diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 9ae9f6b..6930bb0 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -20,19 +20,19 @@ jobs:
         dotnet-version: 9.0.x
 
     - name: Restore dependencies
-      run: dotnet restore src/Idmt.sln
+      run: dotnet restore src/Idmt.slnx
 
     - name: Format check
-      run: dotnet format src/Idmt.sln --verify-no-changes --verbosity diagnostic
+      run: dotnet format src/Idmt.slnx --verify-no-changes --verbosity diagnostic
 
     - name: Build
-      run: dotnet build src/Idmt.sln --no-restore --configuration Release /p:TreatWarningsAsErrors=true
+      run: dotnet build src/Idmt.slnx --no-restore --configuration Release /p:TreatWarningsAsErrors=true
     
     - name: Run analyzers
-      run: dotnet build src/Idmt.sln --no-restore --configuration Release /p:RunAnalyzers=true /p:EnforceCodeStyleInBuild=true
+      run: dotnet build src/Idmt.slnx --no-restore --configuration Release /p:RunAnalyzers=true /p:EnforceCodeStyleInBuild=true
 
     - name: Test
-      run: dotnet test src/Idmt.sln --no-build --configuration Release --verbosity normal
+      run: dotnet test src/Idmt.slnx --no-build --configuration Release --verbosity normal
 
     - name: Pack
       run: dotnet pack src/Idmt.Plugin/Idmt.Plugin.csproj --no-build --configuration Release --output .
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index b5dbc19..eec3074 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -16,13 +16,13 @@ jobs:
           dotnet-version: 9.0.x
 
       - name: Restore dependencies
-        run: dotnet restore src/Idmt.sln
+        run: dotnet restore src/Idmt.slnx
 
       - name: Build
-        run: dotnet build src/Idmt.sln --no-restore --configuration Release
+        run: dotnet build src/Idmt.slnx --no-restore --configuration Release
 
       - name: Test
-        run: dotnet test src/Idmt.sln --no-build --configuration Release
+        run: dotnet test src/Idmt.slnx --no-build --configuration Release
 
       - name: Set Version
         id: get_version
diff --git a/.gitignore b/.gitignore
index c6ddfad..3d09d56 100644
--- a/.gitignore
+++ b/.gitignore
@@ -58,3 +58,5 @@ nunit-*.xml
 *.db
 *.db-shm
 *.db-wal
+
+.claude/settings.local.json
diff --git a/src/Idmt.Plugin/Configuration/IdmtEndpointNames.cs b/src/Idmt.Plugin/Configuration/IdmtEndpointNames.cs
new file mode 100644
index 0000000..9783314
--- /dev/null
+++ b/src/Idmt.Plugin/Configuration/IdmtEndpointNames.cs
@@ -0,0 +1,8 @@
+namespace Idmt.Plugin.Configuration;
+
+internal static class IdmtEndpointNames
+{
+    public const string ConfirmEmail = "ConfirmEmail";
+    public const string ConfirmEmailDirect = "ConfirmEmail-direct";
+    public const string PasswordReset = "ResetPassword";
+}
diff --git a/src/Idmt.Plugin/Configuration/IdmtOptions.cs b/src/Idmt.Plugin/Configuration/IdmtOptions.cs
index 34818e6..d50b85e 100644
--- a/src/Idmt.Plugin/Configuration/IdmtOptions.cs
+++ b/src/Idmt.Plugin/Configuration/IdmtOptions.cs
@@ -24,7 +24,7 @@ public class IdmtOptions
     /// <summary>
     /// Identity configuration options
     /// </summary>
-    public AuthOptions Identity { get; set; } = new();
+    public IdmtAuthOptions Identity { get; set; } = new();
 
     /// <summary>
     /// Multi-tenant configuration options
@@ -35,6 +35,32 @@ public class IdmtOptions
     /// Database configuration options
     /// </summary>
     public DatabaseOptions Database { get; set; } = new();
+
+    /// <summary>
+    /// Rate limiting configuration options for auth endpoints
+    /// </summary>
+    public RateLimitingOptions RateLimiting { get; set; } = new();
+
+}
+
+/// <summary>
+/// Controls how email confirmation links behave.
+/// </summary>
+public enum EmailConfirmationMode
+{
+    /// <summary>
+    /// Email link points to GET /auth/confirm-email on the server, which confirms
+    /// the email directly (like Microsoft's reference implementation).
+    /// No client-side form needed for email confirmation.
+    /// </summary>
+    ServerConfirm,
+
+    /// <summary>
+    /// Email link points to ClientUrl/ConfirmEmailFormPath on the client app.
+    /// The client reads the token from the URL and calls POST /auth/confirm-email.
+    /// Default for SPA/mobile apps.
+    /// </summary>
+    ClientForm
 }
 
 /// <summary>
@@ -42,8 +68,12 @@ public class IdmtOptions
 /// </summary>
 public class ApplicationOptions
 {
-    public const string PasswordResetEndpointName = "ResetPassword";
-    public const string ConfirmEmailEndpointName = "ConfirmEmail";
+    /// <summary>
+    /// URI prefix applied to all IDMT endpoint groups (/auth, /manage, /admin, /health).
+    /// Defaults to "/api/v1". Set to "" to restore the legacy unprefixed behavior.
+    /// Examples: "/api/v1", "/v2", "/api/v2", ""
+    /// </summary>
+    public string ApiPrefix { get; set; } = "/api/v1";
 
     /// <summary>
     /// Base URL of the client application, if any (e.g. "https://myapp.com")
@@ -57,12 +87,19 @@ public class ApplicationOptions
 
     public string ResetPasswordFormPath { get; set; } = "/reset-password";
     public string ConfirmEmailFormPath { get; set; } = "/confirm-email";
+
+    /// <summary>
+    /// Controls how email confirmation links are generated.
+    /// ServerConfirm: link hits GET /auth/confirm-email which confirms directly.
+    /// ClientForm: link points to ClientUrl/ConfirmEmailFormPath for SPA handling.
+    /// </summary>
+    public EmailConfirmationMode EmailConfirmationMode { get; set; } = EmailConfirmationMode.ClientForm;
 }
 
 /// <summary>
 /// ASP.NET Core Identity configuration
 /// </summary>
-public class AuthOptions
+public class IdmtAuthOptions
 {
     public const string CookieOrBearerScheme = "CookieOrBearer";
 
@@ -75,7 +112,7 @@ public class AuthOptions
     /// <summary>
     /// Password requirements
     /// </summary>
-    public PasswordOptions Password { get; set; } = new();
+    public IdmtPasswordOptions Password { get; set; } = new();
 
     /// <summary>
     /// User requirements
@@ -90,7 +127,7 @@ public class AuthOptions
     /// <summary>
     /// Cookie configuration options
     /// </summary>
-    public CookieOptions Cookie { get; set; } = new();
+    public IdmtCookieOptions Cookie { get; set; } = new();
 
     /// <summary>
     /// Bearer token configuration options
@@ -106,13 +143,13 @@ public class AuthOptions
 /// <summary>
 /// Password configuration options
 /// </summary>
-public class PasswordOptions
+public class IdmtPasswordOptions
 {
     public bool RequireDigit { get; set; } = true;
     public bool RequireLowercase { get; set; } = true;
     public bool RequireUppercase { get; set; } = true;
     public bool RequireNonAlphanumeric { get; set; } = false;
-    public int RequiredLength { get; set; } = 6;
+    public int RequiredLength { get; set; } = 8;
     public int RequiredUniqueChars { get; set; } = 1;
 }
 
@@ -130,19 +167,34 @@ public class UserOptions
 /// </summary>
 public class SignInOptions
 {
-    public bool RequireConfirmedEmail { get; set; } = false;
+    public bool RequireConfirmedEmail { get; set; } = true;
     public bool RequireConfirmedPhoneNumber { get; set; } = false;
 }
 
 /// <summary>
 /// Cookie configuration options
 /// </summary>
-public class CookieOptions
+public class IdmtCookieOptions
 {
     public string Name { get; set; } = ".Idmt.Application";
     public bool HttpOnly { get; set; } = true;
-    public Microsoft.AspNetCore.Http.CookieSecurePolicy SecurePolicy { get; set; } = Microsoft.AspNetCore.Http.CookieSecurePolicy.SameAsRequest;
-    public Microsoft.AspNetCore.Http.SameSiteMode SameSite { get; set; } = Microsoft.AspNetCore.Http.SameSiteMode.Lax;
+    public Microsoft.AspNetCore.Http.CookieSecurePolicy SecurePolicy { get; set; } = Microsoft.AspNetCore.Http.CookieSecurePolicy.Always;
+
+    /// <summary>
+    /// Controls the SameSite attribute of the authentication cookie.
+    /// Defaults to <see cref="Microsoft.AspNetCore.Http.SameSiteMode.Strict"/>, which means the
+    /// browser will never send the cookie on cross-site requests (neither top-level navigations
+    /// nor sub-resource loads). This is the strongest available CSRF protection at the cookie
+    /// layer and removes the need for anti-forgery tokens on state-mutating endpoints that rely
+    /// solely on cookie authentication.
+    ///
+    /// Change to <see cref="Microsoft.AspNetCore.Http.SameSiteMode.Lax"/> only if your
+    /// application requires cookie preservation on top-level cross-site GET navigations (e.g.
+    /// OAuth / OIDC redirect flows), and compensate with explicit anti-forgery validation on
+    /// every state-mutating endpoint.
+    /// </summary>
+    public Microsoft.AspNetCore.Http.SameSiteMode SameSite { get; set; } = Microsoft.AspNetCore.Http.SameSiteMode.Strict;
+
     public TimeSpan ExpireTimeSpan { get; set; } = TimeSpan.FromDays(14);
     public bool SlidingExpiration { get; set; } = true;
     public bool IsRedirectEnabled { get; set; } = false;
@@ -191,7 +243,7 @@ public class MultiTenantOptions
     /// </summary>
     public const string DefaultTenantIdentifier = "system-tenant";
 
