforeEach, afterEach } from 'vitest'
+import { refreshToken } from '../refresh'
+
+describe('refreshToken', () => {
+  const originalFetch = global.fetch
+
+  beforeEach(() => {
+    global.fetch = vi.fn() as unknown as typeof fetch
+  })
+
+  afterEach(() => {
+    global.fetch = originalFetch
+  })
+
+  it('POSTs to /api/auth/refresh with Bearer token and returns new token', async () => {
+    ;(global.fetch as unknown as ReturnType<typeof vi.fn>).mockResolvedValueOnce({
+      ok: true,
+      json: async () => ({ token: 'newtok', expiresIn: '24h' }),
+    })
+
+    const result = await refreshToken('oldtok')
+
+    expect(global.fetch).toHaveBeenCalledWith(
+      '/api/auth/refresh',
+      expect.objectContaining({
+        method: 'POST',
+        headers: { Authorization: 'Bearer oldtok' },
+      }),
+    )
+    expect(result).toEqual({ token: 'newtok', expiresIn: '24h' })
+  })
+
+  it('returns null on 425 (too early)', async () => {
+    ;(global.fetch as unknown as ReturnType<typeof vi.fn>).mockResolvedValueOnce({
+      ok: false,
+      status: 425,
+      json: async () => ({ error: { code: 'TOO_EARLY' } }),
+    })
+
+    const result = await refreshToken('oldtok')
+    expect(result).toBeNull()
+  })
+
+  it('returns null on 404 (endpoint not deployed yet)', async () => {
+    ;(global.fetch as unknown as ReturnType<typeof vi.fn>).mockResolvedValueOnce({
+      ok: false,
+      status: 404,
+      json: async () => ({}),
+    })
+
+    const result = await refreshToken('oldtok')
+    expect(result).toBeNull()
+  })
+
+  it('throws on 401 with structured error message', async () => {
+    ;(global.fetch as unknown as ReturnType<typeof vi.fn>).mockResolvedValueOnce({
+      ok: false,
+      status: 401,
+      json: async () => ({ error: { code: 'INVALID_TOKEN', message: 'Token invalid or expired' } }),
+    })
+
+    await expect(refreshToken('oldtok')).rejects.toThrow(/Token invalid or expired/)
+  })
+
+  it('throws on 401 with legacy string error', async () => {
+    ;(global.fetch as unknown as ReturnType<typeof vi.fn>).mockResolvedValueOnce({
+      ok: false,
+      status: 401,
+      json: async () => ({ error: 'unauthorized' }),
+    })
+
+    await expect(refreshToken('oldtok')).rejects.toThrow(/unauthorized/)
+  })
+
+  it('throws on 401 with no error body (default message)', async () => {
+    ;(global.fetch as unknown as ReturnType<typeof vi.fn>).mockResolvedValueOnce({
+      ok: false,
+      status: 401,
+      json: async () => ({}),
+    })
+
+    await expect(refreshToken('oldtok')).rejects.toThrow(/full re-sign required/)
+  })
+
+  it('throws on 5xx with status in message', async () => {
+    ;(global.fetch as unknown as ReturnType<typeof vi.fn>).mockResolvedValueOnce({
+      ok: false,
+      status: 503,
+      json: async () => ({}),
+    })
+
+    await expect(refreshToken('oldtok')).rejects.toThrow(/503/)
+  })
+})
diff --git a/app/src/api/__tests__/sse.test.ts b/app/src/api/__tests__/sse.test.ts
new file mode 100644
index 0000000..77a1132
--- /dev/null
+++ b/app/src/api/__tests__/sse.test.ts
@@ -0,0 +1,34 @@
+import { describe, it, expect } from 'vitest'
+import { pickSseUrl } from '../sse'
+
+const TOKEN = 'jwt-token-with/special=chars'
+const TICKET = 'ticket-abc'
+const BASE = 'http://localhost:3000'
+
+describe('pickSseUrl', () => {
+  it('uses the ticket query param when ticket is present (any environment)', () => {
+    const url = pickSseUrl(TOKEN, TICKET, BASE, false)
+    expect(url).toBe(`${BASE}/api/stream?ticket=${encodeURIComponent(TICKET)}`)
+  })
+
+  it('uses the ticket even when isDev is true (ticket always wins)', () => {
+    const url = pickSseUrl(TOKEN, TICKET, BASE, true)
+    expect(url).toBe(`${BASE}/api/stream?ticket=${encodeURIComponent(TICKET)}`)
+  })
+
+  it('falls back to ?token= URL in DEV when ticket exchange returns null', () => {
+    const url = pickSseUrl(TOKEN, null, BASE, true)
+    expect(url).toBe(`${BASE}/api/stream?token=${encodeURIComponent(TOKEN)}`)
+  })
+
+  it('throws in production when ticket is null', () => {
+    expect(() => pickSseUrl(TOKEN, null, BASE, false)).toThrow(
+      /JWT-in-URL fallback is disabled in production/i,
+    )
+  })
+
+  it('encodes special characters in the ticket', () => {
+    const url = pickSseUrl(TOKEN, 'a/b=c&d', BASE, false)
+    expect(url).toBe(`${BASE}/api/stream?ticket=${encodeURIComponent('a/b=c&d')}`)
+  })
+})
diff --git a/app/src/api/auth.ts b/app/src/api/auth.ts
index 2e2bd0f..d4623cf 100644
--- a/app/src/api/auth.ts
+++ b/app/src/api/auth.ts
@@ -1,16 +1,41 @@
 import { apiFetch } from './client'
 
-export async function requestNonce(wallet: string): Promise<{ nonce: string; message: string }> {
+export interface NonceResponse {
+  nonce: string
+  message: string
+}
+
+export interface VerifyResponse {
+  token: string
+  expiresIn: string
+  isAdmin: boolean
+}
+
+export async function requestNonce(wallet: string): Promise<NonceResponse> {
   return apiFetch('/api/auth/nonce', { method: 'POST', body: JSON.stringify({ wallet }) })
 }
 
+export interface VerifyOptions {
+  /**
+   * Base64-encoded bytes of the message the wallet actually signed.
+   * Required for the SIWS path (the wallet signs a CAIP-122-style structured
+   * message that the server cannot reconstruct from `nonce` alone). When
+   * omitted, the server reconstructs its own message from `nonce` (legacy
+   * signMessage path).
+   */
+  signedMessage?: string
+}
+
 export async function verifySignature(
   wallet: string,
   nonce: string,
-  signature: string
-): Promise<{ token: string; expiresIn: string; isAdmin: boolean }> {
+  signature: string,
+  options: VerifyOptions = {}
+): Promise<VerifyResponse> {
+  const body: Record<string, string> = { wallet, nonce, signature }
+  if (options.signedMessage) body.signedMessage = options.signedMessage
   return apiFetch('/api/auth/verify', {
     method: 'POST',
-    body: JSON.stringify({ wallet, nonce, signature }),
+    body: JSON.stringify(body),
   })
 }
diff --git a/app/src/api/client.ts b/app/src/api/client.ts
index ffb619b..116cf66 100644
--- a/app/src/api/client.ts
+++ b/app/src/api/client.ts
@@ -1,5 +1,19 @@
 const BASE = import.meta.env.VITE_API_URL ?? ''
 
+type UnauthHandler = () => void
+
+let authInterceptor: UnauthHandler | null = null
+
+/**
+ * Register a single global handler invoked whenever apiFetch receives 401.
+ * Pass `null` to clear. AuthSyncProvider wires this up on mount and tears
+ * down on unmount, so callers across the app get a consistent re-auth UX
+ * (clearAuth + toast + Sign in CTA) without each fetch site reinventing it.
+ */
+export function registerAuthInterceptor(handler: UnauthHandler | null) {
+  authInterceptor = handler
+}
+
 export async function apiFetch<T>(
   path: string,
   options?: RequestInit & { token?: string }
@@ -13,9 +27,37 @@ export async function apiFetch<T>(
     ...fetchOpts,
     headers: { ...headers, ...(fetchOpts.headers as Record<string, string>) },
   })
+  if (res.status === 401) {
+    if (authInterceptor) {
+      try {
+        authInterceptor()
+      } catch {
+        // Never let an interceptor crash propagate up — auth-loss UX is
+        // best-effort. The original request still throws below.
+      }
+    }
+    const body = await res.json().catch(() => ({}))
+    const err = (body as { error?: { message?: string } | string }).error
+    if (typeof err === 'string') throw new Error(err)
+    if (err && typeof err === 'object' && typeof err.message === 'string') {
+      throw new Error(err.message)
+    }
+    throw new Error('Authentication required')
+  }
   if (!res.ok) {
     const body = await res.json().catch(() => ({}))
-    throw new Error((body as { error?: string }).error ?? `API error ${res.status}`)
+    const err = (body as { error?: { message?: string } | string }).error
+    if (typeof err === 'string') throw new Error(err)
+    if (err && typeof err === 'object' && typeof err.message === 'string') {
+      throw new Error(err.message)
+    }
+    throw new Error(`API error ${res.status}`)
+  }
+  // 204 No Content / explicitly empty bodies — there is nothing to parse and
+  // res.json() on an empty stream throws. Endpoints like promise-gate
+  // resolve/reject return 204 on success; callers ignore the return value.
+  if (res.status === 204 || res.headers?.get('content-length') === '0') {
+    return undefined as T
   }
   return res.json() as Promise<T>
 }
diff --git a/app/src/api/refresh.ts b/app/src/api/refresh.ts
new file mode 100644
index 0000000..d4b08cb
--- /dev/null
+++ b/app/src/api/refresh.ts
@@ -0,0 +1,33 @@
+const BASE = import.meta.env.VITE_API_URL ?? ''
+
+export interface RefreshResponse {
+  token: string
+  expiresIn: string
+}
+
+/**
+ * POST /api/auth/refresh.
+ * Returns { token, expiresIn } if refresh succeeded.
+ * Returns null if too early (server returns 425) or endpoint not deployed (404).
+ * Throws on 401 / 5xx / network errors.
+ */
+export async function refreshToken(currentToken: string): Promise<RefreshResponse | null> {
+  const res = await fetch(`${BASE}/api/auth/refresh`, {
+    method: 'POST',
+    headers: { Authorization: `Bearer ${currentToken}` },
+  })
+
+  if (res.ok) return res.json()
+  if (res.status === 425) return null
+  if (res.status === 404) return null
+  if (res.status === 401) {
+    const err = await res.json().catch(() => ({}))
+    const message = (err as { error?: { message?: string } | string }).error
+    if (typeof message === 'string') throw new Error(message)
+    if (message && typeof message === 'object' && typeof message.message === 'string') {
+      throw new Error(message.message)
+    }
+    throw new Error('Token invalid; full re-sign required')
+  }
+  throw new Error(`Refresh failed: ${res.status}`)
+}
diff --git a/app/src/api/sse.ts b/app/src/api/sse.ts
index 53aa308..1209ffc 100644
--- a/app/src/api/sse.ts
+++ b/app/src/api/sse.ts
@@ -4,7 +4,7 @@ const API_URL = import.meta.env.VITE_API_URL ?? ''
 
 /**
  * Exchange a JWT for a short-lived, one-time SSE ticket.
- * Falls back to null if the endpoint is unavailable (legacy server).
+ * Returns null if the endpoint is unavailable (legacy server) or rejects.
  */
 async function fetchSseTicket(jwt: string): Promise<string | null> {
   try {
@@ -24,20 +24,32 @@ async function fetchSseTicket(jwt: string): Promise<string | null> {
 }
 
 /**
- * Create an SSE EventSource using a short-lived ticket (preferred)
- * or falling back to raw JWT query param (legacy).
+ * Pure URL-picker for the SSE stream. Production must never put the raw
+ * JWT in a URL — query params leak into browser history, server access
+ * logs, and Referer headers. DEV keeps the JWT-in-URL fallback as a
+ * convenience for local development against an old server build that
+ * doesn't expose /api/auth/sse-ticket yet.
  */
+export function pickSseUrl(
+  token: string,
+  ticket: string | null,
+  baseUrl: string,
+  isDev: boolean,
+): string {
+  if (ticket) return `${baseUrl}/api/stream?ticket=${encodeURIComponent(ticket)}`
+  if (isDev) return `${baseUrl}/api/stream?token=${encodeURIComponent(token)}`
+  throw new Error(
+    'SSE ticket exchange failed; JWT-in-URL fallback is disabled in production builds',
+  )
+}
+
 export async function connectSSE(
   token: string,
   onEvent: SSEHandler,
-  onError?: (err: Event) => void
+  onError?: (err: Event) => void,
 ): Promise<EventSource> {
-  // Try ticket exchange first — keeps JWT out of URLs
   const ticket = await fetchSseTicket(token)
-
-  const url = ticket
-    ? `${API_URL}/api/stream?ticket=${encodeURIComponent(ticket)}`
-    : `${API_URL}/api/stream?token=${encodeURIComponent(token)}`
+  const url = pickSseUrl(token, ticket, API_URL, import.meta.env.DEV === true)
 
   const source = new EventSource(url)
   source.addEventListener('activity', onEvent)
diff --git a/app/src/components/BottomNav.tsx b/app/src/components/BottomNav.tsx
index fafe2f8..c56a566 100644
--- a/app/src/components/BottomNav.tsx
+++ b/app/src/components/BottomNav.tsx
@@ -1,5 +1,4 @@
 import { useState } from 'react'
-import { useWallet } from '@solana/wallet-adapter-react'
 import {
   ChartBar,
   Vault,
@@ -10,7 +9,8 @@ import {
   SignOut,
 } from '@phosphor-icons/react'
 import { useAppStore, type View } from '../stores/app'
-import { useIsAdmin } from '../hooks/useIsAdmin'
+import { useAuthState } from '../hooks/useAuthState'
+import { useToast } from '../providers/ToastProvider'
 
 interface TabDef {
   id: View
@@ -27,10 +27,16 @@ const TABS: TabDef[] = [
 export default function BottomNav() {
   const activeView = useAppStore((s) => s.activeView)
   const setActiveView = useAppStore((s) => s.setActiveView)
-  const isAdmin = useIsAdmin()
-  const { disconnect } = useWallet()
+  const { isAdmin, disconnect } = useAuthState()
+  const { show: showToast } = useToast()
   const [moreOpen, setMoreOpen] = useState(false)
 
