diff --git a/.env.local.example b/.env.local.example
new file mode 100644
index 0000000..5c215b9
--- /dev/null
+++ b/.env.local.example
@@ -0,0 +1,20 @@
+# York Factory OAuth (Doorkeeper) — draft preview mode
+# Run `bin/rails db:seed` in york_factory to create the TradingPost OAuth
+# application and print the client_id / client_secret.
+#
+# Local development values:
+YF_OAUTH_URL=http://localhost:3000
+YF_OAUTH_CLIENT_ID=your-client-id
+YF_OAUTH_CLIENT_SECRET=your-client-secret
+YF_OAUTH_CALLBACK_URL=http://localhost:5050/api/auth/callback
+#
+# Production values (set in the buildcanada.com deployment env):
+#   YF_OAUTH_URL=https://auth.buildcanada.com
+#   YF_OAUTH_CLIENT_ID=<from york_factory db:seed>
+#   YF_OAUTH_CLIENT_SECRET=<from york_factory db:seed>
+#   YF_OAUTH_CALLBACK_URL=https://www.buildcanada.com/api/auth/callback
+
+# York Factory API base URL (data API — memos, posts, etc.)
+# Local: http://localhost:3000/api/v1
+# Production: https://yorkfactory.buildcanada.com/api/v1
+YORK_FACTORY_API_URL=http://localhost:3000/api/v1
diff --git a/src/app/api/auth/callback/route.ts b/src/app/api/auth/callback/route.ts
new file mode 100644
index 0000000..8e6569d
--- /dev/null
+++ b/src/app/api/auth/callback/route.ts
@@ -0,0 +1,66 @@
+import { NextRequest, NextResponse } from "next/server";
+import {
+  oauthConfig,
+  safeRedirectPath,
+  setSessionCookies,
+  type TokenResponse,
+} from "@/lib/oauth";
+
+export async function GET(request: NextRequest) {
+  const { url, callbackUrl, clientId, clientSecret } = oauthConfig();
+  const { searchParams } = request.nextUrl;
+  const code = searchParams.get("code");
+  const state = searchParams.get("state");
+  const error = searchParams.get("error");
+
+  const siteUrl = new URL(request.url).origin;
+
+  if (error) {
+    return NextResponse.redirect(`${siteUrl}/?preview_error=oauth_denied`);
+  }
+
+  if (!code || !state) {
+    return NextResponse.redirect(`${siteUrl}/?preview_error=invalid_callback`);
+  }
+
+  const storedState = request.cookies.get("oauth_state")?.value;
+  const redirectTo = safeRedirectPath(
+    request.cookies.get("oauth_redirect")?.value,
+  );
+
+  if (!storedState || state !== storedState) {
+    return NextResponse.redirect(`${siteUrl}/?preview_error=state_mismatch`);
+  }
+
+  const tokenRes = await fetch(`${url}/oauth/token`, {
+    method: "POST",
+    headers: { "Content-Type": "application/x-www-form-urlencoded" },
+    body: new URLSearchParams({
+      grant_type: "authorization_code",
+      code,
+      redirect_uri: callbackUrl,
+      client_id: clientId,
+      client_secret: clientSecret,
+    }).toString(),
+    cache: "no-store",
+  });
+
+  if (!tokenRes.ok) {
+    return NextResponse.redirect(
+      `${siteUrl}/?preview_error=token_exchange_failed`,
+    );
+  }
+
+  const tokenData = (await tokenRes.json()) as TokenResponse;
+
+  const response = NextResponse.redirect(`${siteUrl}${redirectTo}`);
+  response.cookies.delete("oauth_state");
+  response.cookies.delete("oauth_redirect");
+
+  // Store the access token (+ refresh token for silent renewal). Identity and
+  // admin status are resolved live from /me when needed (see lib/auth.ts) —
+  // never baked into a cookie that could go stale.