-    public string DefaultTenantDisplayName { get; set; } = "System Tenant";
+    public string DefaultTenantName { get; set; } = "System Tenant";
 
     /// <summary>
     /// Tenant resolution strategy (header, subdomain, etc.)
@@ -204,18 +256,65 @@ public class MultiTenantOptions
     public Dictionary<string, string> StrategyOptions { get; set; } = [];
 }
 
+/// <summary>
+/// Controls how the IDMT database schema is initialized on startup.
+/// </summary>
+public enum DatabaseInitializationMode
+{
+    /// <summary>
+    /// Use EF Core Migrations. Consumers must create and apply migrations themselves.
+    /// Recommended for production. Default.
+    /// </summary>
+    Migrate,
+
+    /// <summary>
+    /// Use EnsureCreated for quick setup. Not compatible with migrations.
+    /// Suitable for development, testing, and prototyping only.
+    /// </summary>
+    EnsureCreated,
+
+    /// <summary>
+    /// Skip automatic database initialization. Consumer manages the database schema externally.
+    /// </summary>
+    None
+}
+
 /// <summary>
 /// Database configuration options
 /// </summary>
 public class DatabaseOptions
 {
     /// <summary>
-    /// Connection string template with placeholder for tenant's properties
+    /// Controls how the database schema is initialized on startup.
+    /// <see cref="DatabaseInitializationMode.Migrate"/> runs EF Core migrations and is the
+    /// default for production use. <see cref="DatabaseInitializationMode.EnsureCreated"/> is
+    /// suitable for development, testing, and prototyping where migrations are not used.
+    /// <see cref="DatabaseInitializationMode.None"/> skips initialization entirely and leaves
+    /// schema management to the consumer.
+    /// </summary>
+    public DatabaseInitializationMode DatabaseInitialization { get; set; } = DatabaseInitializationMode.Migrate;
+}
+
+/// <summary>
+/// Rate limiting configuration for IDMT auth endpoints.
+/// When enabled, a fixed-window limiter named "idmt-auth" is registered and applied
+/// to all authentication endpoints (login, token, forgot-password, etc.) to protect
+/// against brute-force and email-flooding attacks.
+/// </summary>
+public class RateLimitingOptions
+{
+    /// <summary>
+    /// Enable built-in rate limiting for auth endpoints. Default: true.
+    /// </summary>
+    public bool Enabled { get; set; } = true;
+
+    /// <summary>
+    /// Maximum number of requests allowed per window for auth endpoints. Default: 10.
     /// </summary>
-    public string ConnectionStringTemplate { get; set; } = string.Empty;
+    public int PermitLimit { get; set; } = 10;
 