+  const handleDisconnect = async () => {
+    setMoreOpen(false)
+    await disconnect()
+    showToast({ message: 'Disconnected', kind: 'info', durationMs: 3000 })
+  }
+
   return (
     <>
       <nav className="flex md:hidden border-t border-border bg-bg pb-[env(safe-area-inset-bottom)]">
@@ -98,10 +104,7 @@ export default function BottomNav() {
                 </>
               )}
               <button
-                onClick={() => {
-                  disconnect()
-                  setMoreOpen(false)
-                }}
+                onClick={handleDisconnect}
                 className="flex items-center gap-3 px-3 py-3 rounded-lg text-red hover:bg-red/10 transition-colors"
               >
                 <SignOut size={20} />
diff --git a/app/src/components/ChatSidebar.tsx b/app/src/components/ChatSidebar.tsx
index b012828..0b14252 100644
--- a/app/src/components/ChatSidebar.tsx
+++ b/app/src/components/ChatSidebar.tsx
@@ -1,7 +1,10 @@
 import { useRef, useEffect, useState, useCallback } from 'react'
 import { PaperPlaneTilt, CircleNotch, Wrench } from '@phosphor-icons/react'
 import { useAppStore, type ChatMessage } from '../stores/app'
+import { useAuthState } from '../hooks/useAuthState'
+import { useToast } from '../providers/ToastProvider'
 import { sanitizeArgs } from '../lib/sanitize-args'
+import { isAuthError } from '../lib/auth-errors'
 import ToolTimeline from './ToolTimeline'
 import SentinelConfirm from './SentinelConfirm'
 
@@ -12,7 +15,8 @@ interface Props {
 }
 
 export default function ChatSidebar({ fullScreen }: Props) {
-  const token = useAppStore((s) => s.token)
+  const { token } = useAuthState()
+  const { show: showToast } = useToast()
   const messages = useAppStore((s) => s.messages)
   const chatLoading = useAppStore((s) => s.chatLoading)
   const addMessage = useAppStore((s) => s.addMessage)
@@ -114,14 +118,19 @@ export default function ChatSidebar({ fullScreen }: Props) {
         }
       }
     } catch (err) {
-      const msg = err instanceof Error ? err.message : 'Unknown error'
-      appendToLast(msg || 'Connection failed')
+      const msg = err instanceof Error ? err.message : 'Connection failed'
+      // 401-class errors flow through the global apiFetch interceptor's
+      // session-expired toast; suppress here so we don't double-notify or
+      // paint the raw token-error text into the assistant's bubble.
+      if (!isAuthError(msg)) {
+        showToast({ message: msg, kind: 'error', durationMs: 6000 })
+      }
     } finally {
       finishStreaming()
       setChatLoading(false)
       setActiveTool(null)
     }
-  }, [input, token, chatLoading, messages, addMessage, appendToLast, finishStreaming, setChatLoading, appendTool, completeTool])
+  }, [input, token, chatLoading, messages, addMessage, appendToLast, finishStreaming, setChatLoading, appendTool, completeTool, showToast])
 
   // Consume seedChat prompt on mount/change
   useEffect(() => {
@@ -157,7 +166,6 @@ export default function ChatSidebar({ fullScreen }: Props) {
                 <div className="max-w-[90%] w-full">
                   <SentinelConfirm
                     flagId={meta.flagId ?? ''}
-                    token={token}
                     action={meta.action ?? 'Action'}
                     amount={meta.amount ?? ''}
                     description={meta.description}
diff --git a/app/src/components/Header.tsx b/app/src/components/Header.tsx
index 8ef4a5f..d5e3d53 100644
--- a/app/src/components/Header.tsx
+++ b/app/src/components/Header.tsx
@@ -1,5 +1,3 @@
-import { useWallet } from '@solana/wallet-adapter-react'
-import { useWalletModal } from '@solana/wallet-adapter-react-ui'
 import {
   ChartBar,
   Vault,
@@ -8,9 +6,10 @@ import {
   ChatCircle,
 } from '@phosphor-icons/react'
 import { useAppStore, type View } from '../stores/app'
-import { useAuth } from '../hooks/useAuth'
+import { useAuthState } from '../hooks/useAuthState'
+import { useToast } from '../providers/ToastProvider'
 import AgentDot from './AgentDot'
-import { truncateAddress } from '../lib/format'
+import { WalletDropdown } from './WalletDropdown'
 import { useNetworkConfigStore } from '../lib/networkConfig'
 
 interface Tab {
@@ -30,9 +29,8 @@ const TABS: Tab[] = [
 ]
 
 export default function Header() {
-  const { publicKey, connected } = useWallet()
-  const { setVisible } = useWalletModal()
-  const { isAuthenticated, authenticate, isAdmin } = useAuth()
+  const { status, publicKey, authenticate, disconnect, isAdmin } = useAuthState()
+  const { show: showToast } = useToast()
   const activeView = useAppStore((s) => s.activeView)
   const setActiveView = useAppStore((s) => s.setActiveView)
   const network = useNetworkConfigStore((s) => s.config?.network ?? 'mainnet')
@@ -42,6 +40,24 @@ export default function Header() {
     return true
   })
 
+  const handleConnectOrSignIn = () => {
+    authenticate().catch((err: unknown) => {
+      const message = err instanceof Error ? err.message : 'Sign-in failed'
+      showToast({ message, kind: 'error' })
+    })
+  }
+
+  const handleCopy = async () => {
+    if (!publicKey) return
+    await navigator.clipboard.writeText(publicKey)
+    showToast({ message: 'Address copied', kind: 'success', durationMs: 3000 })
+  }
+
+  const handleDisconnect = async () => {
+    await disconnect()
+    showToast({ message: 'Disconnected', kind: 'info', durationMs: 3000 })
+  }
+
   return (
     <header className="hidden md:flex h-12 border-b border-border items-center justify-between px-4 bg-bg shrink-0 z-10">
       <div className="flex items-center gap-1">
@@ -81,23 +97,24 @@ export default function Header() {
           {network}
         </span>
 
-        {connected && publicKey ? (
+        {status === 'authed' && publicKey ? (
+          <WalletDropdown
+            address={publicKey}
+            onCopy={handleCopy}
+            onReSignIn={handleConnectOrSignIn}
+            onDisconnect={handleDisconnect}
+          />
+        ) : status === 'expired' ? (
           <button
-            onClick={isAuthenticated ? undefined : authenticate}
-            className="flex items-center gap-2 bg-card border border-border px-2.5 py-1 rounded-lg hover:bg-elevated transition-colors"
+            onClick={handleConnectOrSignIn}
+            title="Session expired — sign in to continue"
+            className="bg-amber-500/10 border border-amber-500/30 px-3 py-1 rounded-lg text-[11px] text-amber-400 font-medium hover:bg-amber-500/20 transition-colors"
           >
-            <span className="text-[11px] font-mono text-text-secondary">
-              {truncateAddress(publicKey.toBase58())}
-            </span>
-            <div className="w-5 h-5 rounded-full bg-accent flex items-center justify-center">
-              <span className="text-[9px] font-bold text-white">
-                {publicKey.toBase58()[0]}
-              </span>
-            </div>
+            Re-sign in
           </button>
         ) : (
           <button
-            onClick={() => setVisible(true)}
+            onClick={handleConnectOrSignIn}
             className="bg-accent/10 border border-accent/20 px-3 py-1 rounded-lg text-[11px] text-accent font-medium hover:bg-accent/20 transition-colors"
           >
             Connect
diff --git a/app/src/components/SentinelConfirm.tsx b/app/src/components/SentinelConfirm.tsx
index e8ecf5b..f5f0969 100644
--- a/app/src/components/SentinelConfirm.tsx
+++ b/app/src/components/SentinelConfirm.tsx
@@ -1,19 +1,19 @@
 import { useState } from 'react'
+import { apiFetch } from '../api/client'
+import { useAuthState } from '../hooks/useAuthState'
+import { isAuthError } from '../lib/auth-errors'
 import ConfirmCard from './ConfirmCard'
 
-const API_URL = import.meta.env.VITE_API_URL ?? ''
-
 interface Props {
   flagId: string
-  /** Owner JWT — endpoints require requireOwner middleware on the server. */
-  token: string
   action: string
   amount: string
   description?: string
   onResolved: (decision: 'resolve' | 'reject') => void
 }
 
-export default function SentinelConfirm({ flagId, token, action, amount, description, onResolved }: Props) {
+export default function SentinelConfirm({ flagId, action, amount, description, onResolved }: Props) {
+  const { token } = useAuthState()
   const [busy, setBusy] = useState(false)
   const [error, setError] = useState<string | null>(null)
 
@@ -23,22 +23,18 @@ export default function SentinelConfirm({ flagId, token, action, amount, descrip
     setError(null)
     let success = false
     try {
-      const res = await fetch(`${API_URL}/api/sentinel/promise-gate/${encodeURIComponent(flagId)}/${verb}`, {
+      await apiFetch(`/api/sentinel/promise-gate/${encodeURIComponent(flagId)}/${verb}`, {
         method: 'POST',
-        headers: { Authorization: `Bearer ${token}` },
+        token: token ?? undefined,
       })
-      if (!res.ok) {
-        let message = `Action failed (${res.status})`
-        try {
-          const body = await res.json()
-          if (body?.error?.message) message = String(body.error.message)
-        } catch { /* fall back to status */ }
+      success = true
+    } catch (err) {
+      const message = err instanceof Error ? err.message : 'Network error — try again'
+      // 401-class errors fire the global interceptor's session-expired toast;
+      // skip the inline display so the user sees one consistent message.
+      if (!isAuthError(message)) {
         setError(message)
-        return
       }
-      success = true
-    } catch {
-      setError('Network error — try again')
     } finally {
       setBusy(false)
     }
diff --git a/app/src/components/Toast.tsx b/app/src/components/Toast.tsx
new file mode 100644
index 0000000..b688102
--- /dev/null
+++ b/app/src/components/Toast.tsx
@@ -0,0 +1,48 @@
+import { X } from '@phosphor-icons/react'
+
+export interface ToastInput {
+  message: string
+  kind?: 'info' | 'warn' | 'error' | 'success'
+  durationMs?: number
+  action?: { label: string; onClick: () => void }
+}
+
+const kindStyles: Record<NonNullable<ToastInput['kind']>, string> = {
+  info: 'bg-elevated border-border text-text',
+  warn: 'bg-amber-950/90 border-amber-700 text-amber-100',
+  error: 'bg-red-950/90 border-red-700 text-red-100',
+  success: 'bg-emerald-950/90 border-emerald-700 text-emerald-100',
+}
+
+export function Toast({ toast, onDismiss }: { toast: ToastInput; onDismiss: () => void }) {
+  const styles = kindStyles[toast.kind ?? 'info']
+  return (
+    <div
+      className={`border rounded px-3 py-2 text-sm shadow-lg ${styles}`}
+      role="status"
+      aria-live="polite"
+    >
+      <div className="flex items-start gap-2">
+        <span className="flex-1">{toast.message}</span>
+        <button
+          onClick={onDismiss}
+          aria-label="Dismiss"
+          className="opacity-70 hover:opacity-100"
+        >
+          <X size={14} />
+        </button>
+      </div>
+      {toast.action && (
+        <button
+          onClick={() => {
+            toast.action!.onClick()
+            onDismiss()
+          }}
+          className="mt-2 px-2 py-1 bg-text/10 hover:bg-text/20 rounded text-xs"
+        >
+          {toast.action.label}
+        </button>
+      )}
+    </div>
+  )
+}
diff --git a/app/src/components/WalletDropdown.tsx b/app/src/components/WalletDropdown.tsx
new file mode 100644
index 0000000..73e496b
--- /dev/null
+++ b/app/src/components/WalletDropdown.tsx
@@ -0,0 +1,82 @@
+import { useEffect, useRef, useState } from 'react'
+import { Copy, ArrowsClockwise, Plug, CaretDown } from '@phosphor-icons/react'
+
+interface Props {
+  address: string
+  onCopy: () => void
+  onReSignIn: () => void
+  onDisconnect: () => void
+}
+
+export function WalletDropdown({ address, onCopy, onReSignIn, onDisconnect }: Props) {
+  const [open, setOpen] = useState(false)
+  const ref = useRef<HTMLDivElement>(null)
+  const short = `${address.slice(0, 4)}...${address.slice(-4)}`
+
+  useEffect(() => {
+    if (!open) return
+    const onMouseDown = (e: MouseEvent) => {
+      if (ref.current && !ref.current.contains(e.target as Node)) setOpen(false)
+    }
+    const onKey = (e: KeyboardEvent) => {
+      if (e.key === 'Escape') setOpen(false)
+    }
+    document.addEventListener('mousedown', onMouseDown)
+    document.addEventListener('keydown', onKey)
+    return () => {
+      document.removeEventListener('mousedown', onMouseDown)
+      document.removeEventListener('keydown', onKey)
+    }
+  }, [open])
+
+  const handleAction = (cb: () => void) => () => {
+    cb()
+    setOpen(false)
+  }
+
+  return (
+    <div ref={ref} className="relative">
+      <button
+        type="button"
+        onClick={() => setOpen((o) => !o)}
+        className="flex items-center gap-1 px-2 py-1 bg-elevated border border-border rounded text-xs text-text hover:bg-text/5"
+        aria-haspopup="menu"
+        aria-expanded={open}
+      >
+        <span>{short}</span>
+        <CaretDown size={10} className={`transition-transform ${open ? 'rotate-180' : ''}`} />
+      </button>
+      {open && (
+        <div
+          role="menu"
+          className="absolute right-0 mt-1 w-48 bg-elevated border border-border rounded shadow-lg overflow-hidden z-50"
+        >
+          <button
+            type="button"
+            role="menuitem"
+            onClick={handleAction(onCopy)}
+            className="w-full flex items-center gap-2 px-3 py-2 text-xs text-text hover:bg-text/5"
+          >
+            <Copy size={14} /> Copy address
+          </button>
+          <button
+            type="button"
+            role="menuitem"
+            onClick={handleAction(onReSignIn)}
+            className="w-full flex items-center gap-2 px-3 py-2 text-xs text-text hover:bg-text/5"
+          >
+            <ArrowsClockwise size={14} /> Re-sign in
+          </button>
+          <button
+            type="button"
+            role="menuitem"
+            onClick={handleAction(onDisconnect)}
+            className="w-full flex items-center gap-2 px-3 py-2 text-xs text-text hover:bg-text/5 border-t border-border"
+          >
+            <Plug size={14} /> Disconnect
+          </button>
+        </div>
+      )}
+    </div>
+  )
+}
diff --git a/app/src/components/__tests__/ChatSidebar.test.tsx b/app/src/components/__tests__/ChatSidebar.test.tsx
index cd83763..e482e25 100644
--- a/app/src/components/__tests__/ChatSidebar.test.tsx
+++ b/app/src/components/__tests__/ChatSidebar.test.tsx
@@ -3,6 +3,34 @@ import { render, screen, fireEvent, waitFor } from '@testing-library/react'
 import { useAppStore } from '../../stores/app'
 import ChatSidebar from '../ChatSidebar'
 