+  setSessionCookies(response, tokenData);
+
+  return response;
+}
diff --git a/src/app/api/auth/login/route.ts b/src/app/api/auth/login/route.ts
new file mode 100644
index 0000000..09c2273
--- /dev/null
+++ b/src/app/api/auth/login/route.ts
@@ -0,0 +1,42 @@
+import { randomBytes } from "crypto";
+import { NextRequest, NextResponse } from "next/server";
+import { oauthConfig, safeRedirectPath } from "@/lib/oauth";
+
+export async function GET(request: NextRequest) {
+  const { url, callbackUrl, clientId } = oauthConfig();
+
+  if (!clientId) {
+    return NextResponse.json({ error: "OAuth not configured" }, { status: 503 });
+  }
+
+  const state = randomBytes(16).toString("hex");
+  const redirectTo = safeRedirectPath(
+    request.nextUrl.searchParams.get("redirect"),
+  );
+
+  const authorizeUrl = new URL(`${url}/oauth/authorize`);
+  authorizeUrl.searchParams.set("client_id", clientId);
+  authorizeUrl.searchParams.set("redirect_uri", callbackUrl);
+  authorizeUrl.searchParams.set("response_type", "code");
+  authorizeUrl.searchParams.set("state", state);
+
+  const isSecure = process.env.NODE_ENV === "production";
+  const response = NextResponse.redirect(authorizeUrl.toString());
+
+  response.cookies.set("oauth_state", state, {
+    httpOnly: true,
+    secure: isSecure,
+    sameSite: "lax",
+    maxAge: 60 * 10,
+    path: "/",
+  });
+  response.cookies.set("oauth_redirect", redirectTo, {
+    httpOnly: true,
+    secure: isSecure,
+    sameSite: "lax",
+    maxAge: 60 * 10,
+    path: "/",
+  });
+
+  return response;
+}
diff --git a/src/app/api/auth/logout/route.ts b/src/app/api/auth/logout/route.ts
new file mode 100644
index 0000000..5be087b
--- /dev/null
+++ b/src/app/api/auth/logout/route.ts
@@ -0,0 +1,50 @@
+import { NextRequest, NextResponse } from "next/server";
+import {
+  ACCESS_TOKEN_COOKIE,
+  REFRESH_TOKEN_COOKIE,
+  clearSessionCookies,
+  oauthConfig,
+} from "@/lib/oauth";
+
+export async function POST(request: NextRequest) {
+  const { url, clientId, clientSecret } = oauthConfig();
+  const siteUrl = new URL(request.url).origin;
+
+  // CSRF guard: a same-origin form POST sends an Origin header matching our own
+  // origin. Reject anything cross-site so logout can't be forced from another
+  // site. (Logout is POST-only for the same reason — no GET vector.)
+  const origin = request.headers.get("origin");
+  if (origin && origin !== siteUrl) {
+    return NextResponse.json({ error: "Forbidden" }, { status: 403 });
+  }
+
+  // Revoke both tokens server-side so logout isn't just a client-side cookie
+  // drop — a leaked token shouldn't outlive the session.
+  if (clientId && clientSecret) {
+    const tokens = [
+      request.cookies.get(ACCESS_TOKEN_COOKIE)?.value,
+      request.cookies.get(REFRESH_TOKEN_COOKIE)?.value,
+    ].filter(Boolean) as string[];
+
+    await Promise.all(
+      tokens.map((token) =>
+        fetch(`${url}/oauth/revoke`, {
+          method: "POST",
+          headers: { "Content-Type": "application/x-www-form-urlencoded" },
+          body: new URLSearchParams({
+            token,
+            client_id: clientId,
+            client_secret: clientSecret,
+          }).toString(),
+          cache: "no-store",
+        }).catch(() => {}),
+      ),
+    );
+  }
+
+  // 303 See Other so the browser issues a GET to /memos after the POST.
+  const response = NextResponse.redirect(`${siteUrl}/memos`, 303);
+  clearSessionCookies(response);
+
+  return response;
+}
diff --git a/src/app/api/auth/me/route.ts b/src/app/api/auth/me/route.ts
new file mode 100644
index 0000000..9024276
--- /dev/null
+++ b/src/app/api/auth/me/route.ts
@@ -0,0 +1,13 @@
+import { NextResponse } from "next/server";
+import { getCurrentUser } from "@/lib/auth";
+
+// Surfaces the signed-in user's identity to the browser for PostHog identify.
+// The access token stays httpOnly on the server; only non-sensitive identity
+// fields cross to the client. Returns { user: null } when not signed in.