     /// <summary>
-    /// Auto-migrate database on startup
+    /// Duration of the sliding window in seconds. Default: 60.
     /// </summary>
-    public bool AutoMigrate { get; set; } = false;
+    public int WindowInSeconds { get; set; } = 60;
 }
\ No newline at end of file
diff --git a/src/Idmt.Plugin/Configuration/IdmtOptionsValidator.cs b/src/Idmt.Plugin/Configuration/IdmtOptionsValidator.cs
new file mode 100644
index 0000000..6974467
--- /dev/null
+++ b/src/Idmt.Plugin/Configuration/IdmtOptionsValidator.cs
@@ -0,0 +1,95 @@
+using Microsoft.Extensions.Options;
+
+namespace Idmt.Plugin.Configuration;
+
+/// <summary>
+/// Validates <see cref="IdmtOptions"/> at application startup so that
+/// misconfigured options are reported immediately rather than causing
+/// unexpected failures at runtime.
+/// </summary>
+public sealed class IdmtOptionsValidator : IValidateOptions<IdmtOptions>
+{
+    /// <inheritdoc />
+    public ValidateOptionsResult Validate(string? name, IdmtOptions options)
+    {
+        var failures = new List<string>();
+
+        ValidateApplicationOptions(options.Application, failures);
+        ValidateMultiTenantOptions(options.MultiTenant, failures);
+
+        return failures.Count > 0
+            ? ValidateOptionsResult.Fail(failures)
+            : ValidateOptionsResult.Success;
+    }
+
+    private static void ValidateApplicationOptions(ApplicationOptions application, List<string> failures)
+    {
+        // Rule 1: ApiPrefix must not be null or empty.
+        // An empty string is the documented opt-out for legacy unprefixed behavior,
+        // but null indicates the property was explicitly cleared and is misconfigured.
+        if (application.ApiPrefix is null)
+        {
+            failures.Add(
+                $"{nameof(IdmtOptions.Application)}.{nameof(ApplicationOptions.ApiPrefix)} must not be null. " +
+                "Use an empty string \"\" to disable the prefix or provide a value such as \"/api/v1\".");
+        }
+
+        // Rule 2: When EmailConfirmationMode is ClientForm, ClientUrl is required.
+        if (application.EmailConfirmationMode == EmailConfirmationMode.ClientForm &&
+            string.IsNullOrWhiteSpace(application.ClientUrl))
+        {
+            failures.Add(
+                $"{nameof(IdmtOptions.Application)}.{nameof(ApplicationOptions.ClientUrl)} must not be null or empty " +
+                $"when {nameof(ApplicationOptions.EmailConfirmationMode)} is {nameof(EmailConfirmationMode.ClientForm)}.");
+        }
+
+        // Rule 3: When ClientUrl is set, the client-side form paths must also be configured.
+        if (!string.IsNullOrWhiteSpace(application.ClientUrl))
+        {
+            if (string.IsNullOrWhiteSpace(application.ConfirmEmailFormPath))
+            {
+                failures.Add(
+                    $"{nameof(IdmtOptions.Application)}.{nameof(ApplicationOptions.ConfirmEmailFormPath)} must not be null or empty " +
+                    $"when {nameof(ApplicationOptions.ClientUrl)} is set.");
+            }
+
+            if (string.IsNullOrWhiteSpace(application.ResetPasswordFormPath))
+            {
+                failures.Add(
+                    $"{nameof(IdmtOptions.Application)}.{nameof(ApplicationOptions.ResetPasswordFormPath)} must not be null or empty " +
+                    $"when {nameof(ApplicationOptions.ClientUrl)} is set.");
+            }
+        }
+    }
+
+    private static void ValidateMultiTenantOptions(MultiTenantOptions multiTenant, List<string> failures)
+    {
+        // Rule 4: The constant DefaultTenantIdentifier is a compile-time value and cannot be
+        // null or empty. Validate it defensively so that any future refactor to an instance
+        // property is caught immediately.
+        if (string.IsNullOrWhiteSpace(MultiTenantOptions.DefaultTenantIdentifier))
+        {
+            failures.Add(
+                $"{nameof(IdmtOptions.MultiTenant)}.{nameof(MultiTenantOptions.DefaultTenantIdentifier)} must not be null or empty.");
+        }
+
+        // Rule 5: DefaultTenantName is configurable and must not be null or empty.
+        if (string.IsNullOrWhiteSpace(multiTenant.DefaultTenantName))
+        {
+            failures.Add(
+                $"{nameof(IdmtOptions.MultiTenant)}.{nameof(MultiTenantOptions.DefaultTenantName)} must not be null or empty.");
+        }
+
+        // Rule 6: At least one tenant resolution strategy must be configured.
+        // The Strategies array controls which strategies (header, claim, route, basepath) are
+        // active. An empty array means no tenant can ever be resolved, which is always a
+        // misconfiguration. StrategyOptions holds per-strategy overrides and may be empty.
+        if (multiTenant.Strategies.Length == 0)
+        {
+            failures.Add(
+                $"{nameof(IdmtOptions.MultiTenant)}.{nameof(MultiTenantOptions.Strategies)} must contain at least one entry. " +
+                $"Supported values: {IdmtMultiTenantStrategy.Header}, {IdmtMultiTenantStrategy.Claim}, " +
+                $"{IdmtMultiTenantStrategy.Route}, {IdmtMultiTenantStrategy.BasePath}.");
+        }
+    }
+}
diff --git a/src/Idmt.Plugin/Constants/AuditAction.cs b/src/Idmt.Plugin/Constants/AuditAction.cs
new file mode 100644
index 0000000..7180927
--- /dev/null
+++ b/src/Idmt.Plugin/Constants/AuditAction.cs
@@ -0,0 +1,8 @@
+namespace Idmt.Plugin.Constants;
+
+public enum AuditAction
+{
+    Created,
+    Modified,
+    Deleted
+}
diff --git a/src/Idmt.Plugin/Constants/IdmtClaimTypes.cs b/src/Idmt.Plugin/Constants/IdmtClaimTypes.cs
new file mode 100644
index 0000000..940b050
--- /dev/null
+++ b/src/Idmt.Plugin/Constants/IdmtClaimTypes.cs
@@ -0,0 +1,6 @@
+namespace Idmt.Plugin.Constants;
+
+public static class IdmtClaimTypes
+{
+    public const string IsActive = "is_active";
+}
diff --git a/src/Idmt.Plugin/DT.cs b/src/Idmt.Plugin/DT.cs
deleted file mode 100644
index 0c5a7b5..0000000
--- a/src/Idmt.Plugin/DT.cs
+++ /dev/null
@@ -1,10 +0,0 @@
-namespace Idmt.Plugin;
-
-/// <summary>
-/// DateTime substiute to guarantee UTC timezone
-/// </summary>
-public static class DT
-{
-    public static DateTime UtcNow => DateTime.UtcNow;
-    public static DateTimeOffset UtcNowOffset => DateTimeOffset.UtcNow;
-}
\ No newline at end of file
diff --git a/src/Idmt.Plugin/Errors/IdmtErrors.cs b/src/Idmt.Plugin/Errors/IdmtErrors.cs
new file mode 100644
index 0000000..48d667a
--- /dev/null
+++ b/src/Idmt.Plugin/Errors/IdmtErrors.cs
@@ -0,0 +1,153 @@
+using ErrorOr;
+
+namespace Idmt.Plugin.Errors;
+
+public static class IdmtErrors
+{
+    public static class Auth
+    {
+        public static Error Unauthorized => Error.Unauthorized(
+            code: "Auth.Unauthorized",
+            description: "Unauthorized");
+
+        public static Error Forbidden => Error.Forbidden(
+            code: "Auth.Forbidden",
+            description: "Forbidden");
+
+        public static Error UserDeactivated => Error.Forbidden(
+            code: "Auth.UserDeactivated",
+            description: "User is deactivated");
+
+        public static Error TwoFactorRequired => Error.Custom(
+            type: 42,
+            code: "Auth.TwoFactorRequired",
+            description: "Two-factor authentication is required");
+
+        public static Error InvalidCredentials => Error.Unauthorized(
+            code: "Auth.InvalidCredentials",
+            description: "Invalid credentials");
+
+        public static Error LockedOut => Error.Custom(
+            type: 43,
+            code: "Auth.LockedOut",
+            description: "Account is locked out due to too many failed attempts");
+    }
+
+    public static class Tenant
+    {
+        public static Error NotFound => Error.NotFound(
+            code: "Tenant.NotFound",
+            description: "Tenant not found");
+
+        public static Error Inactive => Error.Forbidden(
+            code: "Tenant.Inactive",
+            description: "Tenant is not active");
+
+        public static Error NotResolved => Error.Validation(
+            code: "Tenant.NotResolved",
+            description: "Tenant not resolved");
+
+        public static Error CannotDeleteDefault => Error.Forbidden(
+            code: "Tenant.CannotDeleteDefault",
+            description: "Cannot delete the default tenant");
+
+        public static Error CreationFailed => Error.Failure(
+            code: "Tenant.CreationFailed",
+            description: "Failed to create tenant");
+
+        public static Error UpdateFailed => Error.Failure(
+            code: "Tenant.UpdateFailed",
+            description: "Failed to update tenant");
+
+        public static Error DeletionFailed => Error.Failure(
+            code: "Tenant.DeletionFailed",
+            description: "Failed to delete tenant");
+
+        public static Error RoleSeedFailed => Error.Failure(
+            code: "Tenant.RoleSeedFailed",
+            description: "Failed to guarantee tenant roles");
+
+        public static Error AccessError => Error.Failure(
+            code: "Tenant.AccessError",
+            description: "An error occurred while managing tenant access");
+
+        public static Error AlreadyExists => Error.Conflict(
+            code: "Tenant.AlreadyExists",
+            description: "A tenant with this identifier already exists");
+
+        public static Error AccessNotFound => Error.NotFound(
+            code: "Tenant.AccessNotFound",
+            description: "No tenant access record found for this user");
+    }
+
+    public static class User
+    {
+        public static Error NotFound => Error.NotFound(
+            code: "User.NotFound",
+            description: "User not found");
+
+        public static Error CreationFailed => Error.Failure(
+            code: "User.CreationFailed",
+            description: "Failed to create user");
+
+        public static Error UpdateFailed => Error.Failure(
+            code: "User.UpdateFailed",
+            description: "Failed to update user");
+
+        public static Error RoleNotFound => Error.Validation(
+            code: "User.RoleNotFound",
+            description: "Role not found");
+
+        public static Error InsufficientPermissions => Error.Forbidden(
+            code: "User.InsufficientPermissions",
+            description: "Insufficient permissions");
+
+        public static Error NoRolesAssigned => Error.Validation(
+            code: "User.NoRolesAssigned",
+            description: "User has no roles assigned");
+
+        public static Error ClaimsNotFound => Error.Validation(
+            code: "User.ClaimsNotFound",
+            description: "User claims not found");
+
+        public static Error Inactive => Error.Forbidden(
+            code: "User.Inactive",
+            description: "User is not active");
+
+        public static Error DeletionFailed => Error.Failure(
+            code: "User.DeletionFailed",
+            description: "Failed to delete user");
+    }
+
+    public static class Token
+    {
+        public static Error Invalid => Error.Validation(
+            code: "Token.Invalid",
+            description: "Invalid token");
+
+        public static Error Revoked => Error.Unauthorized(
+            code: "Token.Revoked",
+            description: "Token has been revoked");
+    }
+
+    public static class Email
+    {
+        public static Error ConfirmationFailed => Error.Failure(
+            code: "Email.ConfirmationFailed",
+            description: "Unable to confirm email");
+    }
+
+    public static class Password
+    {
+        public static Error ResetFailed => Error.Failure(
+            code: "Password.ResetFailed",
+            description: "Unable to reset password");
+    }
+
+    public static class General
+    {
+        public static Error Unexpected => Error.Unexpected(
+            code: "General.Unexpected",
+            description: "An unexpected error occurred");
+    }
+}
diff --git a/src/Idmt.Plugin/Extensions/ApplicationBuilderExtensions.cs b/src/Idmt.Plugin/Extensions/ApplicationBuilderExtensions.cs
index 4cd2a27..7a2ba63 100644
--- a/src/Idmt.Plugin/Extensions/ApplicationBuilderExtensions.cs
+++ b/src/Idmt.Plugin/Extensions/ApplicationBuilderExtensions.cs
@@ -1,4 +1,3 @@
-using System.Reflection;
 using Finbuckle.MultiTenant.AspNetCore.Extensions;
 using Idmt.Plugin.Configuration;
 using Idmt.Plugin.Features;
@@ -23,12 +22,15 @@ namespace Idmt.Plugin.Extensions;
 public static class ApplicationBuilderExtensions
 {
     /// <summary>
-    /// Middleware pipeline for security before calling UseIdmt()
+    /// Adds IDMT middleware to the application pipeline, including security headers.
     /// </summary>
-    /// <param name="app">The web application</param>
-    /// <returns>The web application</returns>
-    public static IApplicationBuilder UseIdmtSecurity(this WebApplication app)
+    /// <param name="app">The application builder</param>
+    /// <returns>The application builder</returns>
+    public static IApplicationBuilder UseIdmt(this IApplicationBuilder app)
     {
+        var idmtOptions = app.ApplicationServices.GetRequiredService<IOptions<IdmtOptions>>().Value;
+
+        // Security headers
         app.Use(async (context, next) =>
         {
             context.Response.Headers.XContentTypeOptions = "nosniff";
@@ -38,16 +40,13 @@ public static IApplicationBuilder UseIdmtSecurity(this WebApplication app)
             await next();
         });
 
-        return app;
-    }
+        // Rate limiting must be added before authentication so rejected requests
+        // never reach identity processing. Only registered when the feature is enabled.
+        if (idmtOptions.RateLimiting.Enabled)
+        {
+            app.UseRateLimiter();
+        }
 
-    /// <summary>
-    /// Adds IDMT middleware to the application pipeline
-    /// </summary>
-    /// <param name="app">The application builder</param>
-    /// <returns>The application builder</returns>
-    public static IApplicationBuilder UseIdmt(this IApplicationBuilder app)
-    {
         // Add multi-tenant middleware - must come before authentication
         app.UseMultiTenant();
 
@@ -66,31 +65,65 @@ public static IApplicationBuilder UseIdmt(this IApplicationBuilder app)
     }
 
     /// <summary>
-    /// Maps the IDMT endpoints. In case of route or basepath strategy, it's up
-    /// to the caller to pass an adequate endpoint route builder.
+    /// Maps the IDMT endpoints under the configured API prefix. In case of route or
+    /// basepath strategy, it's up to the caller to pass an adequate endpoint route builder.
     /// For example, if using the route strategy, the caller should pass the
     /// endpoint route builder for the tenant, e.g. `/{__tenant__?}`.
+    ///
+    /// The API prefix (e.g. "/api/v1") is read from
+    /// <see cref="ApplicationOptions.ApiPrefix"/> and defaults to "/api/v1".
+    /// Set it to an empty string to restore the legacy unprefixed behavior.
     /// </summary>
     /// <param name="endpoints">The endpoint route builder</param>
     /// <returns>The endpoint route builder</returns>
+    /// <remarks>
+    /// <para><b>OpenAPI security scheme</b></para>
+    /// <para>
+    /// IDMT does not configure OpenAPI itself. To expose the Bearer token scheme in the
+    /// OpenAPI document generated by the host application, register an
+    /// <c>IOpenApiDocumentTransformer</c> before calling <c>app.MapOpenApi()</c>.
+    /// See the XML documentation on <c>AddIdmt</c> in
+    /// <see cref="ServiceCollectionExtensions"/> for a complete code example.
+    /// </para>
+    /// </remarks>
     public static IEndpointRouteBuilder MapIdmtEndpoints(this IEndpointRouteBuilder endpoints)
     {
-        endpoints.MapAuthEndpoints();
-        endpoints.MapAuthManageEndpoints();
-        endpoints.MapAdminEndpoints();
-        endpoints.MapHealthChecks("/healthz").RequireAuthorization(AuthOptions.RequireSysUserPolicy);
+        var options = endpoints.ServiceProvider.GetRequiredService<IOptions<IdmtOptions>>();
+        var apiPrefix = options.Value.Application.ApiPrefix ?? string.Empty;
+
+        // Wrap all endpoint groups under the versioned prefix.
+        // When apiPrefix is "" the group is effectively a pass-through.
+        var prefixed = endpoints.MapGroup(apiPrefix);
+
+        prefixed.MapAuthEndpoints();
+        prefixed.MapAuthManageEndpoints();
+        prefixed.MapAdminEndpoints();
+        prefixed.MapHealthChecks("/healthz").RequireAuthorization(IdmtAuthOptions.RequireSysUserPolicy);
         return endpoints;
     }
 