+const mockToastShow = vi.fn(() => 'toast-id')
+const mockToastDismiss = vi.fn()
+
+vi.mock('../../providers/ToastProvider', () => ({
+  useToast: () => ({ show: mockToastShow, dismiss: mockToastDismiss }),
+}))
+
+vi.mock('../../hooks/useAuthState', async () => {
+  const { useAppStore: store } = await vi.importActual<
+    typeof import('../../stores/app')
+  >('../../stores/app')
+  return {
+    useAuthState: () => {
+      const t = store.getState().token
+      return {
+        status: t ? ('authed' as const) : ('unauthed' as const),
+        token: t,
+        expiresAt: null,
+        isAdmin: store.getState().isAdmin,
+        publicKey: null,
+        authenticate: () => Promise.resolve(),
+        disconnect: () => Promise.resolve(),
+        error: null,
+      }
+    },
+  }
+})
+
 function resetStore() {
   useAppStore.setState({
     token: null,
@@ -17,6 +45,8 @@ function resetStore() {
 describe('ChatSidebar', () => {
   beforeEach(() => {
     resetStore()
+    mockToastShow.mockClear()
+    mockToastDismiss.mockClear()
   })
 
   afterEach(() => {
@@ -93,4 +123,53 @@ describe('ChatSidebar', () => {
       expect(screen.getByText('Hi')).toBeInTheDocument()
     })
   })
+
+  it('shows error toast for non-auth failure and skips inline paint', async () => {
+    useAppStore.setState({ token: 'test-jwt', isAdmin: true })
+    vi.stubGlobal(
+      'fetch',
+      vi.fn().mockResolvedValue(
+        new Response(JSON.stringify({ error: 'rate limited' }), {
+          status: 429,
+          headers: { 'content-type': 'application/json' },
+        })
+      )
+    )
+
+    render(<ChatSidebar />)
+    const input = screen.getByPlaceholderText('Message SIPHER...') as HTMLInputElement
+    fireEvent.change(input, { target: { value: 'hello' } })
+    fireEvent.click(screen.getByRole('button', { name: 'Send' }))
+
+    await waitFor(() => {
+      expect(mockToastShow).toHaveBeenCalledWith(
+        expect.objectContaining({ message: 'rate limited', kind: 'error' })
+      )
+    })
+    expect(screen.queryByText('rate limited')).not.toBeInTheDocument()
+  })
+
+  it('does NOT toast on 401-class errors (handled by global interceptor)', async () => {
+    useAppStore.setState({ token: 'test-jwt', isAdmin: true })
+    vi.stubGlobal(
+      'fetch',
+      vi.fn().mockResolvedValue(
+        new Response(JSON.stringify({ error: 'invalid or expired token' }), {
+          status: 401,
+          headers: { 'content-type': 'application/json' },
+        })
+      )
+    )
+
+    render(<ChatSidebar />)
+    const input = screen.getByPlaceholderText('Message SIPHER...') as HTMLInputElement
+    fireEvent.change(input, { target: { value: 'hello' } })
+    fireEvent.click(screen.getByRole('button', { name: 'Send' }))
+
+    await waitFor(() => {
+      expect(useAppStore.getState().chatLoading).toBe(false)
+    })
+    expect(mockToastShow).not.toHaveBeenCalled()
+    expect(screen.queryByText(/invalid or expired token/)).not.toBeInTheDocument()
+  })
 })
diff --git a/app/src/components/__tests__/Header.test.tsx b/app/src/components/__tests__/Header.test.tsx
new file mode 100644
index 0000000..1cc67c5
--- /dev/null
+++ b/app/src/components/__tests__/Header.test.tsx
@@ -0,0 +1,138 @@
+import { describe, it, expect, vi, beforeEach } from 'vitest'
+import { render, screen, fireEvent } from '@testing-library/react'
+import Header from '../Header'
+import type { AuthState, AuthStatus } from '../../hooks/useAuthState'
+import { useAppStore } from '../../stores/app'
+
+const mockAuthenticate = vi.fn()
+const mockDisconnect = vi.fn()
+const mockToastShow = vi.fn(() => 'toast-id')
+const mockClipboardWrite = vi.fn()
+
+let currentAuth: AuthState = {
+  status: 'unauthed',
+  token: null,
+  expiresAt: null,
+  isAdmin: false,
+  publicKey: null,
+  authenticate: mockAuthenticate,
+  disconnect: mockDisconnect,
+  error: null,
+}
+
+vi.mock('../../hooks/useAuthState', () => ({
+  useAuthState: () => currentAuth,
+}))
+
+vi.mock('../../providers/ToastProvider', () => ({
+  useToast: () => ({ show: mockToastShow, dismiss: vi.fn() }),
+}))
+
+vi.mock('../../lib/networkConfig', () => ({
+  useNetworkConfigStore: <T,>(selector: (s: { config: { network: string } }) => T) =>
+    selector({ config: { network: 'devnet' } }),
+}))
+
+const FULL = 'HciZTd6rR7YsaS5ZNThx9KdgqSimxwMzJgs2j98U25En'
+
+function setAuth(partial: Partial<AuthState> & { status: AuthStatus }) {
+  currentAuth = {
+    ...currentAuth,
+    ...partial,
+    authenticate: mockAuthenticate,
+    disconnect: mockDisconnect,
+  }
+}
+
+beforeEach(() => {
+  mockAuthenticate.mockReset()
+  mockAuthenticate.mockResolvedValue(undefined)
+  mockDisconnect.mockReset()
+  mockDisconnect.mockResolvedValue(undefined)
+  mockToastShow.mockReset()
+  mockClipboardWrite.mockReset()
+  Object.assign(navigator, {
+    clipboard: { writeText: mockClipboardWrite.mockResolvedValue(undefined) },
+  })
+  useAppStore.setState({ activeView: 'dashboard' }, false)
+  setAuth({ status: 'unauthed', publicKey: null, isAdmin: false })
+})
+
+describe('Header — auth pill', () => {
+  it('renders Connect button when unauthed', () => {
+    setAuth({ status: 'unauthed', publicKey: null })
+    render(<Header />)
+    const btn = screen.getByRole('button', { name: 'Connect' })
+    expect(btn).toBeInTheDocument()
+  })
+
+  it('Connect click calls authenticate', () => {
+    setAuth({ status: 'unauthed', publicKey: null })
+    render(<Header />)
+    fireEvent.click(screen.getByRole('button', { name: 'Connect' }))
+    expect(mockAuthenticate).toHaveBeenCalledTimes(1)
+  })
+
+  it('renders Re-sign in button when expired', () => {
+    setAuth({ status: 'expired', publicKey: FULL })
+    render(<Header />)
+    expect(screen.getByRole('button', { name: /Re-sign in/i })).toBeInTheDocument()
+  })
+
+  it('Re-sign click calls authenticate', () => {
+    setAuth({ status: 'expired', publicKey: FULL })
+    render(<Header />)
+    fireEvent.click(screen.getByRole('button', { name: /Re-sign in/i }))
+    expect(mockAuthenticate).toHaveBeenCalledTimes(1)
+  })
+
+  it('renders WalletDropdown when authed with publicKey', () => {
+    setAuth({ status: 'authed', publicKey: FULL, token: 'tok' })
+    render(<Header />)
+    expect(screen.getByRole('button', { name: /HciZ\.\.\.25En/ })).toBeInTheDocument()
+  })
+
+  it('WalletDropdown Disconnect calls disconnect + shows toast', async () => {
+    setAuth({ status: 'authed', publicKey: FULL, token: 'tok' })
+    render(<Header />)
+    fireEvent.click(screen.getByRole('button', { name: /HciZ\.\.\.25En/ }))
+    fireEvent.click(screen.getByText('Disconnect'))
+    await Promise.resolve()
+    await Promise.resolve()
+    expect(mockDisconnect).toHaveBeenCalledTimes(1)
+  })
+
+  it('WalletDropdown Copy writes address to clipboard', async () => {
+    setAuth({ status: 'authed', publicKey: FULL, token: 'tok' })
+    render(<Header />)
+    fireEvent.click(screen.getByRole('button', { name: /HciZ\.\.\.25En/ }))
+    fireEvent.click(screen.getByText('Copy address'))
+    await Promise.resolve()
+    expect(mockClipboardWrite).toHaveBeenCalledWith(FULL)
+  })
+})
+
+describe('Header — tabs', () => {
+  it('hides admin-only tabs when isAdmin is false', () => {
+    setAuth({ status: 'authed', publicKey: FULL, token: 'tok', isAdmin: false })
+    render(<Header />)
+    expect(screen.getByRole('button', { name: /Dashboard/i })).toBeInTheDocument()
+    expect(screen.getByRole('button', { name: /Vault/i })).toBeInTheDocument()
+    expect(screen.queryByRole('button', { name: /Herald/i })).not.toBeInTheDocument()
+    expect(screen.queryByRole('button', { name: /Squad/i })).not.toBeInTheDocument()
+  })
+
+  it('shows admin-only tabs when isAdmin is true', () => {
+    setAuth({ status: 'authed', publicKey: FULL, token: 'tok', isAdmin: true })
+    render(<Header />)
+    expect(screen.getByRole('button', { name: /Herald/i })).toBeInTheDocument()
+    expect(screen.getByRole('button', { name: /Squad/i })).toBeInTheDocument()
+  })
+
+  it('clicking a tab calls setActiveView', () => {
+    setAuth({ status: 'authed', publicKey: FULL, token: 'tok' })
+    render(<Header />)
+    fireEvent.click(screen.getByRole('button', { name: /Vault/i }))
+    expect(useAppStore.getState().activeView).toBe('vault')
+  })
+})
diff --git a/app/src/components/__tests__/SentinelConfirm.test.tsx b/app/src/components/__tests__/SentinelConfirm.test.tsx
index 400af1c..f3d632b 100644
--- a/app/src/components/__tests__/SentinelConfirm.test.tsx
+++ b/app/src/components/__tests__/SentinelConfirm.test.tsx
@@ -1,10 +1,33 @@
 import { describe, it, expect, beforeEach, vi } from 'vitest'
 import { render, screen } from '@testing-library/react'
 import userEvent from '@testing-library/user-event'
+import { useAppStore } from '../../stores/app'
 import SentinelConfirm from '../SentinelConfirm'
 
+vi.mock('../../hooks/useAuthState', async () => {
+  const { useAppStore: store } = await vi.importActual<
+    typeof import('../../stores/app')
+  >('../../stores/app')
+  return {
+    useAuthState: () => {
+      const t = store.getState().token
+      return {
+        status: t ? ('authed' as const) : ('unauthed' as const),
+        token: t,
+        expiresAt: null,
+        isAdmin: store.getState().isAdmin,
+        publicKey: null,
+        authenticate: () => Promise.resolve(),
+        disconnect: () => Promise.resolve(),
+        error: null,
+      }
+    },
+  }
+})
+
 describe('SentinelConfirm', () => {
   beforeEach(() => {
+    useAppStore.setState({ token: 't', isAdmin: false })
     global.fetch = vi.fn().mockResolvedValue(new Response(null, { status: 204 })) as typeof fetch
   })
 