+export async function GET() {
+  const user = await getCurrentUser();
+  return NextResponse.json(
+    { user },
+    { headers: { "Cache-Control": "no-store" } },
+  );
+}
diff --git a/src/app/layout.tsx b/src/app/layout.tsx
index d52d8d3..5406e6a 100644
--- a/src/app/layout.tsx
+++ b/src/app/layout.tsx
@@ -7,6 +7,7 @@ import ScrollToTop from "@/components/ScrollToTop";
 import ThemeShell from "@/components/ThemeShell";
 import { Toaster } from "sonner";
 import { SubscribeModal } from "@/components/subscribe";
+import { IdentifyUser } from "@/components/auth/IdentifyUser";
 
 const GA_ID = process.env.NEXT_PUBLIC_GA_MEASUREMENT_ID;
 
@@ -73,6 +74,7 @@ export default function RootLayout({
         </ThemeShell>
         <Toaster position="bottom-right" />
         <SubscribeModal />
+        <IdentifyUser />
       </body>
     </html>
   );
diff --git a/src/app/memos/[slug]/DraftPreviewBanner.tsx b/src/app/memos/[slug]/DraftPreviewBanner.tsx
new file mode 100644
index 0000000..65f2d41
--- /dev/null
+++ b/src/app/memos/[slug]/DraftPreviewBanner.tsx
@@ -0,0 +1,47 @@
+type BannerState = "viewing-draft" | "draft-not-found";
+
+interface DraftPreviewBannerProps {
+  state: BannerState;
+  slug: string;
+}
+
+// Logout is a POST form (not a link) so it can't be triggered cross-site via
+// <img>/<a>. Combined with the route's same-origin check, this prevents CSRF
+// force-logout. display:contents keeps the form transparent to the flex layout
+// so the button behaves like the link it replaces.
+function ExitPreviewButton({
+  className,
+  label,
+}: {
+  className: string;
+  label: string;
+}) {
+  return (
+    <form action="/api/auth/logout" method="post" className="contents">
+      <button
+        type="submit"
+        className={`${className} [font:inherit] text-inherit cursor-pointer border-0 bg-transparent p-0`}
+      >
+        {label}
+      </button>
+    </form>
+  );
+}
+
+export function DraftPreviewBanner({ state }: DraftPreviewBannerProps) {
+  if (state === "viewing-draft") {
+    return (
+      <div className="w-full bg-amber-500 text-white text-sm px-4 py-2 flex items-center justify-between">
+        <span className="font-medium">DRAFT — not yet published</span>
+        <ExitPreviewButton className="underline" label="Exit preview" />
+      </div>
+    );
+  }
+
+  return (
+    <div className="w-full border border-amber-400 bg-amber-50 text-amber-900 text-sm px-4 py-3 flex items-center gap-2">
+      <span>No draft found for this slug.</span>
+      <ExitPreviewButton className="underline ml-auto" label="Exit preview mode" />
+    </div>
+  );
+}
diff --git a/src/app/memos/[slug]/page.tsx b/src/app/memos/[slug]/page.tsx
index 25f96c5..2a02bdb 100644
--- a/src/app/memos/[slug]/page.tsx
+++ b/src/app/memos/[slug]/page.tsx
@@ -10,6 +10,20 @@ import { buildGraph } from "@/lib/schemas/graph";
 import { generateArticleSchema } from "@/lib/schemas/generators/article";
 import { generateBreadcrumbSchema } from "@/lib/schemas/generators/breadcrumb";
 import { generateOrganizationSchema } from "@/lib/schemas/generators/organization";
+import { DraftPreviewBanner } from "./DraftPreviewBanner";
+import { setAccessToken } from "@/lib/auth-token";
+import { getCurrentUser, getAccessTokenCookie } from "@/lib/auth";
+
+// Draft preview is gated on the signed-in user actually being an admin (live
+// from /me), never on a baked cookie. When they are, we hand apiFetch the
+// access token so it fetches drafts; otherwise the request store stays empty
+// and only published content is returned.
+async function resolveAccessToken(): Promise<string | undefined> {
+  const user = await getCurrentUser();
+  const token = user?.admin ? await getAccessTokenCookie() : undefined;
+  setAccessToken(token);
+  return token;
+}
 
 export async function generateStaticParams() {
   try {
@@ -26,6 +40,8 @@ export async function generateMetadata({
   params: Promise<{ slug: string }>;
 }): Promise<Metadata> {
   const { slug } = await params;
+  // Prime the request-scoped token so draft metadata resolves for admins.