     /// <summary>
-    /// Ensures the database is created and optionally migrated.
-    /// Only IdmtDbContext is used for migrations since it owns all table configurations.
-    /// IdmtTenantStoreDbContext shares the same database but doesn't manage schema.
+    /// Initializes the IDMT database schema according to the configured
+    /// <see cref="DatabaseOptions.DatabaseInitialization"/> mode.
+    ///
+    /// Only <see cref="IdmtDbContext"/> is used here because it owns all table
+    /// configurations. <see cref="IdmtTenantStoreDbContext"/> shares the same
+    /// physical database and connection, so no separate initialization is needed for it.
+    ///
+    /// <list type="bullet">
+    ///   <item><see cref="DatabaseInitializationMode.Migrate"/> — applies pending EF Core migrations.
+    ///   Recommended for production. Requires migrations to have been generated and added to
+    ///   the consuming project.</item>
+    ///   <item><see cref="DatabaseInitializationMode.EnsureCreated"/> — creates the schema without
+    ///   a migrations history table. Suitable for development, testing, and prototyping.
+    ///   Not compatible with migrations.</item>
+    ///   <item><see cref="DatabaseInitializationMode.None"/> — skips all automatic initialization.
+    ///   The consumer is responsible for managing the schema externally.</item>
+    /// </list>
     /// </summary>
     /// <param name="app">The application builder</param>
-    /// <param name="autoMigrate">Whether to automatically run migrations</param>
-    /// <returns>The application builder</returns>
-    public static async Task EnsureIdmtDatabaseAsync(this IApplicationBuilder app, bool autoMigrate = false)
+    /// <returns>A task that completes when database initialization is done</returns>
+    public static async Task EnsureIdmtDatabaseAsync(this IApplicationBuilder app)
     {
         using var scope = app.ApplicationServices.CreateScope();
         var services = scope.ServiceProvider;
@@ -98,36 +131,20 @@ public static async Task EnsureIdmtDatabaseAsync(this IApplicationBuilder app, b
         var options = services.GetRequiredService<IOptions<IdmtOptions>>();
         var context = services.GetRequiredService<IdmtDbContext>();
 
-        try
+        switch (options.Value.Database.DatabaseInitialization)
         {
-            var shouldMigrate = autoMigrate || options.Value.Database.AutoMigrate;
-
-            if (shouldMigrate)
-            {
-                // Try to migrate, fall back to EnsureCreated if migrations not supported
-                try
-                {
-                    await context.Database.MigrateAsync();
-                }
-                catch (InvalidOperationException)
-                {
-                    // Migrations not supported (e.g., in-memory database)
-                    await context.Database.EnsureCreatedAsync();
-                }
-            }
-            else
-            {
+            case DatabaseInitializationMode.Migrate:
+                await context.Database.MigrateAsync();
+                break;
+            case DatabaseInitializationMode.EnsureCreated:
                 await context.Database.EnsureCreatedAsync();
-            }
-
-            // NOTE: IdmtTenantStoreDbContext shares the same database/connection
-            // No separate initialization needed - it accesses tables created above
-        }
-        catch (Exception ex)
-        {
-            Console.Error.WriteLine($"Database initialization failed: {ex.Message}");
-            throw;
+                break;
+            case DatabaseInitializationMode.None:
+                break;
         }
+
+        // NOTE: IdmtTenantStoreDbContext shares the same database/connection.
+        // No separate initialization needed — it accesses tables created above.
     }
 
     /// <summary>
@@ -140,21 +157,13 @@ public static async Task<IApplicationBuilder> SeedIdmtDataAsync(this IApplicatio
     {
         using var scope = app.ApplicationServices.CreateScope();
         var services = scope.ServiceProvider;
-        try
-        {
-            // Run default seeding
-            await SeedDefaultDataAsync(services);
-
-            // Run custom seeding if provided
-            if (seedAction != null)
-            {
-                await seedAction(services);
-            }
-        }
-        catch (Exception ex)
+        // Run default seeding
+        await SeedDefaultDataAsync(services);
+
+        // Run custom seeding if provided
+        if (seedAction != null)
         {
-            Console.Error.WriteLine($"Data seeding failed: {ex.Message}");
-            throw;
+            await seedAction(services);
         }
 
         return app;
@@ -166,79 +175,20 @@ private static async Task SeedDefaultDataAsync(IServiceProvider services)
         var createTenantHandler = services.GetRequiredService<CreateTenant.ICreateTenantHandler>();
         await createTenantHandler.HandleAsync(new CreateTenant.CreateTenantRequest(
             MultiTenantOptions.DefaultTenantIdentifier,
-            MultiTenantOptions.DefaultTenantIdentifier,
-            options.Value.MultiTenant.DefaultTenantDisplayName));
+            options.Value.MultiTenant.DefaultTenantName));
     }
 
     private static void VerifyUserStoreSupportsEmail(IApplicationBuilder app)
     {
-        // Check if the service is registered without resolving it to avoid circular dependencies
-        var serviceProvider = app.ApplicationServices;
-
-        // Fallback: Use reflection to access service descriptors for older .NET versions
-        var serviceDescriptors = GetServiceDescriptors(serviceProvider);
-        var userStoreDescriptor = serviceDescriptors.FirstOrDefault(sd => sd.ServiceType == typeof(IUserStore<IdmtUser>))
-            ?? throw new InvalidOperationException("No IUserStore<IdmtUser> is registered. Ensure Identity is configured before calling UseIdmt().");
-
-        // Check if the implementation type implements IUserEmailStore<IdmtUser>
-        var implementationType = userStoreDescriptor.ImplementationType;
-        if (implementationType == null)
-        {
-            // If using a factory or instance, we can't verify without resolving
-            // EntityFrameworkStores always implements IUserEmailStore, so we assume it's correct
-            return;
-        }
-
-        // Verify the implementation type implements IUserEmailStore<IdmtUser>
-        var emailStoreType = typeof(IUserEmailStore<IdmtUser>);
-        if (!emailStoreType.IsAssignableFrom(implementationType))
-        {
-            throw new NotSupportedException($"Idmt.Plugin requires a user store that implements IUserEmailStore<IdmtUser> (email support). Found: {implementationType.FullName}");
-        }
-    }
-
-    private static IEnumerable<ServiceDescriptor> GetServiceDescriptors(IServiceProvider serviceProvider)
-    {
-        // Use reflection to access the internal CallSiteFactory which contains the service descriptors
-        // This avoids resolving services and prevents circular dependency issues
-        object? callSiteFactory = null;
-
-        var field = serviceProvider.GetType().GetField("_serviceProvider", BindingFlags.NonPublic | BindingFlags.Instance)
-            ?? serviceProvider.GetType().GetField("_callSiteFactory", BindingFlags.NonPublic | BindingFlags.Instance);
-
-        if (field != null)
-        {
-            callSiteFactory = field.GetValue(serviceProvider);
-        }
-        else
-        {
-            var property = serviceProvider.GetType().GetProperty("CallSiteFactory", BindingFlags.NonPublic | BindingFlags.Instance);
-            if (property != null)
-            {
-                callSiteFactory = property.GetValue(serviceProvider);
-            }
-        }
-
-        if (callSiteFactory == null)
-        {
-            return [];
-        }
-
-        // Access the descriptors from the call site factory
-        var descriptorsProperty = callSiteFactory.GetType().GetProperty("Descriptors", BindingFlags.Public | BindingFlags.NonPublic | BindingFlags.Instance);
-        if (descriptorsProperty != null)
+        using var scope = app.ApplicationServices.CreateScope();
+        var userStore = scope.ServiceProvider.GetService<IUserStore<IdmtUser>>();
+        if (userStore is null)
         {
-            var descriptors = descriptorsProperty.GetValue(callSiteFactory) as IEnumerable<ServiceDescriptor>;
-            return descriptors ?? Enumerable.Empty<ServiceDescriptor>();
+            throw new InvalidOperationException("No IUserStore<IdmtUser> is registered. Ensure Identity is configured before calling UseIdmt().");
         }
-
-        var descriptorsField = callSiteFactory.GetType().GetField("_descriptors", BindingFlags.NonPublic | BindingFlags.Instance);
-        if (descriptorsField != null)
+        if (userStore is not IUserEmailStore<IdmtUser>)
         {
-            var descriptors = descriptorsField.GetValue(callSiteFactory) as IEnumerable<ServiceDescriptor>;
-            return descriptors ?? Enumerable.Empty<ServiceDescriptor>();
+            throw new NotSupportedException("Idmt.Plugin requires a user store that supports email (IUserEmailStore<IdmtUser>).");
         }
-
-        return [];
     }
 }
\ No newline at end of file
diff --git a/src/Idmt.Plugin/Extensions/ServiceCollectionExtensions.cs b/src/Idmt.Plugin/Extensions/ServiceCollectionExtensions.cs
index b179378..a97c943 100644
--- a/src/Idmt.Plugin/Extensions/ServiceCollectionExtensions.cs
+++ b/src/Idmt.Plugin/Extensions/ServiceCollectionExtensions.cs
@@ -13,11 +13,16 @@
 using Microsoft.AspNetCore.Authentication.BearerToken;
 using Microsoft.AspNetCore.Authentication.Cookies;
 using Microsoft.AspNetCore.Authorization;
+using Microsoft.AspNetCore.Builder;
 using Microsoft.AspNetCore.Http;
 using Microsoft.AspNetCore.Identity;
+using System.Threading.RateLimiting;
 using Microsoft.EntityFrameworkCore;
 using Microsoft.Extensions.Configuration;
+using FluentValidation;
 using Microsoft.Extensions.DependencyInjection;
+using Microsoft.Extensions.DependencyInjection.Extensions;
+using Microsoft.Extensions.Options;
 