@@ -12,7 +35,6 @@ describe('SentinelConfirm', () => {
     render(
       <SentinelConfirm
         flagId="abc"
-        token="t"
         action="Send"
         amount="5 SOL"
         description="Risk: blacklisted address"
@@ -28,7 +50,6 @@ describe('SentinelConfirm', () => {
     render(
       <SentinelConfirm
         flagId="abc"
-        token="t"
         action="Send"
         amount="5 SOL"
         description="x"
@@ -48,7 +69,6 @@ describe('SentinelConfirm', () => {
     render(
       <SentinelConfirm
         flagId="abc"
-        token="t"
         action="Send"
         amount="5 SOL"
         description="x"
@@ -70,7 +90,6 @@ describe('SentinelConfirm', () => {
     render(
       <SentinelConfirm
         flagId="abc"
-        token="t"
         action="Send"
         amount="5 SOL"
         description="x"
@@ -92,7 +111,6 @@ describe('SentinelConfirm', () => {
     render(
       <SentinelConfirm
         flagId="abc"
-        token="t"
         action="Send"
         amount="5 SOL"
         description="x"
@@ -112,7 +130,6 @@ describe('SentinelConfirm', () => {
     render(
       <SentinelConfirm
         flagId="abc"
-        token="t"
         action="Send"
         amount="5 SOL"
         description="x"
@@ -121,6 +138,6 @@ describe('SentinelConfirm', () => {
     )
     await userEvent.click(screen.getByRole('button', { name: /override & send/i }))
     expect(onResolved).not.toHaveBeenCalled()
-    expect(await screen.findByText(/Action failed \(500\)/)).toBeInTheDocument()
+    expect(await screen.findByText(/API error 500/)).toBeInTheDocument()
   })
 })
diff --git a/app/src/components/__tests__/WalletDropdown.test.tsx b/app/src/components/__tests__/WalletDropdown.test.tsx
new file mode 100644
index 0000000..56b44f3
--- /dev/null
+++ b/app/src/components/__tests__/WalletDropdown.test.tsx
@@ -0,0 +1,143 @@
+import { describe, it, expect, vi } from 'vitest'
+import { render, screen, fireEvent } from '@testing-library/react'
+import { WalletDropdown } from '../WalletDropdown'
+
+const FULL = 'HciZTd6rR7YsaS5ZNThx9KdgqSimxwMzJgs2j98U25En'
+
+describe('WalletDropdown', () => {
+  it('renders pill with shortened address', () => {
+    render(
+      <WalletDropdown
+        address={FULL}
+        onCopy={vi.fn()}
+        onReSignIn={vi.fn()}
+        onDisconnect={vi.fn()}
+      />,
+    )
+    expect(screen.getByText('HciZ...25En')).toBeInTheDocument()
+  })
+
+  it('opens dropdown on click and shows three actions', () => {
+    render(
+      <WalletDropdown
+        address={FULL}
+        onCopy={vi.fn()}
+        onReSignIn={vi.fn()}
+        onDisconnect={vi.fn()}
+      />,
+    )
+    fireEvent.click(screen.getByRole('button', { name: /HciZ\.\.\.25En/ }))
+    expect(screen.getByText('Copy address')).toBeInTheDocument()
+    expect(screen.getByText(/Re-sign in/i)).toBeInTheDocument()
+    expect(screen.getByText('Disconnect')).toBeInTheDocument()
+  })
+
+  it('toggles closed when pill clicked again', () => {
+    render(
+      <WalletDropdown
+        address={FULL}
+        onCopy={vi.fn()}
+        onReSignIn={vi.fn()}
+        onDisconnect={vi.fn()}
+      />,
+    )
+    const pill = screen.getByRole('button', { name: /HciZ\.\.\.25En/ })
+    fireEvent.click(pill)
+    expect(screen.getByText('Copy address')).toBeInTheDocument()
+    fireEvent.click(pill)
+    expect(screen.queryByText('Copy address')).not.toBeInTheDocument()
+  })
+
+  it('closes on action click and invokes callback', () => {
+    const onDisconnect = vi.fn()
+    render(
+      <WalletDropdown
+        address={FULL}
+        onCopy={vi.fn()}
+        onReSignIn={vi.fn()}
+        onDisconnect={onDisconnect}
+      />,
+    )
+    fireEvent.click(screen.getByRole('button', { name: /HciZ\.\.\.25En/ }))
+    fireEvent.click(screen.getByText('Disconnect'))
+    expect(onDisconnect).toHaveBeenCalledOnce()
+    expect(screen.queryByText('Copy address')).not.toBeInTheDocument()
+  })
+
+  it('Copy action invokes onCopy', () => {
+    const onCopy = vi.fn()
+    render(
+      <WalletDropdown
+        address={FULL}
+        onCopy={onCopy}
+        onReSignIn={vi.fn()}
+        onDisconnect={vi.fn()}
+      />,
+    )
+    fireEvent.click(screen.getByRole('button', { name: /HciZ\.\.\.25En/ }))
+    fireEvent.click(screen.getByText('Copy address'))
+    expect(onCopy).toHaveBeenCalledOnce()
+  })
+
+  it('Re-sign action invokes onReSignIn', () => {
+    const onReSignIn = vi.fn()
+    render(
+      <WalletDropdown
+        address={FULL}
+        onCopy={vi.fn()}
+        onReSignIn={onReSignIn}
+        onDisconnect={vi.fn()}
+      />,
+    )
+    fireEvent.click(screen.getByRole('button', { name: /HciZ\.\.\.25En/ }))
+    fireEvent.click(screen.getByText(/Re-sign in/i))
+    expect(onReSignIn).toHaveBeenCalledOnce()
+  })
+
+  it('closes on outside mousedown', () => {
+    render(
+      <div>
+        <WalletDropdown
+          address={FULL}
+          onCopy={vi.fn()}
+          onReSignIn={vi.fn()}
+          onDisconnect={vi.fn()}
+        />
+        <button>outside</button>
+      </div>,
+    )
+    fireEvent.click(screen.getByRole('button', { name: /HciZ\.\.\.25En/ }))
+    expect(screen.getByText('Copy address')).toBeInTheDocument()
+    fireEvent.mouseDown(screen.getByText('outside'))
+    expect(screen.queryByText('Copy address')).not.toBeInTheDocument()
+  })
+
+  it('closes on Escape key', () => {
+    render(
+      <WalletDropdown
+        address={FULL}
+        onCopy={vi.fn()}
+        onReSignIn={vi.fn()}
+        onDisconnect={vi.fn()}
+      />,
+    )
+    fireEvent.click(screen.getByRole('button', { name: /HciZ\.\.\.25En/ }))
+    fireEvent.keyDown(document, { key: 'Escape' })
+    expect(screen.queryByText('Copy address')).not.toBeInTheDocument()
+  })
+
+  it('aria-expanded reflects open state', () => {
+    render(
+      <WalletDropdown
+        address={FULL}
+        onCopy={vi.fn()}
+        onReSignIn={vi.fn()}
+        onDisconnect={vi.fn()}
+      />,
+    )
+    const pill = screen.getByRole('button', { name: /HciZ\.\.\.25En/ })
+    expect(pill).toHaveAttribute('aria-expanded', 'false')
+    fireEvent.click(pill)
+    expect(pill).toHaveAttribute('aria-expanded', 'true')
+  })
+})
diff --git a/app/src/hooks/useAuth.ts b/app/src/hooks/useAuth.ts
index 62bb5af..5d00c8b 100644
--- a/app/src/hooks/useAuth.ts
+++ b/app/src/hooks/useAuth.ts
@@ -1,40 +1,3 @@
-import { useState, useCallback } from 'react'
-import { useWallet } from '@solana/wallet-adapter-react'
-import { requestNonce, verifySignature } from '../api/auth'
-import { useAppStore } from '../stores/app'
-
-export function useAuth() {
-  const { publicKey, signMessage } = useWallet()
-  const [loading, setLoading] = useState(false)
-  const [error, setError] = useState<string | null>(null)
-  const token = useAppStore((s) => s.token)
-  const isAdmin = useAppStore((s) => s.isAdmin)
-  const setAuth = useAppStore((s) => s.setAuth)
-  const clearAuth = useAppStore((s) => s.clearAuth)
-
-  const authenticate = useCallback(async () => {
-    if (!publicKey || !signMessage) return null
-    setLoading(true)
-    setError(null)
-    try {
-      const wallet = publicKey.toBase58()
-      const { nonce, message } = await requestNonce(wallet)
-      const encoded = new TextEncoder().encode(message)
-      const sig = await signMessage(encoded)
-      const sigHex = Array.from(sig)
-        .map((b) => b.toString(16).padStart(2, '0'))
-        .join('')
-      const result = await verifySignature(wallet, nonce, sigHex)
-      setAuth(result.token, result.isAdmin ?? false)
-      return result.token
-    } catch (err) {
-      const msg = err instanceof Error ? err.message : 'Authentication failed'
-      setError(msg)
-      return null
-    } finally {
-      setLoading(false)
-    }
-  }, [publicKey, signMessage, setAuth])
-
-  return { token, isAdmin, authenticate, loading, error, isAuthenticated: !!token, clearAuth }
-}
+// Legacy export kept so any straggler importer still resolves cleanly.
+// New code should pull useAuthState from './useAuthState' directly.
+export { useAuthSyncContext as useAuth } from '../providers/AuthSyncProvider'
diff --git a/app/src/hooks/useAuthState.ts b/app/src/hooks/useAuthState.ts
new file mode 100644
index 0000000..e724608
--- /dev/null
+++ b/app/src/hooks/useAuthState.ts
@@ -0,0 +1,2 @@
+export { useAuthSyncContext as useAuthState } from '../providers/AuthSyncProvider'
+export type { AuthState, AuthStatus } from '../providers/AuthSyncProvider'
diff --git a/app/src/hooks/useSSE.ts b/app/src/hooks/useSSE.ts
index 2a2cce5..8e2c36d 100644
--- a/app/src/hooks/useSSE.ts
+++ b/app/src/hooks/useSSE.ts
@@ -1,5 +1,6 @@
 import { useEffect, useRef, useState } from 'react'
 import { connectSSE } from '../api/sse'
+import { useAuthState } from './useAuthState'
 
 export interface ActivityEvent {
   id: string
@@ -10,7 +11,8 @@ export interface ActivityEvent {
   timestamp: string
 }
 