+  await resolveAccessToken();
   let memo;
   try {
     memo = await fetchMemo(slug);
@@ -64,11 +80,27 @@ export default async function MemoDetailPage({
   params: Promise<{ slug: string }>;
 }) {
   const { slug } = await params;
+
+  const accessToken = await resolveAccessToken();
+
   let memo;
   try {
     memo = await fetchMemo(slug);
   } catch {
-    notFound();
+    if (!accessToken) notFound();
+
+    return (
+      <div className="mx-[10px] my-[10px] border border-border-light bg-bg">
+        <div className="max-w-[720px] mx-auto px-[5vw] md:px-[10vw] py-24 flex flex-col items-center gap-8 text-center">
+          <p className="type-label text-text-secondary">404</p>
+          <h1 className="type-title">Memo not found</h1>
+          <p className="type-body text-text-secondary">
+            This memo doesn&apos;t exist or hasn&apos;t been published yet.
+          </p>
+          <DraftPreviewBanner state="draft-not-found" slug={slug} />
+        </div>
+      </div>
+    );
   }
 
   if (memo.slug !== slug) {
@@ -141,6 +173,9 @@ export default async function MemoDetailPage({
 
   return (
     <div className="mx-[10px] my-[10px] border border-border-light bg-bg">
+      {accessToken && (
+        <DraftPreviewBanner state="viewing-draft" slug={slug} />
+      )}
       <script
         type="application/ld+json"
         dangerouslySetInnerHTML={{ __html: JSON.stringify(jsonLd) }}
diff --git a/src/components/auth/IdentifyUser.tsx b/src/components/auth/IdentifyUser.tsx
new file mode 100644
index 0000000..9c39682
--- /dev/null
+++ b/src/components/auth/IdentifyUser.tsx
@@ -0,0 +1,53 @@
+"use client";
+
+import { useEffect } from "react";
+import posthog from "posthog-js";
+
+// Sentinel recording which user (by email) we've already identified this
+// browser session, so identify fires once per session rather than once per
+// page load.
+const SESSION_KEY = "yf_identified";
+
+// Bridges the httpOnly session to PostHog: asks the server who the user is
+// (token never leaves the server) and identifies them in PostHog on login,
+// resets on logout. Rendered once in the root layout; returns no UI.
+export function IdentifyUser() {
+  useEffect(() => {
+    let cancelled = false;
+
+    (async () => {
+      try {
+        const res = await fetch("/api/auth/me", { cache: "no-store" });
+        if (!res.ok || cancelled) return;
+
+        const { user } = await res.json();
+        if (cancelled) return;
+
+        if (user) {
+          if (sessionStorage.getItem(SESSION_KEY) !== user.email) {
+            posthog.identify(user.email, {
+              email: user.email,
+              name: user.name,
+              role: user.role,
+              is_admin: user.admin,
+            });
+            sessionStorage.setItem(SESSION_KEY, user.email);
+          }
+        } else if (sessionStorage.getItem(SESSION_KEY)) {
+          // Was identified, now signed out → reset so the next anonymous
+          // visitor isn't conflated with the previous user.
+          posthog.reset();
+          sessionStorage.removeItem(SESSION_KEY);
+        }
+      } catch {
+        // Best-effort: analytics identification must never break the page.
+      }
+    })();
+
+    return () => {
+      cancelled = true;
+    };
+  }, []);
+
+  return null;
+}
diff --git a/src/lib/api/client.ts b/src/lib/api/client.ts
index b3c8882..70732de 100644
--- a/src/lib/api/client.ts
+++ b/src/lib/api/client.ts
@@ -1,10 +1,15 @@
+import { getAccessToken } from "@/lib/auth-token";
+
 export const API_URL =
   process.env.YORK_FACTORY_API_URL ||
   "https://yorkfactory.buildcanada.com/api/v1";
 
 export async function apiFetch<T>(
   path: string,
-  options?: { revalidate?: number; params?: Record<string, string> },
+  options?: {
+    revalidate?: number;
+    params?: Record<string, string>;
+  },
 ): Promise<T> {
   const url = new URL(`${API_URL}${path}`);
   if (options?.params) {
@@ -15,8 +20,17 @@ export async function apiFetch<T>(
     }
   }
 
+  const headers: Record<string, string> = {};
+  const accessToken = getAccessToken();
+  if (accessToken) {
+    headers["Authorization"] = `Bearer ${accessToken}`;
+  }
+
   const res = await fetch(url.toString(), {
-    next: { revalidate: options?.revalidate ?? 60 },
+    headers,
+    next: accessToken
+      ? { revalidate: 0 }
+      : { revalidate: options?.revalidate ?? 60 },
   });
 
   if (!res.ok) {
diff --git a/src/lib/auth-token.ts b/src/lib/auth-token.ts
new file mode 100644
index 0000000..61114ba
--- /dev/null
+++ b/src/lib/auth-token.ts
@@ -0,0 +1,17 @@
+import { cache } from "react";
+
+type Store = { value: string | undefined };
+
+// Request-scoped holder for the caller's OAuth access token. A server component
+// sets it (when the signed-in user may access non-public data) and apiFetch
+// reads it to attach the Authorization header. React.cache keeps it isolated
+// per request.