 namespace Idmt.Plugin.Extensions;
 
@@ -39,6 +44,41 @@ public static class ServiceCollectionExtensions
     /// <param name="configureDb">Optional action to configure the DbContext</param>
     /// <param name="configureOptions">Optional action to configure IDMT options</param>
     /// <returns>The service collection for method chaining</returns>
+    /// <remarks>
+    /// <para><b>OpenAPI / Swagger security scheme</b></para>
+    /// <para>
+    /// This library does not configure OpenAPI itself — the host application owns that
+    /// concern. To make the Bearer token visible in the generated OpenAPI document and
+    /// in Swagger UI, add a security scheme transformer in the host's service registration.
+    /// </para>
+    /// <para>
+    /// Example using the .NET 10 <c>IOpenApiDocumentTransformer</c> pattern:
+    /// <code>
+    /// // In Program.cs / Startup.cs of the host application:
+    /// builder.Services.AddOpenApi(options =>
+    /// {
+    ///     options.AddDocumentTransformer((document, context, cancellationToken) =>
+    ///     {
+    ///         document.Components ??= new OpenApiComponents();
+    ///         document.Components.SecuritySchemes ??= new Dictionary&lt;string, OpenApiSecurityScheme&gt;();
+    ///         document.Components.SecuritySchemes["Bearer"] = new OpenApiSecurityScheme
+    ///         {
+    ///             Type = SecuritySchemeType.Http,
+    ///             Scheme = "bearer",
+    ///             BearerFormat = "opaque",
+    ///             Description = "Enter the bearer token obtained from POST /auth/login/token"
+    ///         };
+    ///         return Task.CompletedTask;
+    ///     });
+    /// });
+    /// </code>
+    /// </para>
+    /// <para>
+    /// Alternatively, implement <c>IOpenApiDocumentTransformer</c> in a dedicated class and
+    /// register it with <c>options.AddDocumentTransformer&lt;YourTransformer&gt;()</c> for
+    /// better testability and separation of concerns.
+    /// </para>
+    /// </remarks>
     public static IServiceCollection AddIdmt<TDbContext>(
         this IServiceCollection services,
         IConfiguration configuration,
@@ -53,29 +93,30 @@ public static IServiceCollection AddIdmt<TDbContext>(
         // 2. Configure Database Contexts
         ConfigureDatabase<TDbContext>(services, configureDb, idmtOptions);
 
-        // 3. Configure MultiTenant
-        // ConfigureMultiTenant(services, idmtOptions);
-
-        // 4. Configure Identity
+        // 3. Configure Identity
         ConfigureIdentity(services, idmtOptions);
 
-        // 5. Configure Authentication
+        // 4. Configure Authentication
         ConfigureAuthentication(services, idmtOptions, customizeAuthentication);
 
-        // 6. Configure Authorization
+        // 5. Configure Authorization
         ConfigureAuthorization(services, customizeAuthorization);
 
+        // 6. Configure MultiTenant
         ConfigureMultiTenant(services, idmtOptions);
 
-        // 6. Register Application Services
+        // 7. Register Application Services
         RegisterApplicationServices(services);
 
-        // 7. Register Feature Handlers
+        // 8. Register Feature Handlers
         RegisterFeatures(services);
 
-        // 8. Register Middleware
+        // 9. Register Middleware
         RegisterMiddleware(services);
 
+        // 10. Configure Rate Limiting (auth endpoints only)
+        ConfigureRateLimiting(services, idmtOptions);
+
         return services;
     }
 
@@ -86,9 +127,11 @@ public static IServiceCollection AddIdmt(
         this IServiceCollection services,
         IConfiguration configuration,
         Action<DbContextOptionsBuilder>? configureDb = null,
-        Action<IdmtOptions>? configureOptions = null)
+        Action<IdmtOptions>? configureOptions = null,
+        CustomizeAuthentication? customizeAuthentication = null,
+        CustomizeAuthorization? customizeAuthorization = null)
     {
-        return services.AddIdmt<IdmtDbContext>(configuration, configureDb, configureOptions);
+        return services.AddIdmt<IdmtDbContext>(configuration, configureDb, configureOptions, customizeAuthentication, customizeAuthorization);
     }
 
     #region Private Configuration Methods
@@ -100,37 +143,45 @@ private static IdmtOptions ConfigureIdmtOptions(
     {
         var idmtSection = configuration.GetSection("Idmt");
 
-        // If section doesn't exist and no custom configuration, return defaults
-        if (!idmtSection.Exists() && configureOptions == null)
+        // Register the startup validator so misconfigured options surface immediately
+        // at application startup rather than on the first resolve of IOptions<IdmtOptions>.
+        services.AddSingleton<IValidateOptions<IdmtOptions>, IdmtOptionsValidator>();
+
+        // Build the canonical IdmtOptions instance exactly once.
+        // Previously, configureOptions was invoked twice: once here to build the local snapshot
+        // used during service registration, and again inside a services.Configure<IdmtOptions>
+        // lambda when IOptions<IdmtOptions> was first resolved. Registering via Options.Create
+        // wraps the fully-configured instance in a snapshot so both callers see the same object
+        // with no further binding or delegate invocations at resolve time.
+        var idmtOptions = idmtSection.Exists() ? new IdmtOptions() : IdmtOptions.Default;
+
+        if (idmtSection.Exists())
         {
-            var defaultOptions = IdmtOptions.Default;
-            services.Configure<IdmtOptions>(opts => { });
-            return defaultOptions;
+            idmtSection.Bind(idmtOptions);
         }
 
-        var idmtOptions = new IdmtOptions();
-        idmtSection.Bind(idmtOptions);
-
         // Apply defaults for empty arrays (which means they weren't configured)
         if (idmtOptions.MultiTenant.Strategies.Length == 0)
         {
             idmtOptions.MultiTenant.Strategies = IdmtOptions.Default.MultiTenant.Strategies;
         }
 
+        // The caller's delegate runs exactly once against the canonical instance.
         configureOptions?.Invoke(idmtOptions);
 
-        services.Configure<IdmtOptions>(opts =>
+        // Validate the fully-configured options eagerly. This runs during service registration
+        // (not deferred to first resolve) so misconfigurations surface immediately at startup.
+        var validator = new IdmtOptionsValidator();
+        var validationResult = validator.Validate(null, idmtOptions);
+        if (validationResult.Failed)
         {
-            idmtSection.Bind(opts);
-
-            // Apply defaults for empty arrays (which means they weren't configured)
-            if (opts.MultiTenant.Strategies.Length == 0)
-            {
-                opts.MultiTenant.Strategies = IdmtOptions.Default.MultiTenant.Strategies;
-            }
+            throw new OptionsValidationException(nameof(IdmtOptions), typeof(IdmtOptions),
+                validationResult.Failures ?? [validationResult.FailureMessage]);
+        }
 
-            configureOptions?.Invoke(opts);
-        });
+        // Register the fully-configured snapshot. Every call to IOptions<IdmtOptions>.Value
+        // returns this identical object — no re-binding or second delegate invocation occurs.
+        services.AddSingleton(Options.Create(idmtOptions));
 
         return idmtOptions;
     }
@@ -250,7 +301,7 @@ private static void ConfigureIdentity(IServiceCollection services, IdmtOptions i
         })
         .AddRoles<IdmtRole>()
         .AddEntityFrameworkStores<IdmtDbContext>()
-        .AddSignInManager<BetterSignInManager>()
+        .AddSignInManager()
         .AddClaimsPrincipalFactory<IdmtUserClaimsPrincipalFactory>()
         .AddDefaultTokenProviders();
     }
@@ -263,8 +314,8 @@ private static void ConfigureAuthentication(
         // Configure authentication with both cookie and bearer token support
         var authenticationBuilder = services.AddAuthentication(options =>
         {
-            options.DefaultScheme = AuthOptions.CookieOrBearerScheme;
-            options.DefaultChallengeScheme = AuthOptions.CookieOrBearerScheme;
+            options.DefaultScheme = IdmtAuthOptions.CookieOrBearerScheme;
+            options.DefaultChallengeScheme = IdmtAuthOptions.CookieOrBearerScheme;
         });
 