-export function useSSE(token: string | null) {
+export function useSSE() {
+  const { token } = useAuthState()
   const [events, setEvents] = useState<ActivityEvent[]>([])
   const [connected, setConnected] = useState(false)
   const sourceRef = useRef<EventSource | null>(null)
diff --git a/app/src/lib/__tests__/jwt.test.ts b/app/src/lib/__tests__/jwt.test.ts
new file mode 100644
index 0000000..f025c73
--- /dev/null
+++ b/app/src/lib/__tests__/jwt.test.ts
@@ -0,0 +1,43 @@
+import { describe, it, expect } from 'vitest'
+import { decodeJwtPayload, isJwtExpired, getJwtExpiresAt } from '../jwt'
+
+describe('jwt helpers', () => {
+  // Valid JWT: { wallet: 'TestWallet', iat: 1700000000, exp: 1700003600 }
+  // (signature is irrelevant for client-side decode)
+  const validToken = 'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ3YWxsZXQiOiJUZXN0V2FsbGV0IiwiaWF0IjoxNzAwMDAwMDAwLCJleHAiOjE3MDAwMDM2MDB9.fake-sig'
+
+  it('decodes payload', () => {
+    const payload = decodeJwtPayload(validToken)
+    expect(payload).toEqual({ wallet: 'TestWallet', iat: 1700000000, exp: 1700003600 })
+  })
+
+  it('returns null for malformed token', () => {
+    expect(decodeJwtPayload('not.a.jwt')).toBeNull()
+    expect(decodeJwtPayload('only-one-part')).toBeNull()
+    expect(decodeJwtPayload('')).toBeNull()
+  })
+
+  it('isJwtExpired returns true for expired token', () => {
+    expect(isJwtExpired(validToken, 1700004000)).toBe(true)
+  })
+
+  it('isJwtExpired returns false for valid token', () => {
+    expect(isJwtExpired(validToken, 1700001800)).toBe(false)
+  })
+
+  it('isJwtExpired returns true at exact expiry second (>=)', () => {
+    expect(isJwtExpired(validToken, 1700003600)).toBe(true)
+  })
+
+  it('isJwtExpired returns true for malformed token (defensive)', () => {
+    expect(isJwtExpired('not.a.jwt', 1700001800)).toBe(true)
+  })
+
+  it('getJwtExpiresAt returns exp claim in seconds', () => {
+    expect(getJwtExpiresAt(validToken)).toBe(1700003600)
+  })
+
+  it('getJwtExpiresAt returns null for malformed', () => {
+    expect(getJwtExpiresAt('not.a.jwt')).toBeNull()
+  })
+})
diff --git a/app/src/lib/auth-errors.ts b/app/src/lib/auth-errors.ts
new file mode 100644
index 0000000..87f619b
--- /dev/null
+++ b/app/src/lib/auth-errors.ts
@@ -0,0 +1,16 @@
+// Pattern for error messages that originate from a 401-class auth failure
+// the global apiFetch interceptor already surfaces via toast. Components
+// that catch their own errors use this to suppress double-display so the
+// user sees one Session-expired toast, not a toast plus an inline string.
+//
+// Tightened on purpose: the bare word "expired" is NOT a match, because
+// non-auth endpoints reuse it (e.g. "flag not found or expired" from a
+// promise-gate 404). Match the specific phrasings the agent + auth
+// middleware actually emit.
+export const AUTH_ERROR_PATTERN =
+  /\b401\b|invalid (or expired )?token|expired token|token (has )?expired|session expired|unauthori[sz]ed|authentication required/i
+
+export function isAuthError(message: string | null | undefined): boolean {
+  if (!message) return false
+  return AUTH_ERROR_PATTERN.test(message)
+}
diff --git a/app/src/lib/jwt.ts b/app/src/lib/jwt.ts
new file mode 100644
index 0000000..2910dde
--- /dev/null
+++ b/app/src/lib/jwt.ts
@@ -0,0 +1,36 @@
+// app/src/lib/jwt.ts
+
+export interface JwtPayload {
+  wallet: string
+  iat: number
+  exp: number
+  isAdmin?: boolean
+}
+
+export function decodeJwtPayload(token: string): JwtPayload | null {
+  const parts = token.split('.')
+  if (parts.length !== 3) return null
+  try {
+    const padded = parts[1] + '='.repeat((4 - (parts[1].length % 4)) % 4)
+    const json = atob(padded.replace(/-/g, '+').replace(/_/g, '/'))
+    const obj = JSON.parse(json)
+    if (typeof obj !== 'object' || obj === null) return null
+    if (typeof obj.wallet !== 'string') return null
+    if (typeof obj.iat !== 'number') return null
+    if (typeof obj.exp !== 'number') return null
+    return obj as JwtPayload
+  } catch {
+    return null
+  }
+}
+
+export function getJwtExpiresAt(token: string): number | null {
+  const payload = decodeJwtPayload(token)
+  return payload?.exp ?? null
+}
+
+export function isJwtExpired(token: string, nowSeconds = Math.floor(Date.now() / 1000)): boolean {
+  const exp = getJwtExpiresAt(token)
+  if (exp === null) return true // defensive: treat malformed as expired
+  return nowSeconds >= exp
+}
diff --git a/app/src/providers/AuthSyncProvider.tsx b/app/src/providers/AuthSyncProvider.tsx
new file mode 100644
index 0000000..d3bfcc6
--- /dev/null
+++ b/app/src/providers/AuthSyncProvider.tsx
@@ -0,0 +1,366 @@
+import { createContext, useContext, useEffect, useMemo, useRef, useState, ReactNode } from 'react'
+import { useWallet } from '@solana/wallet-adapter-react'
+import { useWalletModal } from '@solana/wallet-adapter-react-ui'
+import { useAppStore } from '../stores/app'
+import { decodeJwtPayload, isJwtExpired } from '../lib/jwt'
+import { requestNonce, verifySignature } from '../api/auth'
+import { refreshToken } from '../api/refresh'
+import { registerAuthInterceptor } from '../api/client'
+import { useToast } from './ToastProvider'
+
+export type AuthStatus = 'connecting' | 'unauthed' | 'authed' | 'expired' | 'error'
+
+export interface AuthState {
+  status: AuthStatus
+  token: string | null
+  expiresAt: number | null
+  isAdmin: boolean
+  publicKey: string | null
+  authenticate: () => Promise<void>
+  disconnect: () => Promise<void>
+  error: string | null
+}
+
+const AuthSyncContext = createContext<AuthState | null>(null)
+
+export function useAuthSyncContext(): AuthState {
+  const ctx = useContext(AuthSyncContext)
+  if (!ctx) throw new Error('useAuthSyncContext must be used within AuthSyncProvider')
+  return ctx
+}
+
+export function AuthSyncProvider({ children }: { children: ReactNode }) {
+  const { connected, publicKey, wallet, signMessage, disconnect: walletDisconnect } = useWallet()
+  const { setVisible } = useWalletModal()
+  const { show: showToast } = useToast()
+  const token = useAppStore((s) => s.token)
+  const isAdmin = useAppStore((s) => s.isAdmin)
+  const expiresAt = useAppStore((s) => s.expiresAt)
+  const setAuth = useAppStore((s) => s.setAuth)
+  const clearAuth = useAppStore((s) => s.clearAuth)
+
+  const [error, setError] = useState<string | null>(null)
+  const [authenticating, setAuthenticating] = useState(false)
+  const lastWalletRef = useRef<string | null>(null)
+  // Tracks whether the wallet was ever connected during this provider's
+  // lifetime. We only treat `connected: false` as an external-disconnect
+  // signal AFTER we've seen `connected: true` at least once — otherwise the
+  // initial mount race (Zustand hydrates the persisted token before Phantom's
+  // autoConnect resolves) would clear auth on every page load.
+  const wasConnectedRef = useRef(false)
+  const authenticateRef = useRef<() => Promise<void>>(() => Promise.resolve())
+
+  // Track wallet identity across renders; clear auth when the wallet changes.
+  useEffect(() => {
+    const currentWallet = publicKey?.toBase58() ?? null
+    if (
+      currentWallet &&
+      lastWalletRef.current &&
+      currentWallet !== lastWalletRef.current
+    ) {
+      clearAuth()
+    }
+    if (currentWallet) lastWalletRef.current = currentWallet
+    if (!connected) lastWalletRef.current = null
+  }, [publicKey, connected, clearAuth])
+
+  // Validate that the persisted JWT was issued for the currently-connected
+  // wallet. Catches loading a stale token under a different wallet without
+  // a wallet-switch event (e.g. cold reload after wallet swap).
+  useEffect(() => {
+    if (!connected || !publicKey || !token) return
+    const payload = decodeJwtPayload(token)
+    if (!payload || payload.wallet !== publicKey.toBase58()) {
+      clearAuth()
+    }
+  }, [connected, publicKey, token, clearAuth])
+
+  // Auto-clear when the wallet disconnects externally (user clicks
+  // Disconnect in their Phantom extension, locks their hardware wallet,
+  // browser wipes wallet-adapter state, etc.). The other reconciliation
+  // effects only fire when `connected` is true, so they can't catch this.
+  //
+  // Gated on wasConnectedRef so that the initial-mount race where Zustand
+  // hydrates the persisted token before wallet-adapter's autoConnect
+  // resolves doesn't trigger a phantom clear.
+  useEffect(() => {
+    if (connected) {
+      wasConnectedRef.current = true
+      return
+    }
+    if (wasConnectedRef.current && (token !== null || isAdmin)) {
+      clearAuth()
+      lastWalletRef.current = null
+      wasConnectedRef.current = false
+    }
+  }, [connected, token, isAdmin, clearAuth])
+
+  // Expiry watcher: schedule a preemptive refresh inside the last 5min of
+  // the JWT lifetime, plus a cleanup timer that fires at exact expiry to
+  // ensure the store doesn't keep a stale token if refresh failed.
+  useEffect(() => {
+    if (!token || !expiresAt) return
+
+    const nowSec = Math.floor(Date.now() / 1000)
+    const remainingSec = expiresAt - nowSec
+    const fiveMinSec = 5 * 60
+
+    const clearTimer = setTimeout(
+      () => {
+        clearAuth()
+      },
+      Math.max(0, remainingSec) * 1000,
+    )
+
+    let refreshTimer: ReturnType<typeof setTimeout> | null = null
+
+    const attemptRefresh = async (currentToken: string) => {
+      try {
+        const result = await refreshToken(currentToken)
+        if (result) {
+          const newExp = parseExpiryToEpoch(result.expiresIn)
+          setAuth(result.token, isAdmin, newExp)
+        }
+      } catch {
+        // Refresh failed — let the clearTimer handle expiry. We don't
+        // surface this error: the 401 interceptor will catch the next
+        // outgoing request and trigger UI re-auth.
+      }
+    }
+
+    if (remainingSec > fiveMinSec) {
+      refreshTimer = setTimeout(
+        () => {
+          void attemptRefresh(token)
+        },
+        (remainingSec - fiveMinSec) * 1000,
+      )
+    } else if (remainingSec > 0) {
+      void attemptRefresh(token)
+    }
+
+    return () => {
+      clearTimeout(clearTimer)
+      if (refreshTimer) clearTimeout(refreshTimer)
+    }
+  }, [token, expiresAt, isAdmin, clearAuth, setAuth])
+
+  const status: AuthStatus = useMemo(() => {
+    if (authenticating) return 'connecting'
+    if (!connected || !publicKey) return 'unauthed'
+    if (!token) return 'unauthed'
+    if (isJwtExpired(token)) return 'expired'
+    return 'authed'
+  }, [authenticating, connected, publicKey, token])
+
+  const authenticate = async () => {
+    if (!connected || !publicKey) {
+      setVisible(true)
+      return
+    }
+    if (!signMessage && !walletSupportsSignIn(wallet)) {
+      const message =
+        "This wallet doesn't support sign-in. Try Phantom, Solflare, or another wallet-standard wallet."
+      setError(message)
+      throw new Error(message)
+    }
+
+    setAuthenticating(true)
+    setError(null)
+    try {
+      const wallet58 = publicKey.toBase58()
+      const { nonce, message } = await requestNonce(wallet58)
+
+      const siwsResult = await trySiws(wallet, wallet58, nonce)
+      let verifyResult: VerifyResult
+      if (siwsResult) {
+        try {
+          verifyResult = await verifySignature(wallet58, nonce, siwsResult.signatureHex, {
+            signedMessage: siwsResult.signedMessageBase64,
+          })
+        } catch (err) {
+          // Server may not yet support the SIWS verify path; gracefully fall
+          // back to signMessage. Re-throws below if signMessage isn't
+          // available.
+          if (!signMessage) throw err
+          verifyResult = await runSignMessageFlow(signMessage, wallet58, nonce, message)
+        }
+      } else {
+        if (!signMessage) {
+          throw new Error(
+            "This wallet doesn't support sign-in. Try Phantom, Solflare, or another wallet-standard wallet.",
+          )
+        }
+        verifyResult = await runSignMessageFlow(signMessage, wallet58, nonce, message)
+      }
+
+      const expiresAtSec = parseExpiryToEpoch(verifyResult.expiresIn)
+      setAuth(verifyResult.token, verifyResult.isAdmin, expiresAtSec)
+      lastWalletRef.current = wallet58
+    } catch (err) {
+      const message = err instanceof Error ? err.message : 'Sign-in failed'
+      setError(message)
+      throw err instanceof Error ? err : new Error(message)
+    } finally {
+      setAuthenticating(false)
+    }
+  }
+
+  const disconnect = async () => {
+    try {
+      await walletDisconnect()
+    } finally {
+      clearAuth()
+      lastWalletRef.current = null
+    }
+  }
+
+  authenticateRef.current = authenticate
+
+  // Wire the global 401 interceptor: any apiFetch that returns 401 clears
+  // the token and surfaces a "Session expired — Sign in" toast with a CTA
+  // that re-runs authenticate().
+  useEffect(() => {
+    registerAuthInterceptor(() => {
+      clearAuth()
+      showToast({
+        message: 'Session expired — please sign in again.',
+        kind: 'warn',
+        durationMs: 12_000,
+        action: {
+          label: 'Sign in',
+          onClick: () => {
+            authenticateRef.current().catch(() => {
+              // Errors already surfaced via setError + toast on failure;
+              // swallow here so the toast click doesn't bubble.
+            })
+          },
+        },
+      })
+    })
+    return () => registerAuthInterceptor(null)
+  }, [clearAuth, showToast])
+
+  const value: AuthState = {
+    status,
+    token,
+    expiresAt,
+    isAdmin,
+    publicKey: publicKey?.toBase58() ?? null,
+    authenticate,
+    disconnect,
+    error,
+  }
+
+  return <AuthSyncContext.Provider value={value}>{children}</AuthSyncContext.Provider>
+}
+
+function bytesToHex(bytes: Uint8Array): string {
+  return Array.from(bytes)
+    .map((b) => b.toString(16).padStart(2, '0'))
+    .join('')
+}
+
+function bytesToBase64(bytes: Uint8Array): string {
+  let binary = ''
+  for (let i = 0; i < bytes.length; i++) binary += String.fromCharCode(bytes[i])
+  return btoa(binary)
+}
+
+// Convert "24h" / "1h" / "300s" / "7d" relative TTL to absolute epoch seconds.
+// Falls back to now+1h for unparseable input rather than throwing — verify
+// already succeeded so we shouldn't drop the token over a parsing edge case.
+function parseExpiryToEpoch(expiresIn: string): number {
+  const match = expiresIn.match(/^(\d+)\s*(s|m|h|d)$/i)
+  const now = Math.floor(Date.now() / 1000)
+  if (!match) return now + 3600
+  const n = parseInt(match[1], 10)
+  const unit = match[2].toLowerCase() as 's' | 'm' | 'h' | 'd'
+  const mul = { s: 1, m: 60, h: 3600, d: 86400 }[unit]
+  return now + n * mul
+}
+
+interface VerifyResult {
+  token: string
+  isAdmin: boolean
+  expiresIn: string
+}
+
+interface SiwsSignResult {
+  signatureHex: string
+  signedMessageBase64: string
+}
+
+interface WalletAdapterWithSignIn {
+  signIn?: (input: {
+    domain: string
+    address: string
+    statement?: string
+    nonce: string
+  }) => Promise<{
+    signature?: Uint8Array
+    signedMessage?: Uint8Array
+  }>
+}
+
+interface WalletWithAdapter {
+  adapter?: unknown
+}
+
+function getSignInAdapter(
+  wallet: unknown,
+): WalletAdapterWithSignIn['signIn'] | null {
+  const adapter = (wallet as WalletWithAdapter | null)?.adapter as
+    | WalletAdapterWithSignIn
+    | undefined
+  if (!adapter || typeof adapter.signIn !== 'function') return null
+  return adapter.signIn.bind(adapter)
+}
+
+function walletSupportsSignIn(wallet: unknown): boolean {
+  return getSignInAdapter(wallet) !== null
+}
+
+function isUserRejection(err: unknown): boolean {
+  if (!(err instanceof Error)) return false
+  if (/reject|denied|user.*declin|cancel/i.test(err.message)) return true
+  const name = (err as { name?: string }).name
+  return Boolean(name && /reject|user/i.test(name))
+}
+
+async function trySiws(
+  wallet: unknown,
+  wallet58: string,
+  nonce: string,
+): Promise<SiwsSignResult | null> {
+  const signIn = getSignInAdapter(wallet)
+  if (!signIn) return null
+  try {
+    const result = await signIn({
+      domain: typeof window !== 'undefined' ? window.location.host : 'sipher.sip-protocol.org',
+      address: wallet58,
+      statement: 'Sign in to Sipher',
+      nonce,
+    })
+    if (!result?.signature || !result.signedMessage) return null
+    if (result.signature.length === 0 || result.signedMessage.length === 0) return null
+    return {
+      signatureHex: bytesToHex(result.signature),
+      signedMessageBase64: bytesToBase64(result.signedMessage),
+    }
+  } catch (err) {
+    if (isUserRejection(err)) throw err
+    return null
+  }
+}
+
+async function runSignMessageFlow(
+  signMessage: (message: Uint8Array) => Promise<Uint8Array>,
+  wallet58: string,
+  nonce: string,
+  message: string,
+): Promise<VerifyResult> {
+  const sig = await signMessage(new TextEncoder().encode(message))
+  const sigHex = bytesToHex(sig)
+  return verifySignature(wallet58, nonce, sigHex)
+}
diff --git a/app/src/providers/ToastProvider.tsx b/app/src/providers/ToastProvider.tsx
new file mode 100644
index 0000000..b711320
--- /dev/null
+++ b/app/src/providers/ToastProvider.tsx
@@ -0,0 +1,69 @@
+import { createContext, useCallback, useContext, useEffect, useRef, useState, ReactNode } from 'react'
+import { Toast, ToastInput } from '../components/Toast'