+const _store = cache((): Store => ({ value: undefined }));
+
+export function setAccessToken(token: string | undefined): void {
+  _store().value = token;
+}
+
+export function getAccessToken(): string | undefined {
+  return _store().value;
+}
diff --git a/src/lib/auth.ts b/src/lib/auth.ts
new file mode 100644
index 0000000..77d5007
--- /dev/null
+++ b/src/lib/auth.ts
@@ -0,0 +1,61 @@
+import { cache } from "react";
+import { cookies } from "next/headers";
+import { API_URL } from "@/lib/api/client";
+import { ACCESS_TOKEN_COOKIE } from "@/lib/oauth";
+
+export interface YfUser {
+  email: string;
+  name: string | null;
+  role: string | null;
+  avatarUrl: string | null;
+  admin: boolean;
+}
+
+// Reads the signed-in user's OAuth access token from the httpOnly cookie.
+export async function getAccessTokenCookie(): Promise<string | undefined> {
+  const store = await cookies();
+  return store.get(ACCESS_TOKEN_COOKIE)?.value;
+}
+
+// Resolves the current user from York Factory's /me endpoint using the access
+// token cookie. Returns null when there's no token or the token is invalid /
+// expired. React.cache dedupes this to a single /me call per server request
+// (e.g. generateMetadata + the page component share one result). It is
+// intentionally NOT cached across requests: /me is per-user authenticated data,
+// so a shared TTL cache could serve one user's identity to another and would
+// also let a revoked admin keep access until the entry expired.
+export const getCurrentUser = cache(async (): Promise<YfUser | null> => {
+  const token = await getAccessTokenCookie();
+  if (!token) return null;
+
+  try {
+    const res = await fetch(`${API_URL}/me`, {
+      headers: { Authorization: `Bearer ${token}` },
+      cache: "no-store",
+    });
+
+    if (res.ok) {
+      const data = await res.json();
+      return {
+        email: data.email,
+        name: data.name ?? null,
+        role: data.role ?? null,
+        avatarUrl: data.avatar_url ?? null,
+        admin: data.admin === true,
+      };
+    }
+
+    // 401/403 means the token is genuinely invalid/expired → signed out (quiet).
+    // Anything else means York Factory is unhealthy; log it so a transient
+    // outage isn't silently misread as "every admin lost access."
+    if (res.status !== 401 && res.status !== 403) {
+      console.warn(
+        `[auth] /me returned ${res.status}; treating user as signed out`,
+      );
+    }
+    return null;
+  } catch (err) {
+    console.warn("[auth] /me request failed; treating user as signed out", err);
+    return null;
+  }
+});
diff --git a/src/lib/oauth.ts b/src/lib/oauth.ts
new file mode 100644
index 0000000..29f16ad
--- /dev/null
+++ b/src/lib/oauth.ts
@@ -0,0 +1,107 @@
+import { NextResponse } from "next/server";
+
+const isProd = process.env.NODE_ENV === "production";
+
+// Resolves a required OAuth env var. In production we refuse to fall back to a
+// localhost default — a missing var should fail loudly rather than silently
+// send auth codes to a non-existent local callback.
+function resolve(name: string, devFallback: string): string {
+  const value = process.env[name];
+  if (value) return value;
+  if (isProd) {
+    throw new Error(
+      `Missing required OAuth env var ${name}; refusing to fall back to a localhost default in production.`,
+    );
+  }
+  return devFallback;
+}
+
+export function oauthConfig() {
+  return {
+    url: resolve("YF_OAUTH_URL", "http://localhost:3000"),
+    callbackUrl: resolve(
+      "YF_OAUTH_CALLBACK_URL",
+      "http://localhost:5050/api/auth/callback",
+    ),
+    clientId: process.env.YF_OAUTH_CLIENT_ID ?? "",
+    clientSecret: process.env.YF_OAUTH_CLIENT_SECRET ?? "",
+  };
+}
+
+export const ACCESS_TOKEN_COOKIE = "yf_access_token";
+export const REFRESH_TOKEN_COOKIE = "yf_refresh_token";
+
+// Refresh tokens outlive the short access token so middleware can renew the
+// session silently. 30 days bounds how long an idle session can be revived.