         // Cookie authentication
@@ -273,7 +324,16 @@ private static void ConfigureAuthentication(
         {
             options.Cookie.HttpOnly = idmtOptions.Identity.Cookie.HttpOnly;
             options.Cookie.SecurePolicy = idmtOptions.Identity.Cookie.SecurePolicy;
-            options.Cookie.SameSite = idmtOptions.Identity.Cookie.SameSite;
+
+            // SameSite=Strict is the primary CSRF mitigation for cookie-authenticated endpoints
+            // in this library. The browser will never attach the auth cookie to any cross-site
+            // request, eliminating the CSRF attack surface without requiring explicit anti-forgery
+            // tokens. SameSiteMode.None is explicitly blocked because it would remove all
+            // SameSite-based CSRF protection; the library falls back to Strict in that case.
+            options.Cookie.SameSite = idmtOptions.Identity.Cookie.SameSite == SameSiteMode.None
+                ? SameSiteMode.Strict
+                : idmtOptions.Identity.Cookie.SameSite;
+
             options.ExpireTimeSpan = idmtOptions.Identity.Cookie.ExpireTimeSpan;
             options.SlidingExpiration = idmtOptions.Identity.Cookie.SlidingExpiration;
 
@@ -325,7 +385,7 @@ private static void ConfigureAuthentication(
         });
 
         // PolicyScheme - automatically routes based on request
-        authenticationBuilder.AddPolicyScheme(AuthOptions.CookieOrBearerScheme, "Cookie or Bearer", options =>
+        authenticationBuilder.AddPolicyScheme(IdmtAuthOptions.CookieOrBearerScheme, "Cookie or Bearer", options =>
         {
             options.ForwardDefaultSelector = context =>
             {
@@ -348,34 +408,34 @@ private static void ConfigureAuthorization(IServiceCollection services, Customiz
     {
         // Configure authorization
         var authorizationBuilder = services.AddAuthorizationBuilder()
-            .SetDefaultPolicy(new AuthorizationPolicyBuilder(AuthOptions.CookieOrBearerScheme)
+            .SetDefaultPolicy(new AuthorizationPolicyBuilder(IdmtAuthOptions.CookieOrBearerScheme)
             .RequireAuthenticatedUser()
             .Build())
 
             // Cookie-only policy (rare - for web-specific features)
-            .AddPolicy(AuthOptions.CookieOnlyPolicy, policy => policy
+            .AddPolicy(IdmtAuthOptions.CookieOnlyPolicy, policy => policy
                 .RequireAuthenticatedUser()
                 .AddAuthenticationSchemes(IdentityConstants.ApplicationScheme))
 
             // Bearer-only policy (rare - for strict API endpoints)
-            .AddPolicy(AuthOptions.BearerOnlyPolicy, policy => policy
+            .AddPolicy(IdmtAuthOptions.BearerOnlyPolicy, policy => policy
                 .RequireAuthenticatedUser()
                 .AddAuthenticationSchemes(IdentityConstants.BearerScheme))
 
             // Add system admin policy
-            .AddPolicy(AuthOptions.RequireSysAdminPolicy, policy =>
+            .AddPolicy(IdmtAuthOptions.RequireSysAdminPolicy, policy =>
                 policy.RequireRole(IdmtDefaultRoleTypes.SysAdmin)
-                    .AddAuthenticationSchemes(AuthOptions.CookieOrBearerScheme))
+                    .AddAuthenticationSchemes(IdmtAuthOptions.CookieOrBearerScheme))
 
             // Add system user policy
-            .AddPolicy(AuthOptions.RequireSysUserPolicy, policy =>
+            .AddPolicy(IdmtAuthOptions.RequireSysUserPolicy, policy =>
                 policy.RequireRole(IdmtDefaultRoleTypes.SysAdmin, IdmtDefaultRoleTypes.SysSupport)
-                    .AddAuthenticationSchemes(AuthOptions.CookieOrBearerScheme))
+                    .AddAuthenticationSchemes(IdmtAuthOptions.CookieOrBearerScheme))
 
             // Add tenant admin policy
-            .AddPolicy(AuthOptions.RequireTenantManagerPolicy, policy =>
+            .AddPolicy(IdmtAuthOptions.RequireTenantManagerPolicy, policy =>
                 policy.RequireRole(IdmtDefaultRoleTypes.SysAdmin, IdmtDefaultRoleTypes.SysSupport, IdmtDefaultRoleTypes.TenantAdmin)
-                    .AddAuthenticationSchemes(AuthOptions.CookieOrBearerScheme));
+                    .AddAuthenticationSchemes(IdmtAuthOptions.CookieOrBearerScheme));
 
         customizeAuthorization?.Invoke(authorizationBuilder);
     }
@@ -385,9 +445,24 @@ private static void RegisterApplicationServices(IServiceCollection services)
         // Register scoped services for per-request context
         services.AddScoped<ICurrentUserService, CurrentUserService>();
         services.AddScoped<ITenantAccessService, TenantAccessService>();
+        services.AddScoped<ITenantOperationService, TenantOperationService>();
+        services.AddScoped<ITokenRevocationService, TokenRevocationService>();
+        services.AddHostedService<TokenRevocationCleanupService>();
         services.AddScoped<IIdmtLinkGenerator, IdmtLinkGenerator>();
         services.AddTransient<IEmailSender<IdmtUser>, IdmtEmailSender>();
 
+        // Issue 23 fix: warn at startup if the stub email sender is still registered.
+        // If the consumer replaces IEmailSender<IdmtUser> with a real implementation before or
+        // after calling AddIdmt, ASP.NET Core DI resolves the last-registered descriptor, so the
+        // hosted service will resolve the custom sender and the warning will not be emitted.
+        services.AddHostedService<IdmtEmailSenderStartupCheck>();
+
+        // Register TimeProvider for testable time access
+        services.TryAddSingleton(TimeProvider.System);
+
+        // Register FluentValidation validators
+        services.AddValidatorsFromAssemblyContaining<IdmtOptions>(ServiceLifetime.Scoped);
+
         // Register HTTP context accessor for service access to HTTP context
         services.AddHttpContextAccessor();
     }
@@ -431,5 +506,27 @@ private static void RegisterMiddleware(IServiceCollection services)
         services.AddScoped<ValidateBearerTokenTenantMiddleware>();
     }
 
+    private static void ConfigureRateLimiting(IServiceCollection services, IdmtOptions idmtOptions)
+    {
+        if (!idmtOptions.RateLimiting.Enabled)
+        {
+            return;
+        }
+
+        services.AddRateLimiter(options =>
+        {
+            options.AddPolicy("idmt-auth", context =>
+                RateLimitPartition.GetFixedWindowLimiter(
+                    partitionKey: context.Connection.RemoteIpAddress?.ToString() ?? "unknown",
+                    factory: _ => new FixedWindowRateLimiterOptions
+                    {
+                        PermitLimit = idmtOptions.RateLimiting.PermitLimit,
+                        Window = TimeSpan.FromSeconds(idmtOptions.RateLimiting.WindowInSeconds),
+                        QueueLimit = 0
+                    }));
+            options.RejectionStatusCode = StatusCodes.Status429TooManyRequests;
+        });
+    }
+
     #endregion
 }
\ No newline at end of file
diff --git a/src/Idmt.Plugin/Features/Admin/AdminModels.cs b/src/Idmt.Plugin/Features/Admin/AdminModels.cs
new file mode 100644
index 0000000..34e2941
--- /dev/null
+++ b/src/Idmt.Plugin/Features/Admin/AdminModels.cs
@@ -0,0 +1,26 @@
+namespace Idmt.Plugin.Features.Admin;
+
+public sealed record TenantInfoResponse(
+    string Id,
+    string Identifier,
+    string Name,
+    string Plan,
+    bool IsActive
+);
+
+/// <summary>
+/// Generic paginated response envelope.
+/// </summary>
+/// <typeparam name="T">The item type contained in the page.</typeparam>
+/// <param name="Items">The items on the current page.</param>
+/// <param name="TotalCount">Total number of matching items across all pages.</param>
+/// <param name="Page">The 1-based current page number.</param>
+/// <param name="PageSize">The maximum number of items per page (capped at 100).</param>
+/// <param name="HasMore">True when additional pages exist after this one.</param>
+public sealed record PaginatedResponse<T>(
+    IReadOnlyList<T> Items,
+    int TotalCount,
+    int Page,
+    int PageSize,
+    bool HasMore
+);
diff --git a/src/Idmt.Plugin/Features/Admin/CreateTenant.cs b/src/Idmt.Plugin/Features/Admin/CreateTenant.cs
index be18c50..4b73a52 100644
--- a/src/Idmt.Plugin/Features/Admin/CreateTenant.cs
+++ b/src/Idmt.Plugin/Features/Admin/CreateTenant.cs
@@ -1,6 +1,10 @@
+using ErrorOr;
 using Finbuckle.MultiTenant.Abstractions;
+using FluentValidation;
 using Idmt.Plugin.Configuration;
+using Idmt.Plugin.Errors;
 using Idmt.Plugin.Models;
+using Idmt.Plugin.Services;
 using Idmt.Plugin.Validation;
 using Microsoft.AspNetCore.Builder;
 using Microsoft.AspNetCore.Http;
@@ -18,31 +22,27 @@ public static class CreateTenant
 {
     public sealed record CreateTenantRequest(
         string Identifier,
-        string Name,
-        string DisplayName
+        string Name
     );
 
     public sealed record CreateTenantResponse(
         string Id,
         string Identifier,
-        string Name,
-        string DisplayName
+        string Name
     );
 
     public interface ICreateTenantHandler
     {
-        Task<Result<CreateTenantResponse>> HandleAsync(CreateTenantRequest request, CancellationToken cancellationToken = default);
+        Task<ErrorOr<CreateTenantResponse>> HandleAsync(CreateTenantRequest request, CancellationToken cancellationToken = default);
     }
 
     internal sealed class CreateTenantHandler(
         IMultiTenantStore<IdmtTenantInfo> tenantStore,
-        IMultiTenantContextSetter tenantContextSetter,
-        IMultiTenantContextAccessor tenantContextAccessor,
-        IServiceProvider serviceProvider,
+        ITenantOperationService tenantOps,
         IOptions<IdmtOptions> options,
         ILogger<CreateTenantHandler> logger) : ICreateTenantHandler
     {
-        public async Task<Result<CreateTenantResponse>> HandleAsync(CreateTenantRequest request, CancellationToken cancellationToken = default)
+        public async Task<ErrorOr<CreateTenantResponse>> HandleAsync(CreateTenantRequest request, CancellationToken cancellationToken = default)
         {
             IdmtTenantInfo resultTenant;
 