+
+interface ToastWithId extends ToastInput {
+  id: string
+}
+
+interface ToastContextValue {
+  show: (input: ToastInput) => string
+  dismiss: (id: string) => void
+}
+
+const ToastContext = createContext<ToastContextValue | null>(null)
+
+export function useToast(): ToastContextValue {
+  const ctx = useContext(ToastContext)
+  if (!ctx) throw new Error('useToast must be used within ToastProvider')
+  return ctx
+}
+
+export function ToastProvider({ children }: { children: ReactNode }) {
+  const [toasts, setToasts] = useState<ToastWithId[]>([])
+  const timersRef = useRef<Map<string, ReturnType<typeof setTimeout>>>(new Map())
+
+  const dismiss = useCallback((id: string) => {
+    const timer = timersRef.current.get(id)
+    if (timer) {
+      clearTimeout(timer)
+      timersRef.current.delete(id)
+    }
+    setToasts((prev) => prev.filter((t) => t.id !== id))
+  }, [])
+
+  const show = useCallback(
+    (input: ToastInput) => {
+      const id = crypto.randomUUID()
+      setToasts((prev) => [...prev, { ...input, id }])
+      const duration = input.durationMs ?? 7000
+      if (duration > 0) {
+        const timer = setTimeout(() => {
+          timersRef.current.delete(id)
+          setToasts((prev) => prev.filter((t) => t.id !== id))
+        }, duration)
+        timersRef.current.set(id, timer)
+      }
+      return id
+    },
+    [],
+  )
+
+  useEffect(() => {
+    const timers = timersRef.current
+    return () => {
+      for (const timer of timers.values()) clearTimeout(timer)
+      timers.clear()
+    }
+  }, [])
+
+  return (
+    <ToastContext.Provider value={{ show, dismiss }}>
+      {children}
+      <div className="fixed bottom-4 right-4 z-50 flex flex-col gap-2 max-w-sm">
+        {toasts.map((t) => (
+          <Toast key={t.id} toast={t} onDismiss={() => dismiss(t.id)} />
+        ))}
+      </div>
+    </ToastContext.Provider>
+  )
+}
diff --git a/app/src/providers/__tests__/AuthSyncProvider.test.tsx b/app/src/providers/__tests__/AuthSyncProvider.test.tsx
new file mode 100644
index 0000000..3d16615
--- /dev/null
+++ b/app/src/providers/__tests__/AuthSyncProvider.test.tsx
@@ -0,0 +1,837 @@
+import { describe, it, expect, vi, beforeEach, afterEach } from 'vitest'
+import { render, screen, act } from '@testing-library/react'
+import { AuthSyncProvider } from '../AuthSyncProvider'
+import { useAuthState, type AuthState } from '../../hooks/useAuthState'
+import { useAppStore } from '../../stores/app'
+
+const mockToastShow = vi.fn(() => 'toast-id')
+const mockToastDismiss = vi.fn()
+vi.mock('../ToastProvider', () => ({
+  useToast: () => ({ show: mockToastShow, dismiss: mockToastDismiss }),
+  ToastProvider: ({ children }: { children: React.ReactNode }) => children,
+}))
+
+const mockSetVisible = vi.fn()
+
+vi.mock('@solana/wallet-adapter-react', () => ({
+  useWallet: vi.fn(),
+}))
+vi.mock('@solana/wallet-adapter-react-ui', () => ({
+  useWalletModal: () => ({ setVisible: mockSetVisible, visible: false }),
+}))
+
+import { useWallet } from '@solana/wallet-adapter-react'
+
+const mockedUseWallet = useWallet as unknown as ReturnType<typeof vi.fn>
+
+function TestConsumer() {
+  const auth = useAuthState()
+  return (
+    <>
+      <span data-testid="status">{auth.status}</span>
+      <span data-testid="token">{auth.token ?? 'null'}</span>
+      <span data-testid="publicKey">{auth.publicKey ?? 'null'}</span>
+      <span data-testid="isAdmin">{auth.isAdmin ? 'yes' : 'no'}</span>
+    </>
+  )
+}
+
+function makeJwtForTest(payload: { wallet: string; exp: number; isAdmin?: boolean }): string {
+  const header = btoa(JSON.stringify({ alg: 'HS256', typ: 'JWT' }))
+  const body = btoa(JSON.stringify({ iat: payload.exp - 3600, ...payload }))
+  return `${header}.${body}.testsig`
+}
+
+describe('AuthSyncProvider — status machine', () => {
+  beforeEach(() => {
+    useAppStore.setState({ token: null, isAdmin: false, expiresAt: null }, false)
+    mockedUseWallet.mockReset()
+  })
+
+  it('reports status=unauthed when no wallet, no token', () => {
+    mockedUseWallet.mockReturnValue({
+      connected: false,
+      publicKey: null,
+      wallet: null,
+      disconnect: vi.fn(),
+    })
+    render(
+      <AuthSyncProvider>
+        <TestConsumer />
+      </AuthSyncProvider>,
+    )
+    expect(screen.getByTestId('status').textContent).toBe('unauthed')
+    expect(screen.getByTestId('token').textContent).toBe('null')
+  })
+
+  it('reports status=unauthed when wallet connected but no token', () => {
+    mockedUseWallet.mockReturnValue({
+      connected: true,
+      publicKey: { toBase58: () => 'W' },
+      wallet: null,
+      disconnect: vi.fn(),
+    })
+    render(
+      <AuthSyncProvider>
+        <TestConsumer />
+      </AuthSyncProvider>,
+    )
+    expect(screen.getByTestId('status').textContent).toBe('unauthed')
+  })
+
+  it('reports status=expired when persisted token is expired (and matches wallet)', () => {
+    const expiredToken = makeJwtForTest({ wallet: 'W', exp: 1000 })
+    useAppStore.setState({ token: expiredToken, isAdmin: false, expiresAt: 1000 }, false)
+    mockedUseWallet.mockReturnValue({
+      connected: true,
+      publicKey: { toBase58: () => 'W' },
+      wallet: null,
+      disconnect: vi.fn(),
+    })
+    render(
+      <AuthSyncProvider>
+        <TestConsumer />
+      </AuthSyncProvider>,
+    )
+    expect(screen.getByTestId('status').textContent).toBe('expired')
+  })
+
+  it('reports status=authed when wallet+token both valid and matching', () => {
+    const futureExp = Math.floor(Date.now() / 1000) + 3600
+    const validToken = makeJwtForTest({ wallet: 'W', exp: futureExp })
+    useAppStore.setState({ token: validToken, isAdmin: false, expiresAt: futureExp }, false)
+    mockedUseWallet.mockReturnValue({
+      connected: true,
+      publicKey: { toBase58: () => 'W' },
+      wallet: null,
+      disconnect: vi.fn(),
+    })
+    render(
+      <AuthSyncProvider>
+        <TestConsumer />
+      </AuthSyncProvider>,
+    )
+    expect(screen.getByTestId('status').textContent).toBe('authed')
+    expect(screen.getByTestId('token').textContent).toBe(validToken)
+  })
+
+  it('clears token if persisted wallet ≠ current wallet', () => {
+    const futureExp = Math.floor(Date.now() / 1000) + 3600
+    const tokenForA = makeJwtForTest({ wallet: 'WalletA', exp: futureExp })
+    useAppStore.setState({ token: tokenForA, isAdmin: false, expiresAt: futureExp }, false)
+    mockedUseWallet.mockReturnValue({
+      connected: true,
+      publicKey: { toBase58: () => 'WalletB' },
+      wallet: null,
+      disconnect: vi.fn(),
+    })
+    render(
+      <AuthSyncProvider>
+        <TestConsumer />
+      </AuthSyncProvider>,
+    )
+    expect(screen.getByTestId('token').textContent).toBe('null')
+    expect(screen.getByTestId('status').textContent).toBe('unauthed')
+  })
+
+  it('exposes isAdmin from store', () => {
+    const futureExp = Math.floor(Date.now() / 1000) + 3600
+    const validToken = makeJwtForTest({ wallet: 'W', exp: futureExp, isAdmin: true })
+    useAppStore.setState({ token: validToken, isAdmin: true, expiresAt: futureExp }, false)
+    mockedUseWallet.mockReturnValue({
+      connected: true,
+      publicKey: { toBase58: () => 'W' },
+      wallet: null,
+      disconnect: vi.fn(),
+    })
+    render(
+      <AuthSyncProvider>
+        <TestConsumer />
+      </AuthSyncProvider>,
+    )
+    expect(screen.getByTestId('isAdmin').textContent).toBe('yes')
+  })
+
+  it('preserves auth on initial mount when wallet has not connected yet (autoConnect race)', () => {
+    const futureExp = Math.floor(Date.now() / 1000) + 3600
+    const validToken = makeJwtForTest({ wallet: 'W', exp: futureExp })
+
+    // Persisted token is hydrated by Zustand before wallet-adapter has a
+    // chance to autoConnect. `connected` is false on first render — but
+    // we have NOT seen a connected→disconnected transition, so the auto-
+    // clear effect must NOT fire.
+    mockedUseWallet.mockReturnValue({
+      connected: false,
+      publicKey: null,
+      wallet: null,
+      signMessage: undefined,
+      disconnect: vi.fn(),
+    })
+    useAppStore.setState({ token: validToken, isAdmin: false, expiresAt: futureExp }, false)
+
+    render(
+      <AuthSyncProvider>
+        <div />
+      </AuthSyncProvider>,
+    )
+
+    expect(useAppStore.getState().token).toBe(validToken)
+    expect(useAppStore.getState().expiresAt).toBe(futureExp)
+  })
+
+  it('clears auth automatically when wallet disconnects externally', () => {
+    const futureExp = Math.floor(Date.now() / 1000) + 3600
+    const validToken = makeJwtForTest({ wallet: 'W', exp: futureExp })
+
+    // Start connected with a valid token
+    mockedUseWallet.mockReturnValue({
+      connected: true,
+      publicKey: { toBase58: () => 'W' },
+      wallet: { adapter: {} },
+      signMessage: vi.fn(),
+      disconnect: vi.fn(),
+    })
+    useAppStore.setState({ token: validToken, isAdmin: false, expiresAt: futureExp }, false)
+
+    const { rerender } = render(
+      <AuthSyncProvider>
+        <div />
+      </AuthSyncProvider>,
+    )
+    expect(useAppStore.getState().token).toBe(validToken)
+
+    // Simulate external disconnect
+    mockedUseWallet.mockReturnValue({
+      connected: false,
+      publicKey: null,
+      wallet: null,
+      signMessage: undefined,
+      disconnect: vi.fn(),
+    })
+    rerender(
+      <AuthSyncProvider>
+        <div />
+      </AuthSyncProvider>,
+    )
+
+    expect(useAppStore.getState().token).toBeNull()
+    expect(useAppStore.getState().isAdmin).toBe(false)
+    expect(useAppStore.getState().expiresAt).toBeNull()
+  })
+
+  it('throws when useAuthState used outside provider', () => {
+    const errSpy = vi.spyOn(console, 'error').mockImplementation(() => {})
+    function Bad() {
+      useAuthState()
+      return null
+    }
+    expect(() => render(<Bad />)).toThrow(/useAuthSyncContext must be used within AuthSyncProvider/)
+    errSpy.mockRestore()
+  })
+})
+
+describe('AuthSyncProvider — expiry watcher', () => {
+  const originalFetch = global.fetch
+
+  beforeEach(() => {
+    vi.useFakeTimers()
+    useAppStore.setState({ token: null, isAdmin: false, expiresAt: null }, false)
+    mockedUseWallet.mockReset()
+    global.fetch = vi.fn() as unknown as typeof fetch
+  })
+
+  afterEach(() => {
+    vi.useRealTimers()
+    global.fetch = originalFetch
+  })
+
+  it('clears token when expiry timer fires', () => {
+    const expiresInSec = 60
+    const exp = Math.floor(Date.now() / 1000) + expiresInSec
+    const tok = makeJwtForTest({ wallet: 'W', exp })
+    mockedUseWallet.mockReturnValue({
+      connected: true,
+      publicKey: { toBase58: () => 'W' },
+      wallet: { adapter: {} },
+      signMessage: vi.fn(),
+      disconnect: vi.fn(),
+    })
+    useAppStore.setState({ token: tok, isAdmin: false, expiresAt: exp }, false)
+
+    render(
+      <AuthSyncProvider>
+        <div />
+      </AuthSyncProvider>,
+    )
+    expect(useAppStore.getState().token).toBe(tok)
+
+    act(() => {
+      vi.advanceTimersByTime(expiresInSec * 1000 + 1000)
+    })
+
+    expect(useAppStore.getState().token).toBeNull()
+  })
+
+  it('attempts immediate refresh when already within 5min window', async () => {
+    const expiresInSec = 60
+    const exp = Math.floor(Date.now() / 1000) + expiresInSec
+    const oldTok = makeJwtForTest({ wallet: 'W', exp })
+    const newExp = Math.floor(Date.now() / 1000) + 86400
+    const newTok = makeJwtForTest({ wallet: 'W', exp: newExp })
+    mockedUseWallet.mockReturnValue({
+      connected: true,
+      publicKey: { toBase58: () => 'W' },
+      wallet: { adapter: {} },
+      signMessage: vi.fn(),
+      disconnect: vi.fn(),
+    })
+    // Only the FIRST refresh succeeds; subsequent calls (triggered by the
+    // re-effect after token swap schedules another refresh in the future)
+    // would only fire if we advanced the clock by 23h55m, which we don't.
+    ;(global.fetch as unknown as ReturnType<typeof vi.fn>).mockResolvedValueOnce({
+      ok: true,
+      json: async () => ({ token: newTok, expiresIn: '24h' }),
+    })
+    useAppStore.setState({ token: oldTok, isAdmin: false, expiresAt: exp }, false)
+
+    render(
+      <AuthSyncProvider>
+        <div />
+      </AuthSyncProvider>,
+    )
+
+    // Drain microtasks for the IIFE refresh promise chain (no time advance —
+    // the new long-window timers from the post-refresh re-effect must not
+    // fire in this test).
+    await act(async () => {
+      for (let i = 0; i < 10; i++) await Promise.resolve()
+    })
+
+    expect(global.fetch).toHaveBeenCalledWith(
+      '/api/auth/refresh',
+      expect.objectContaining({ method: 'POST' }),
+    )
+    expect(useAppStore.getState().token).toBe(newTok)
+  })
+
+  it('schedules refresh near expiry when JWT has more than 5min remaining', async () => {
+    const expiresInSec = 24 * 3600
+    const exp = Math.floor(Date.now() / 1000) + expiresInSec
+    const oldTok = makeJwtForTest({ wallet: 'W', exp })
+    const newExp = Math.floor(Date.now() / 1000) + expiresInSec + 24 * 3600
+    const newTok = makeJwtForTest({ wallet: 'W', exp: newExp })
+    mockedUseWallet.mockReturnValue({
+      connected: true,
+      publicKey: { toBase58: () => 'W' },
+      wallet: { adapter: {} },
+      signMessage: vi.fn(),
+      disconnect: vi.fn(),
+    })
+    ;(global.fetch as unknown as ReturnType<typeof vi.fn>).mockResolvedValue({
+      ok: true,
+      json: async () => ({ token: newTok, expiresIn: '24h' }),
+    })
+    useAppStore.setState({ token: oldTok, isAdmin: false, expiresAt: exp }, false)
+
+    render(
+      <AuthSyncProvider>
+        <div />
+      </AuthSyncProvider>,
+    )
+
+    // Should NOT refresh yet — we're far from expiry
+    await act(async () => {
+      await vi.advanceTimersByTimeAsync(60_000)
+    })
+    expect(global.fetch).not.toHaveBeenCalled()
+
+    // Advance to within the 5-minute window
+    await act(async () => {
+      await vi.advanceTimersByTimeAsync((expiresInSec - 5 * 60 - 60) * 1000 + 1000)
+    })
+    expect(global.fetch).toHaveBeenCalledWith(
+      '/api/auth/refresh',
+      expect.objectContaining({ method: 'POST' }),
+    )
+  })
+
+  it('clears token if refresh fails and expiry passes', async () => {
+    const expiresInSec = 30
+    const exp = Math.floor(Date.now() / 1000) + expiresInSec
+    const tok = makeJwtForTest({ wallet: 'W', exp })
+    mockedUseWallet.mockReturnValue({
+      connected: true,
+      publicKey: { toBase58: () => 'W' },
+      wallet: { adapter: {} },
+      signMessage: vi.fn(),
+      disconnect: vi.fn(),
+    })
+    ;(global.fetch as unknown as ReturnType<typeof vi.fn>).mockResolvedValue({
+      ok: false,
+      status: 401,
+      json: async () => ({ error: 'invalid' }),
+    })
+    useAppStore.setState({ token: tok, isAdmin: false, expiresAt: exp }, false)
+
+    render(
+      <AuthSyncProvider>
+        <div />
+      </AuthSyncProvider>,
+    )
+
+    await act(async () => {
+      await vi.advanceTimersByTimeAsync(expiresInSec * 1000 + 1000)
+    })
+
+    expect(useAppStore.getState().token).toBeNull()
+  })
+})
+
+describe('AuthSyncProvider — authenticate', () => {
+  const originalFetch = global.fetch
+
+  beforeEach(() => {
+    useAppStore.setState({ token: null, isAdmin: false, expiresAt: null }, false)
+    mockedUseWallet.mockReset()
+    global.fetch = vi.fn() as unknown as typeof fetch
+  })
+
+  afterEach(() => {
+    global.fetch = originalFetch
+  })
+
+  function captureAuth() {
+    const captured: { current: AuthState | null } = { current: null }
+    function Capture() {
+      captured.current = useAuthState()
+      return null
+    }
+    return { Capture, captured }
+  }
+
+  it('opens wallet modal when called with no wallet connected', async () => {
+    mockSetVisible.mockReset()
+    mockedUseWallet.mockReturnValue({
+      connected: false,
+      publicKey: null,
+      signMessage: undefined,
+      disconnect: vi.fn(),
+    })
+
+    const { Capture, captured } = captureAuth()
+    render(
+      <AuthSyncProvider>
+        <Capture />
+      </AuthSyncProvider>,
+    )
+    await act(async () => {
+      await captured.current!.authenticate()
+    })
+    expect(mockSetVisible).toHaveBeenCalledWith(true)
+  })
+
+  it('signMessage happy path: nonce → sign → verify → setAuth', async () => {
+    const futureExp = Math.floor(Date.now() / 1000) + 86400
+    const issuedToken = makeJwtForTest({ wallet: 'WalletA', exp: futureExp })
+    const mockSignMessage = vi.fn().mockResolvedValue(new Uint8Array([1, 2, 3, 4]))
+    mockedUseWallet.mockReturnValue({
+      connected: true,
+      publicKey: { toBase58: () => 'WalletA' },
+      signMessage: mockSignMessage,
+      disconnect: vi.fn(),
+    })
+    ;(global.fetch as unknown as ReturnType<typeof vi.fn>)
+      .mockResolvedValueOnce({
+        ok: true,
+        json: async () => ({ nonce: 'abc', message: 'sipher.sip-protocol.org wants you to sign in.\n\nNonce: abc' }),
+      })
+      .mockResolvedValueOnce({
+        ok: true,
+        json: async () => ({ token: issuedToken, isAdmin: false, expiresIn: '24h' }),
+      })
+
+    const { Capture, captured } = captureAuth()
+    render(
+      <AuthSyncProvider>
+        <Capture />
+      </AuthSyncProvider>,
+    )