+const REFRESH_TOKEN_MAX_AGE = 60 * 60 * 24 * 30;
+
+export interface TokenResponse {
+  access_token: string;
+  token_type: string;
+  expires_in: number;
+  scope?: string;
+  refresh_token?: string;
+}
+
+// Only allow same-site, path-absolute redirects. Rejects absolute URLs and
+// protocol-relative values like "//evil.com" that browsers treat as external.
+export function safeRedirectPath(input: string | null | undefined): string {
+  return input && /^\/(?!\/)/.test(input) ? input : "/memos";
+}
+
+// Persists session tokens as httpOnly cookies. The access token cookie expires
+// with the token; the refresh token lives longer so it can renew the session.
+export function setSessionCookies(
+  response: NextResponse,
+  tokenData: TokenResponse,
+): void {
+  const secure = isProd;
+  response.cookies.set(ACCESS_TOKEN_COOKIE, tokenData.access_token, {
+    httpOnly: true,
+    secure,
+    sameSite: "lax",
+    maxAge: tokenData.expires_in,
+    path: "/",
+  });
+  if (tokenData.refresh_token) {
+    response.cookies.set(REFRESH_TOKEN_COOKIE, tokenData.refresh_token, {
+      httpOnly: true,
+      secure,
+      sameSite: "lax",
+      maxAge: REFRESH_TOKEN_MAX_AGE,
+      path: "/",
+    });
+  }
+}
+
+export function clearSessionCookies(response: NextResponse): void {
+  response.cookies.delete(ACCESS_TOKEN_COOKIE);
+  response.cookies.delete(REFRESH_TOKEN_COOKIE);
+}
+
+// Exchanges a refresh token for a fresh access token (and, with rotation, a new
+// refresh token). Returns null on any failure so callers fail closed.
+export async function refreshAccessToken(
+  refreshToken: string,
+): Promise<TokenResponse | null> {
+  const { url, clientId, clientSecret } = oauthConfig();
+  if (!clientId || !clientSecret) return null;
+
+  try {
+    const res = await fetch(`${url}/oauth/token`, {
+      method: "POST",
+      headers: { "Content-Type": "application/x-www-form-urlencoded" },
+      body: new URLSearchParams({
+        grant_type: "refresh_token",
+        refresh_token: refreshToken,
+        client_id: clientId,
+        client_secret: clientSecret,
+      }).toString(),
+      cache: "no-store",
+    });
+    if (!res.ok) return null;
+    return (await res.json()) as TokenResponse;
+  } catch {
+    return null;
+  }
+}
diff --git a/src/middleware.ts b/src/middleware.ts
new file mode 100644
index 0000000..9a525d1
--- /dev/null
+++ b/src/middleware.ts
@@ -0,0 +1,41 @@
+import { NextRequest, NextResponse } from "next/server";
+import {
+  ACCESS_TOKEN_COOKIE,
+  REFRESH_TOKEN_COOKIE,
+  clearSessionCookies,
+  refreshAccessToken,
+  setSessionCookies,
+} from "@/lib/oauth";
+
+// Silently renews the session. When the short-lived access token cookie has
+// expired but a refresh token is still present, exchange it for a new access
+// token (and rotated refresh token). Runs only on routes that actually consume
+// the token (memo pages for draft preview, and the identity proxy), never on
+// static assets.
+export async function middleware(request: NextRequest) {
+  const hasAccess = request.cookies.has(ACCESS_TOKEN_COOKIE);
+  const refreshToken = request.cookies.get(REFRESH_TOKEN_COOKIE)?.value;
+
+  if (hasAccess || !refreshToken) return NextResponse.next();
+
+  const tokenData = await refreshAccessToken(refreshToken);
+
+  if (!tokenData) {
+    // Refresh token is dead/revoked — clear it so we stop retrying every request.
+    const response = NextResponse.next();
+    clearSessionCookies(response);
+    return response;
+  }
+
+  // Make the fresh token visible to the current request (so this very render /
+  // API call already sees the renewed session)…
+  request.cookies.set(ACCESS_TOKEN_COOKIE, tokenData.access_token);
+  const response = NextResponse.next({ request: { headers: request.headers } });
+  // …and persist it on the browser for subsequent requests.
+  setSessionCookies(response, tokenData);
+  return response;
+}
+
+export const config = {
+  matcher: ["/memos/:path*", "/api/auth/me"],
+};