@@ -51,26 +51,25 @@ public async Task<Result<CreateTenantResponse>> HandleAsync(CreateTenantRequest
                 var existingTenant = await tenantStore.GetByIdentifierAsync(request.Identifier);
                 if (existingTenant is not null)
                 {
-                    if (!existingTenant.IsActive)
+                    if (existingTenant.IsActive)
                     {
-                        existingTenant = existingTenant with { IsActive = true };
-                        if (!await tenantStore.UpdateAsync(existingTenant))
-                        {
-                            return Result.Failure<CreateTenantResponse>("Failed to update tenant", StatusCodes.Status500InternalServerError);
-                        }
+                        return IdmtErrors.Tenant.AlreadyExists;
+                    }
+
+                    existingTenant = existingTenant with { IsActive = true };
+                    if (!await tenantStore.UpdateAsync(existingTenant))
+                    {
+                        return IdmtErrors.Tenant.UpdateFailed;
                     }
                     resultTenant = existingTenant;
                 }
                 else
                 {
-                    var tenant = new IdmtTenantInfo(request.Identifier, request.Name)
-                    {
-                        DisplayName = request.DisplayName
-                    };
+                    var tenant = new IdmtTenantInfo(request.Identifier, request.Name);
 
                     if (!await tenantStore.AddAsync(tenant))
                     {
-                        return Result.Failure<CreateTenantResponse>("Failed to create tenant", StatusCodes.Status400BadRequest);
+                        return IdmtErrors.Tenant.CreationFailed;
                     }
                     resultTenant = tenant;
                 }
@@ -78,7 +77,7 @@ public async Task<Result<CreateTenantResponse>> HandleAsync(CreateTenantRequest
             catch (Exception ex)
             {
                 logger.LogError(ex, "Error creating tenant with identifier {Identifier}", request.Identifier);
-                return Result.Failure<CreateTenantResponse>($"Error creating tenant: {ex.Message}", StatusCodes.Status500InternalServerError);
+                return IdmtErrors.General.Unexpected;
             }
 
             try
@@ -86,19 +85,19 @@ public async Task<Result<CreateTenantResponse>> HandleAsync(CreateTenantRequest
                 bool ok = await GuaranteeTenantRolesAsync(resultTenant);
                 if (!ok)
                 {
-                    return Result.Failure<CreateTenantResponse>($"Failed to guarantee tenant roles.", StatusCodes.Status500InternalServerError);
+                    return IdmtErrors.Tenant.RoleSeedFailed;
                 }
             }
             catch (Exception ex)
             {
                 logger.LogError(ex, "Error seeding roles for tenant {Identifier}", request.Identifier);
+                return IdmtErrors.Tenant.RoleSeedFailed;
             }
 
-            return Result.Success(new CreateTenantResponse(
+            return new CreateTenantResponse(
                 resultTenant.Id ?? string.Empty,
                 resultTenant.Identifier ?? string.Empty,
-                resultTenant.Name ?? string.Empty,
-                resultTenant.DisplayName ?? string.Empty), StatusCodes.Status200OK);
+                resultTenant.Name ?? string.Empty);
         }
 
         private async Task<bool> GuaranteeTenantRolesAsync(IdmtTenantInfo tenantInfo)
@@ -109,81 +108,52 @@ private async Task<bool> GuaranteeTenantRolesAsync(IdmtTenantInfo tenantInfo)
                 roles = [.. roles, .. options.Value.Identity.ExtraRoles];
             }
 
-            // Set tenant context before seeding roles to avoid NullReferenceException with multi-tenant filters
-            var previousContext = tenantContextAccessor.MultiTenantContext;
-            try
+            var result = await tenantOps.ExecuteInTenantScopeAsync(tenantInfo.Identifier!, async provider =>
             {
-                tenantContextSetter.MultiTenantContext = new MultiTenantContext<IdmtTenantInfo>(tenantInfo);
-
-                // Seed default roles
-                using var scope = serviceProvider.CreateScope();
-                var roleManager = scope.ServiceProvider.GetRequiredService<RoleManager<IdmtRole>>();
+                var roleManager = provider.GetRequiredService<RoleManager<IdmtRole>>();
                 foreach (var role in roles)
                 {
                     if (!await roleManager.RoleExistsAsync(role))
                     {
-                        var result = await roleManager.CreateAsync(new IdmtRole(role));
-                        if (!result.Succeeded)
+                        var createResult = await roleManager.CreateAsync(new IdmtRole(role));
+                        if (!createResult.Succeeded)
                         {
-                            return false;
+                            return IdmtErrors.Tenant.RoleSeedFailed;
                         }
                     }
                 }
-            }
-            finally
-            {
-                // Restore previous context
-                tenantContextSetter.MultiTenantContext = previousContext;
-            }
+                return Result.Success;
+            }, requireActive: false);
 
-            return true;
+            return !result.IsError;
         }
     }
 
-    public static Dictionary<string, string[]>? Validate(this CreateTenantRequest request)
-    {
-        var errors = new Dictionary<string, string[]>();
-
-        if (string.IsNullOrEmpty(request.Identifier))
-        {
-            errors["Identifier"] = ["Identifier is required"];
-        }
-        else if (!Validators.IsValidTenantIdentifier(request.Identifier))
-        {
-            errors["Identifier"] = ["Identifier can only contain lowercase alphanumeric characters, dashes, and underscores"];
-        }
-        if (string.IsNullOrEmpty(request.Name))
-        {
-            errors["Name"] = ["Name is required"];
-        }
-        if (string.IsNullOrEmpty(request.DisplayName))
-        {
-            errors["DisplayName"] = ["Display Name is required"];
-        }
-
-        return errors.Count > 0 ? errors : null;
-    }
-
     public static RouteHandlerBuilder MapCreateTenantEndpoint(this IEndpointRouteBuilder endpoints)
     {
-        return endpoints.MapPost("/tenants", static async Task<Results<Ok<CreateTenantResponse>, Created<CreateTenantResponse>, ValidationProblem, BadRequest>> (
+        return endpoints.MapPost("/tenants", async Task<Results<Created<CreateTenantResponse>, ValidationProblem, Conflict, BadRequest, ProblemHttpResult>> (
             [FromBody] CreateTenantRequest request,
             [FromServices] ICreateTenantHandler handler,
+            [FromServices] IValidator<CreateTenantRequest> validator,
             HttpContext context) =>
         {
-            if (request.Validate() is { } validationErrors)
+            if (ValidationHelper.Validate(request, validator) is { } validationErrors)
             {
                 return TypedResults.ValidationProblem(validationErrors);
             }
             var response = await handler.HandleAsync(request, cancellationToken: context.RequestAborted);
-            if (!response.IsSuccess)
+            if (response.IsError)
             {
-                return TypedResults.BadRequest();
+                return response.FirstError.Type switch
+                {
+                    ErrorType.Conflict => TypedResults.Conflict(),
+                    ErrorType.Validation => TypedResults.BadRequest(),
+                    _ => TypedResults.Problem(response.FirstError.Description, statusCode: StatusCodes.Status500InternalServerError),
+                };
             }
-            return TypedResults.Ok(response.Value);
+            return TypedResults.Created($"/admin/tenants/{response.Value.Identifier}", response.Value);
         })
-        .RequireAuthorization(AuthOptions.RequireSysUserPolicy)
         .WithSummary("Create Tenant")
         .WithDescription("Create a new tenant in the system or reactivate an existing inactive tenant");
     }
-}
\ No newline at end of file
+}
diff --git a/src/Idmt.Plugin/Features/Admin/DeleteTenant.cs b/src/Idmt.Plugin/Features/Admin/DeleteTenant.cs
index 080cc8b..bc9cdb6 100644
--- a/src/Idmt.Plugin/Features/Admin/DeleteTenant.cs
+++ b/src/Idmt.Plugin/Features/Admin/DeleteTenant.cs
@@ -1,5 +1,7 @@
+using ErrorOr;
 using Finbuckle.MultiTenant.Abstractions;
 using Idmt.Plugin.Configuration;
+using Idmt.Plugin.Errors;
 using Idmt.Plugin.Models;
 using Microsoft.AspNetCore.Builder;
 using Microsoft.AspNetCore.Http;
@@ -14,38 +16,38 @@ public static class DeleteTenant
 {
     public interface IDeleteTenantHandler
     {
-        Task<Result> HandleAsync(string tenantIdentifier, CancellationToken cancellationToken = default);
+        Task<ErrorOr<Success>> HandleAsync(string tenantIdentifier, CancellationToken cancellationToken = default);
     }
 