+
+    await act(async () => {
+      await captured.current!.authenticate()
+    })
+
+    expect(mockSignMessage).toHaveBeenCalledOnce()
+    const state = useAppStore.getState()
+    expect(state.token).toBe(issuedToken)
+    expect(state.isAdmin).toBe(false)
+    expect(state.expiresAt).toBeGreaterThan(Math.floor(Date.now() / 1000))
+  })
+
+  it('passes through isAdmin=true from server', async () => {
+    const futureExp = Math.floor(Date.now() / 1000) + 3600
+    const adminToken = makeJwtForTest({ wallet: 'AdminWallet', exp: futureExp, isAdmin: true })
+    const mockSignMessage = vi.fn().mockResolvedValue(new Uint8Array([1, 2, 3, 4]))
+    mockedUseWallet.mockReturnValue({
+      connected: true,
+      publicKey: { toBase58: () => 'AdminWallet' },
+      signMessage: mockSignMessage,
+      disconnect: vi.fn(),
+    })
+    ;(global.fetch as unknown as ReturnType<typeof vi.fn>)
+      .mockResolvedValueOnce({ ok: true, json: async () => ({ nonce: 'a', message: 'm' }) })
+      .mockResolvedValueOnce({
+        ok: true,
+        json: async () => ({ token: adminToken, isAdmin: true, expiresIn: '1h' }),
+      })
+
+    const { Capture, captured } = captureAuth()
+    render(
+      <AuthSyncProvider>
+        <Capture />
+      </AuthSyncProvider>,
+    )
+    await act(async () => {
+      await captured.current!.authenticate()
+    })
+    expect(useAppStore.getState().isAdmin).toBe(true)
+  })
+
+  it('throws when wallet has no signMessage', async () => {
+    mockedUseWallet.mockReturnValue({
+      connected: true,
+      publicKey: { toBase58: () => 'W' },
+      signMessage: undefined,
+      disconnect: vi.fn(),
+    })
+
+    const { Capture, captured } = captureAuth()
+    render(
+      <AuthSyncProvider>
+        <Capture />
+      </AuthSyncProvider>,
+    )
+
+    await expect(
+      act(async () => {
+        await captured.current!.authenticate()
+      }),
+    ).rejects.toThrow(/doesn't support sign-in/i)
+    expect(useAppStore.getState().token).toBeNull()
+  })
+
+  it('propagates user-rejection from signMessage', async () => {
+    const rejectErr = new Error('User rejected the request')
+    const mockSignMessage = vi.fn().mockRejectedValue(rejectErr)
+    mockedUseWallet.mockReturnValue({
+      connected: true,
+      publicKey: { toBase58: () => 'W' },
+      signMessage: mockSignMessage,
+      disconnect: vi.fn(),
+    })
+    ;(global.fetch as unknown as ReturnType<typeof vi.fn>).mockResolvedValueOnce({
+      ok: true,
+      json: async () => ({ nonce: 'abc', message: 'm' }),
+    })
+
+    const { Capture, captured } = captureAuth()
+    render(
+      <AuthSyncProvider>
+        <Capture />
+      </AuthSyncProvider>,
+    )
+
+    await expect(
+      act(async () => {
+        await captured.current!.authenticate()
+      }),
+    ).rejects.toThrow(/User rejected/i)
+    expect(useAppStore.getState().token).toBeNull()
+  })
+
+  it('uses SIWS when wallet exposes signIn and server accepts', async () => {
+    const futureExp = Math.floor(Date.now() / 1000) + 3600
+    const issuedToken = makeJwtForTest({ wallet: 'PhantomWallet', exp: futureExp })
+    const mockSignIn = vi.fn().mockResolvedValue({
+      signature: new Uint8Array([1, 2, 3, 4]),
+      signedMessage: new TextEncoder().encode('siwsmsg'),
+    })
+    const mockSignMessage = vi.fn()
+    mockedUseWallet.mockReturnValue({
+      connected: true,
+      publicKey: { toBase58: () => 'PhantomWallet' },
+      wallet: { adapter: { signIn: mockSignIn } },
+      signMessage: mockSignMessage,
+      disconnect: vi.fn(),
+    })
+    ;(global.fetch as unknown as ReturnType<typeof vi.fn>)
+      .mockResolvedValueOnce({ ok: true, json: async () => ({ nonce: 'n', message: 'm' }) })
+      .mockResolvedValueOnce({
+        ok: true,
+        json: async () => ({ token: issuedToken, isAdmin: false, expiresIn: '24h' }),
+      })
+
+    const { Capture, captured } = captureAuth()
+    render(
+      <AuthSyncProvider>
+        <Capture />
+      </AuthSyncProvider>,
+    )
+    await act(async () => {
+      await captured.current!.authenticate()
+    })
+
+    expect(mockSignIn).toHaveBeenCalledOnce()
+    expect(mockSignMessage).not.toHaveBeenCalled()
+
+    const verifyCall = (global.fetch as unknown as ReturnType<typeof vi.fn>).mock.calls[1]
+    const verifyBody = JSON.parse(verifyCall[1].body as string)
+    expect(verifyBody.signedMessage).toBeTruthy()
+    expect(typeof verifyBody.signedMessage).toBe('string')
+    expect(useAppStore.getState().token).toBe(issuedToken)
+  })
+
+  it('falls back to signMessage when SIWS server returns 4xx (legacy server)', async () => {
+    const futureExp = Math.floor(Date.now() / 1000) + 3600
+    const issuedToken = makeJwtForTest({ wallet: 'PhantomWallet', exp: futureExp })
+    const mockSignIn = vi.fn().mockResolvedValue({
+      signature: new Uint8Array([1, 2, 3, 4]),
+      signedMessage: new TextEncoder().encode('siwsmsg'),
+    })
+    const mockSignMessage = vi.fn().mockResolvedValue(new Uint8Array([9, 9, 9]))
+    mockedUseWallet.mockReturnValue({
+      connected: true,
+      publicKey: { toBase58: () => 'PhantomWallet' },
+      wallet: { adapter: { signIn: mockSignIn } },
+      signMessage: mockSignMessage,
+      disconnect: vi.fn(),
+    })
+    ;(global.fetch as unknown as ReturnType<typeof vi.fn>)
+      .mockResolvedValueOnce({ ok: true, json: async () => ({ nonce: 'n', message: 'm' }) })
+      // First verify call (with signedMessage) returns 401 — legacy server
+      .mockResolvedValueOnce({
+        ok: false,
+        status: 401,
+        json: async () => ({ error: 'signature verification failed' }),
+      })
+      // Second verify call (signMessage path) succeeds
+      .mockResolvedValueOnce({
+        ok: true,
+        json: async () => ({ token: issuedToken, isAdmin: false, expiresIn: '24h' }),
+      })
+
+    const { Capture, captured } = captureAuth()
+    render(
+      <AuthSyncProvider>
+        <Capture />
+      </AuthSyncProvider>,
+    )
+    await act(async () => {
+      await captured.current!.authenticate()
+    })
+
+    expect(mockSignIn).toHaveBeenCalledOnce()
+    expect(mockSignMessage).toHaveBeenCalledOnce()
+    expect(useAppStore.getState().token).toBe(issuedToken)
+  })
+
+  it('falls back to signMessage when SIWS returns no signature', async () => {
+    const futureExp = Math.floor(Date.now() / 1000) + 3600
+    const issuedToken = makeJwtForTest({ wallet: 'JupiterWallet', exp: futureExp })
+    const mockSignIn = vi.fn().mockResolvedValue({})
+    const mockSignMessage = vi.fn().mockResolvedValue(new Uint8Array([7, 8, 9]))
+    mockedUseWallet.mockReturnValue({
+      connected: true,
+      publicKey: { toBase58: () => 'JupiterWallet' },
+      wallet: { adapter: { signIn: mockSignIn } },
+      signMessage: mockSignMessage,
+      disconnect: vi.fn(),
+    })
+    ;(global.fetch as unknown as ReturnType<typeof vi.fn>)
+      .mockResolvedValueOnce({ ok: true, json: async () => ({ nonce: 'n', message: 'm' }) })
+      .mockResolvedValueOnce({
+        ok: true,
+        json: async () => ({ token: issuedToken, isAdmin: false, expiresIn: '24h' }),
+      })
+
+    const { Capture, captured } = captureAuth()
+    render(
+      <AuthSyncProvider>
+        <Capture />
+      </AuthSyncProvider>,
+    )
+    await act(async () => {
+      await captured.current!.authenticate()
+    })
+
+    expect(mockSignIn).toHaveBeenCalledOnce()
+    expect(mockSignMessage).toHaveBeenCalledOnce()
+    expect(useAppStore.getState().token).toBe(issuedToken)
+  })
+
+  it('falls back to signMessage when SIWS throws non-rejection error', async () => {
+    const futureExp = Math.floor(Date.now() / 1000) + 3600
+    const issuedToken = makeJwtForTest({ wallet: 'W', exp: futureExp })
+    const mockSignIn = vi.fn().mockRejectedValue(new Error('signIn not implemented'))
+    const mockSignMessage = vi.fn().mockResolvedValue(new Uint8Array([5, 5, 5]))
+    mockedUseWallet.mockReturnValue({
+      connected: true,
+      publicKey: { toBase58: () => 'W' },
+      wallet: { adapter: { signIn: mockSignIn } },
+      signMessage: mockSignMessage,
+      disconnect: vi.fn(),
+    })
+    ;(global.fetch as unknown as ReturnType<typeof vi.fn>)
+      .mockResolvedValueOnce({ ok: true, json: async () => ({ nonce: 'n', message: 'm' }) })
+      .mockResolvedValueOnce({
+        ok: true,
+        json: async () => ({ token: issuedToken, isAdmin: false, expiresIn: '1h' }),
+      })
+
+    const { Capture, captured } = captureAuth()
+    render(
+      <AuthSyncProvider>
+        <Capture />
+      </AuthSyncProvider>,
+    )
+    await act(async () => {
+      await captured.current!.authenticate()
+    })
+
+    expect(mockSignMessage).toHaveBeenCalledOnce()
+    expect(useAppStore.getState().token).toBe(issuedToken)
+  })
+
+  it('propagates user rejection from SIWS without falling through', async () => {
+    const rejectErr = new Error('User rejected the request')
+    const mockSignIn = vi.fn().mockRejectedValue(rejectErr)
+    const mockSignMessage = vi.fn()
+    mockedUseWallet.mockReturnValue({
+      connected: true,
+      publicKey: { toBase58: () => 'W' },
+      wallet: { adapter: { signIn: mockSignIn } },
+      signMessage: mockSignMessage,
+      disconnect: vi.fn(),
+    })
+    ;(global.fetch as unknown as ReturnType<typeof vi.fn>).mockResolvedValueOnce({
+      ok: true,
+      json: async () => ({ nonce: 'n', message: 'm' }),
+    })
+
+    const { Capture, captured } = captureAuth()
+    render(
+      <AuthSyncProvider>
+        <Capture />
+      </AuthSyncProvider>,
+    )
+
+    await expect(
+      act(async () => {
+        await captured.current!.authenticate()
+      }),
+    ).rejects.toThrow(/User rejected/i)
+    expect(mockSignMessage).not.toHaveBeenCalled()
+    expect(useAppStore.getState().token).toBeNull()
+  })
+
+  it('disconnect() calls wallet.disconnect AND clears auth', async () => {
+    const futureExp = Math.floor(Date.now() / 1000) + 3600
+    const validToken = makeJwtForTest({ wallet: 'W', exp: futureExp })
+    useAppStore.setState({ token: validToken, isAdmin: true, expiresAt: futureExp }, false)
+
+    const mockDisconnect = vi.fn().mockResolvedValue(undefined)
+    mockedUseWallet.mockReturnValue({
+      connected: true,
+      publicKey: { toBase58: () => 'W' },
+      wallet: { adapter: {} },
+      signMessage: vi.fn(),
+      disconnect: mockDisconnect,
+    })
+
+    const { Capture, captured } = captureAuth()
+    render(
+      <AuthSyncProvider>
+        <Capture />
+      </AuthSyncProvider>,
+    )
+
+    await act(async () => {
+      await captured.current!.disconnect()
+    })
+
+    expect(mockDisconnect).toHaveBeenCalled()
+    const state = useAppStore.getState()
+    expect(state.token).toBeNull()
+    expect(state.isAdmin).toBe(false)
+    expect(state.expiresAt).toBeNull()
+  })
+
+  it('disconnect() still clears auth when walletDisconnect throws', async () => {
+    const futureExp = Math.floor(Date.now() / 1000) + 3600
+    const validToken = makeJwtForTest({ wallet: 'W', exp: futureExp })
+    useAppStore.setState({ token: validToken, isAdmin: false, expiresAt: futureExp }, false)
+
+    const mockDisconnect = vi.fn().mockRejectedValue(new Error('extension closed'))
+    mockedUseWallet.mockReturnValue({
+      connected: true,
+      publicKey: { toBase58: () => 'W' },
+      wallet: { adapter: {} },
+      signMessage: vi.fn(),
+      disconnect: mockDisconnect,
+    })
+
+    const { Capture, captured } = captureAuth()
+    render(
+      <AuthSyncProvider>
+        <Capture />
+      </AuthSyncProvider>,
+    )
+
+    await expect(
+      act(async () => {
+        await captured.current!.disconnect()
+      }),
+    ).rejects.toThrow(/extension closed/)
+    expect(useAppStore.getState().token).toBeNull()
+  })
+
+  it('reports status=connecting while authenticate runs', async () => {
+    const futureExp = Math.floor(Date.now() / 1000) + 3600
+    const okToken = makeJwtForTest({ wallet: 'W', exp: futureExp })
+    let resolveSign: ((s: Uint8Array) => void) | null = null
+    const mockSignMessage = vi.fn().mockReturnValue(
+      new Promise<Uint8Array>((resolve) => {
+        resolveSign = resolve
+      }),
+    )
+    mockedUseWallet.mockReturnValue({
+      connected: true,
+      publicKey: { toBase58: () => 'W' },
+      signMessage: mockSignMessage,
+      disconnect: vi.fn(),
+    })
+    ;(global.fetch as unknown as ReturnType<typeof vi.fn>)
+      .mockResolvedValueOnce({ ok: true, json: async () => ({ nonce: 'a', message: 'm' }) })
+      .mockResolvedValueOnce({ ok: true, json: async () => ({ token: okToken, isAdmin: false, expiresIn: '1h' }) })
+
+    const { Capture, captured } = captureAuth()
+    render(
+      <AuthSyncProvider>
+        <Capture />
+      </AuthSyncProvider>,
+    )
+
+    let pending: Promise<void> | null = null
+    await act(async () => {
+      pending = captured.current!.authenticate()
+      await Promise.resolve()
+    })
+    expect(captured.current!.status).toBe('connecting')
+
+    await act(async () => {
+      resolveSign!(new Uint8Array([1, 2, 3]))
+      await pending!
+    })
+    expect(captured.current!.status).toBe('authed')
+  })
+})
diff --git a/app/src/providers/__tests__/ToastProvider.test.tsx b/app/src/providers/__tests__/ToastProvider.test.tsx
new file mode 100644
index 0000000..3e43936
--- /dev/null
+++ b/app/src/providers/__tests__/ToastProvider.test.tsx
@@ -0,0 +1,121 @@
+import { describe, it, expect, vi, afterEach } from 'vitest'
+import { render, screen, fireEvent, act } from '@testing-library/react'
+import { ToastProvider, useToast } from '../ToastProvider'
+
+function TriggerButton({ input }: { input: Parameters<ReturnType<typeof useToast>['show']>[0] }) {
+  const { show } = useToast()
+  return <button onClick={() => show(input)}>Trigger</button>
+}
+
+afterEach(() => {
+  vi.useRealTimers()
+})
+
+describe('ToastProvider', () => {
+  it('renders children', () => {
+    render(
+      <ToastProvider>
+        <span>child</span>
+      </ToastProvider>,
+    )
+    expect(screen.getByText('child')).toBeInTheDocument()
+  })
+
+  it('shows toast when show() called', () => {
+    render(
+      <ToastProvider>
+        <TriggerButton input={{ message: 'Hello world', kind: 'info' }} />
+      </ToastProvider>,
+    )
+    fireEvent.click(screen.getByText('Trigger'))
+    expect(screen.getByText('Hello world')).toBeInTheDocument()
+  })
+
+  it('renders action button if action provided', () => {
+    const onAction = vi.fn()
+    render(
+      <ToastProvider>
+        <TriggerButton
+          input={{
+            message: 'Session expired',
+            kind: 'warn',
+            action: { label: 'Sign in', onClick: onAction },
+          }}
+        />
+      </ToastProvider>,
+    )
+    fireEvent.click(screen.getByText('Trigger'))
+    const actionButton = screen.getByText('Sign in')
+    expect(actionButton).toBeInTheDocument()
+
+    fireEvent.click(actionButton)
+    expect(onAction).toHaveBeenCalledTimes(1)
+    expect(screen.queryByText('Session expired')).not.toBeInTheDocument()
+  })
+
+  it('dismisses toast on close button click', () => {
+    render(
+      <ToastProvider>
+        <TriggerButton input={{ message: 'Bye', kind: 'info' }} />
+      </ToastProvider>,
+    )
+    fireEvent.click(screen.getByText('Trigger'))
+    expect(screen.getByText('Bye')).toBeInTheDocument()
+
+    const dismissBtn = screen.getByLabelText('Dismiss')
+    fireEvent.click(dismissBtn)
+    expect(screen.queryByText('Bye')).not.toBeInTheDocument()
+  })
+
+  it('auto-dismisses after default 7 seconds', () => {
+    vi.useFakeTimers()
+    render(
+      <ToastProvider>
+        <TriggerButton input={{ message: 'Auto', kind: 'info' }} />
+      </ToastProvider>,
+    )
+    fireEvent.click(screen.getByText('Trigger'))
+    expect(screen.getByText('Auto')).toBeInTheDocument()
+
+    act(() => {
+      vi.advanceTimersByTime(7000)
+    })
+    expect(screen.queryByText('Auto')).not.toBeInTheDocument()
+  })
+
+  it('does not auto-dismiss when durationMs is 0', () => {
+    vi.useFakeTimers()
+    render(
+      <ToastProvider>
+        <TriggerButton input={{ message: 'Sticky', kind: 'error', durationMs: 0 }} />
+      </ToastProvider>,
+    )
+    fireEvent.click(screen.getByText('Trigger'))
+
+    act(() => {
+      vi.advanceTimersByTime(60_000)
+    })
+    expect(screen.getByText('Sticky')).toBeInTheDocument()
+  })
+
+  it('uses warn styles for kind=warn', () => {
+    render(
+      <ToastProvider>
+        <TriggerButton input={{ message: 'Warn me', kind: 'warn' }} />
+      </ToastProvider>,
+    )
+    fireEvent.click(screen.getByText('Trigger'))
+    const toast = screen.getByText('Warn me').closest('[role="status"]')
+    expect(toast).toHaveClass('bg-amber-950/90')
+  })
+
+  it('throws when useToast called outside provider', () => {
+    const errSpy = vi.spyOn(console, 'error').mockImplementation(() => {})
+    function Bad() {
+      useToast()
+      return null
+    }
+    expect(() => render(<Bad />)).toThrow(/useToast must be used within ToastProvider/)
+    errSpy.mockRestore()
+  })
+})
diff --git a/app/src/stores/app.ts b/app/src/stores/app.ts
index 84ddb1e..cf07a3f 100644
--- a/app/src/stores/app.ts
+++ b/app/src/stores/app.ts
@@ -30,7 +30,8 @@ interface AppState {
 
   token: string | null
   isAdmin: boolean
-  setAuth: (token: string, isAdmin: boolean) => void
+  expiresAt: number | null
+  setAuth: (token: string, isAdmin: boolean, expiresAt?: number | null) => void
   clearAuth: () => void
 
   messages: ChatMessage[]
@@ -58,8 +59,10 @@ export const useAppStore = create<AppState>()(
 
       token: null,
       isAdmin: false,
-      setAuth: (token, isAdmin) => set({ token, isAdmin }),
-      clearAuth: () => set({ token: null, isAdmin: false, messages: [], activeView: 'dashboard' }),
+      expiresAt: null,
+      setAuth: (token, isAdmin, expiresAt = null) => set({ token, isAdmin, expiresAt }),
+      clearAuth: () =>
+        set({ token: null, isAdmin: false, expiresAt: null, messages: [], activeView: 'dashboard' }),
 
       messages: [],
       chatLoading: false,
@@ -122,8 +125,15 @@ export const useAppStore = create<AppState>()(
     }),
     {
       name: 'sipher-auth',
+      version: 1,
       storage: createJSONStorage(() => localStorage),
-      partialize: (s) => ({ token: s.token, isAdmin: s.isAdmin }),
+      partialize: (s) => ({ token: s.token, isAdmin: s.isAdmin, expiresAt: s.expiresAt }),
+      migrate: (persistedState, fromVersion) => {
+        if (fromVersion === 0) {
+          return { ...(persistedState as object), token: null, isAdmin: false, expiresAt: null }
+        }
+        return persistedState as Partial<AppState>
+      },
     }
   )
 )
diff --git a/app/src/views/DashboardView.tsx b/app/src/views/DashboardView.tsx
index ef2b4ae..28ea50e 100644
--- a/app/src/views/DashboardView.tsx
+++ b/app/src/views/DashboardView.tsx
@@ -8,7 +8,7 @@ import {
 import { apiFetch } from '../api/client'
 import { useAppStore } from '../stores/app'
 import { type ActivityEvent } from '../hooks/useSSE'
-import { useIsAdmin } from '../hooks/useIsAdmin'
+import { useAuthState } from '../hooks/useAuthState'
 import AdminOnly from '../components/AdminOnly'
 import MetricCard from '../components/MetricCard'
 import ActivityEntry from '../components/ActivityEntry'
@@ -58,14 +58,8 @@ function parseDetail(detail: unknown): Record<string, unknown> {
   return (detail as Record<string, unknown>) ?? {}
 }
 
-export default function DashboardView({
-  events,
-  token,
-}: {
-  events: ActivityEvent[]
-  token: string | null
-}) {
-  const isAdmin = useIsAdmin()
+export default function DashboardView({ events }: { events: ActivityEvent[] }) {
+  const { token, isAdmin } = useAuthState()
   const seedChat = useAppStore((s) => s.seedChat)
   const [vault, setVault] = useState<VaultData | null>(null)
   const [health, setHealth] = useState<HealthData | null>(null)
@@ -80,14 +74,12 @@ export default function DashboardView({
   const fetchPrivacyScore = useCallback(async (signal?: AbortSignal) => {
     if (!wallet || !token) return
     try {
-      const res = await fetch(`${import.meta.env.VITE_API_URL ?? ''}/v1/privacy/score`, {
+      const json = await apiFetch<{ data: PrivacyData }>('/v1/privacy/score', {
         method: 'POST',
-        headers: { 'Content-Type': 'application/json', Authorization: `Bearer ${token}` },
+        token,
         body: JSON.stringify({ address: wallet, limit: 100 }),
         signal,
       })
-      if (!res.ok) throw new Error(`HTTP ${res.status}`)
-      const json = await res.json()
       setPrivacyData(json.data)
       setPrivacyError(null)
     } catch (err) {
diff --git a/app/src/views/VaultView.tsx b/app/src/views/VaultView.tsx
index f16c2bf..2d59b76 100644
--- a/app/src/views/VaultView.tsx
+++ b/app/src/views/VaultView.tsx
@@ -16,6 +16,7 @@ import {
 import AmountForm from '../components/AmountForm'
 import ConfirmCard from '../components/ConfirmCard'
 import { useAppStore } from '../stores/app'
+import { useAuthState } from '../hooks/useAuthState'
 
 interface TokenBalance {
   mint: string
@@ -72,7 +73,8 @@ function extractAmount(row: ActivityRow): string {
   return match ? `${match[1]} SOL` : ''
 }
 
-export default function VaultView({ token }: { token: string | null }) {
+export default function VaultView() {
+  const { token } = useAuthState()
   const [data, setData] = useState<VaultData | null>(null)
   const [loading, setLoading] = useState(false)
   const [error, setError] = useState(false)
diff --git a/app/src/views/__tests__/VaultView-actions.test.tsx b/app/src/views/__tests__/VaultView-actions.test.tsx
index b2f8844..11464c8 100644
--- a/app/src/views/__tests__/VaultView-actions.test.tsx
+++ b/app/src/views/__tests__/VaultView-actions.test.tsx
@@ -4,6 +4,27 @@ import userEvent from '@testing-library/user-event'
 import { useAppStore } from '../../stores/app'
 import VaultView from '../VaultView'
 
+vi.mock('../../hooks/useAuthState', async () => {
+  const { useAppStore: store } = await vi.importActual<
+    typeof import('../../stores/app')
+  >('../../stores/app')
+  return {
+    useAuthState: () => {
+      const t = store.getState().token
+      return {
+        status: t ? ('authed' as const) : ('unauthed' as const),
+        token: t,
+        expiresAt: null,
+        isAdmin: store.getState().isAdmin,
+        publicKey: null,
+        authenticate: () => Promise.resolve(),
+        disconnect: () => Promise.resolve(),
+        error: null,
+      }
+    },
+  }
+})
+
 describe('VaultView Deposit/Withdraw flow', () => {
   beforeEach(() => {
     useAppStore.setState({
@@ -26,13 +47,13 @@ describe('VaultView Deposit/Withdraw flow', () => {
   })
 
   it('shows Deposit and Withdraw buttons initially', async () => {
-    render(<VaultView token="test-token" />)
+    render(<VaultView />)
     expect(await screen.findByRole('button', { name: /deposit/i })).toBeInTheDocument()
     expect(screen.getByRole('button', { name: /withdraw/i })).toBeInTheDocument()
   })
 
   it('opens AmountForm on Deposit click', async () => {
-    render(<VaultView token="test-token" />)
+    render(<VaultView />)
     await userEvent.click(await screen.findByRole('button', { name: /deposit/i }))
     expect(screen.getByText(/deposit amount/i)).toBeInTheDocument()
   })
@@ -40,7 +61,7 @@ describe('VaultView Deposit/Withdraw flow', () => {
   it('moves through 3-step flow and calls seedChat on confirm', async () => {
     const seedChat = vi.fn()
     useAppStore.setState({ seedChat })
-    render(<VaultView token="test-token" />)
+    render(<VaultView />)
     await userEvent.click(await screen.findByRole('button', { name: /deposit/i }))
     await userEvent.type(screen.getByRole('spinbutton'), '1')
     await userEvent.click(screen.getByRole('button', { name: /continue/i }))
diff --git a/e2e/fixtures/auth.ts b/e2e/fixtures/auth.ts
index 467df21..b11f994 100644
--- a/e2e/fixtures/auth.ts
+++ b/e2e/fixtures/auth.ts
@@ -22,6 +22,20 @@ export interface LoginResult {
   token: string
   isAdmin: boolean
   wallet: string
+  expiresAt: number | null
+}
+
+function decodeJwtExp(token: string): number | null {
+  const parts = token.split('.')
+  if (parts.length !== 3) return null
+  try {
+    const padded = parts[1] + '='.repeat((4 - (parts[1].length % 4)) % 4)
+    const json = Buffer.from(padded.replace(/-/g, '+').replace(/_/g, '/'), 'base64').toString('utf-8')
+    const payload = JSON.parse(json) as { exp?: number }
+    return typeof payload.exp === 'number' ? payload.exp : null
+  } catch {
+    return null
+  }
 }
 
 export async function mintAdminJwt(
@@ -59,5 +73,5 @@ export async function mintAdminJwt(
     token: string
     isAdmin: boolean
   }
-  return { token, isAdmin, wallet }
+  return { token, isAdmin, wallet, expiresAt: decodeJwtExp(token) }
 }
diff --git a/e2e/global-setup.ts b/e2e/global-setup.ts
index a34fcf3..dd26e56 100644
--- a/e2e/global-setup.ts
+++ b/e2e/global-setup.ts
@@ -18,14 +18,17 @@ export default async function globalSetup(): Promise<void> {
     )
   }
 
-  const { token, isAdmin, wallet } = await mintAdminJwt(keypairPath, BACKEND_BASE)
+  const { token, isAdmin, wallet, expiresAt } = await mintAdminJwt(keypairPath, BACKEND_BASE)
   if (!isAdmin) {
     throw new Error(`Minted JWT for ${wallet} is not admin. Check AUTHORIZED_WALLETS env.`)
   }
 
+  // Match the persist version + shape used by app/src/stores/app.ts. Older
+  // versions are nuked by the v0->v1 migrate, which clears the token and
+  // forces a fresh sign-in — that breaks the authenticated specs.
   const zustandPayload = {
-    state: { token, isAdmin },
-    version: 0,
+    state: { token, isAdmin, expiresAt },
+    version: 1,
   }
 
   const storageState = {