     internal sealed class DeleteTenantHandler(
         IMultiTenantStore<IdmtTenantInfo> tenantStore,
         ILogger<DeleteTenantHandler> logger) : IDeleteTenantHandler
     {
-        public async Task<Result> HandleAsync(string tenantIdentifier, CancellationToken cancellationToken = default)
+        public async Task<ErrorOr<Success>> HandleAsync(string tenantIdentifier, CancellationToken cancellationToken = default)
         {
             try
             {
                 if (string.Compare(tenantIdentifier, MultiTenantOptions.DefaultTenantIdentifier, StringComparison.OrdinalIgnoreCase) == 0)
                 {
-                    return Result.Failure("Cannot delete the default tenant", StatusCodes.Status403Forbidden);
+                    return IdmtErrors.Tenant.CannotDeleteDefault;
                 }
                 var tenant = await tenantStore.GetByIdentifierAsync(tenantIdentifier);
                 if (tenant is null)
                 {
-                    return Result.Failure("Tenant not found", StatusCodes.Status404NotFound);
+                    return IdmtErrors.Tenant.NotFound;
                 }
                 tenant = tenant with { IsActive = false };
                 var updateResult = await tenantStore.UpdateAsync(tenant);
                 if (!updateResult)
                 {
-                    return Result.Failure("Failed to delete tenant", StatusCodes.Status500InternalServerError);
+                    return IdmtErrors.Tenant.DeletionFailed;
                 }
-                return Result.Success();
+                return Result.Success;
             }
             catch (Exception ex)
             {
                 logger.LogError(ex, "An error occurred while deleting tenant with ID {TenantId}", tenantIdentifier);
-                return Result.Failure($"An error occurred while deleting the tenant: {ex.Message}", StatusCodes.Status500InternalServerError);
+                return IdmtErrors.General.Unexpected;
             }
         }
     }
@@ -58,19 +60,19 @@ public static RouteHandlerBuilder MapDeleteTenantEndpoint(this IEndpointRouteBui
             CancellationToken cancellationToken = default) =>
         {
             var result = await handler.HandleAsync(tenantIdentifier, cancellationToken);
-            if (!result.IsSuccess)
+            if (result.IsError)
             {
-                return result.StatusCode switch
+                return result.FirstError.Type switch
                 {
-                    StatusCodes.Status403Forbidden => TypedResults.Forbid(),
-                    StatusCodes.Status404NotFound => TypedResults.NotFound(),
+                    ErrorType.Forbidden => TypedResults.Forbid(),
+                    ErrorType.NotFound => TypedResults.NotFound(),
                     _ => TypedResults.InternalServerError(),
                 };
             }
             return TypedResults.NoContent();
         })
-        .RequireAuthorization(AuthOptions.RequireSysAdminPolicy)
+        .RequireAuthorization(IdmtAuthOptions.RequireSysUserPolicy)
         .WithSummary("Delete tenant")
         .WithDescription("Soft deletes a tenant by its identifier");
     }
-}
\ No newline at end of file
+}
diff --git a/src/Idmt.Plugin/Features/Admin/GetAllTenants.cs b/src/Idmt.Plugin/Features/Admin/GetAllTenants.cs
index b5f3f4e..3eda88d 100644
--- a/src/Idmt.Plugin/Features/Admin/GetAllTenants.cs
+++ b/src/Idmt.Plugin/Features/Admin/GetAllTenants.cs
@@ -1,65 +1,94 @@
-using Finbuckle.MultiTenant.Abstractions;
+using ErrorOr;
 using Idmt.Plugin.Configuration;
+using Idmt.Plugin.Errors;
 using Idmt.Plugin.Models;
+using Idmt.Plugin.Persistence;
 using Microsoft.AspNetCore.Builder;
 using Microsoft.AspNetCore.Http;
 using Microsoft.AspNetCore.Http.HttpResults;
 using Microsoft.AspNetCore.Routing;
+using Microsoft.EntityFrameworkCore;
 using Microsoft.Extensions.Logging;
 
 namespace Idmt.Plugin.Features.Admin;
 
 public static class GetAllTenants
 {
+    private const int MaxPageSize = 100;
+
     public interface IGetAllTenantsHandler
     {
-        Task<Result<TenantInfoResponse[]>> HandleAsync(CancellationToken cancellationToken = default);
+        Task<ErrorOr<PaginatedResponse<TenantInfoResponse>>> HandleAsync(
+            int page,
+            int pageSize,
+            CancellationToken cancellationToken = default);
     }
 
     internal sealed class GetAllTenantsHandler(
-        IMultiTenantStore<IdmtTenantInfo> tenantStore,
+        IdmtDbContext dbContext,
         ILogger<GetAllTenantsHandler> logger) : IGetAllTenantsHandler
     {
-        public async Task<Result<TenantInfoResponse[]>> HandleAsync(CancellationToken cancellationToken = default)
+        public async Task<ErrorOr<PaginatedResponse<TenantInfoResponse>>> HandleAsync(
+            int page,
+            int pageSize,
+            CancellationToken cancellationToken = default)
         {
             try
             {
-                var tenants = await tenantStore.GetAllAsync();
-                var res = tenants
-                .Where(t => t is not null && !string.Equals(t.Identifier, MultiTenantOptions.DefaultTenantIdentifier, StringComparison.OrdinalIgnoreCase))
-                .OrderBy(t => t.Name)
-                .Select(t => new TenantInfoResponse(
-                    t!.Id ?? string.Empty,
-                    t.Identifier ?? string.Empty,
-                    t.Name ?? string.Empty,
-                    t.DisplayName ?? string.Empty,
-                    t.Plan ?? string.Empty,
-                    t.IsActive)).ToArray();
+                // Build a server-side query — no in-memory materialisation before pagination.
+                var query = dbContext.Set<IdmtTenantInfo>()
+                    .Where(t => t.Identifier != MultiTenantOptions.DefaultTenantIdentifier)
+                    .OrderBy(t => t.Name);
+
+                var totalCount = await query.CountAsync(cancellationToken);
+
+                var items = await query
+                    .Skip((page - 1) * pageSize)
+                    .Take(pageSize)
+                    .Select(t => new TenantInfoResponse(
+                        t.Id ?? string.Empty,
+                        t.Identifier ?? string.Empty,
+                        t.Name ?? string.Empty,
+                        t.Plan ?? string.Empty,
+                        t.IsActive))
+                    .ToListAsync(cancellationToken);
 
-                return Result.Success(res);
+                var response = new PaginatedResponse<TenantInfoResponse>(
+                    items,
+                    totalCount,
+                    page,
+                    pageSize,
+                    HasMore: (page - 1) * pageSize + items.Count < totalCount);
+
+                return response;
             }
             catch (Exception ex)
             {
                 logger.LogError(ex, "An error occurred while retrieving all tenants");
-                return Result.Failure<TenantInfoResponse[]>($"An error occurred while retrieving tenants: {ex.Message}", StatusCodes.Status500InternalServerError);
+                return IdmtErrors.General.Unexpected;
             }
         }
     }
 
     public static RouteHandlerBuilder MapGetAllTenantsEndpoint(this IEndpointRouteBuilder endpoints)
     {
-        return endpoints.MapGet("/tenants", async Task<Results<Ok<TenantInfoResponse[]>, InternalServerError>> (
+        return endpoints.MapGet("/tenants", async Task<Results<Ok<PaginatedResponse<TenantInfoResponse>>, InternalServerError>> (
             IGetAllTenantsHandler handler,
-            CancellationToken cancellationToken) =>
+            CancellationToken cancellationToken,
+            [Microsoft.AspNetCore.Mvc.FromQuery] int page = 1,
+            [Microsoft.AspNetCore.Mvc.FromQuery] int pageSize = 25) =>
         {
-            var result = await handler.HandleAsync(cancellationToken);
-            if (!result.IsSuccess)
+            page = Math.Max(1, page);
+            pageSize = Math.Clamp(pageSize, 1, MaxPageSize);
+
+            var result = await handler.HandleAsync(page, pageSize, cancellationToken);
+            if (result.IsError)
             {
                 return TypedResults.InternalServerError();
             }
-            return TypedResults.Ok(result.Value!);
+            return TypedResults.Ok(result.Value);
         })
-        .RequireAuthorization(AuthOptions.RequireSysUserPolicy)
-        .WithSummary("Get tenants accessible by user");
+        .RequireAuthorization(IdmtAuthOptions.RequireSysUserPolicy)
+        .WithSummary("Get all tenants");
     }
-}
\ No newline at end of file
+}
diff --git a/src/Idmt.Plugin/Features/Admin/GetSystemInfo.cs b/src/Idmt.Plugin/Features/Admin/GetSystemInfo.cs
deleted file mode 100644
index 5f00e7b..0000000
--- a/src/Idmt.Plugin/Features/Admin/GetSystemInfo.cs
+++ /dev/null
@@ -1,63 +0,0 @@
-using Finbuckle.MultiTenant.Abstractions;
-using Idmt.Plugin.Configuration;
-using Microsoft.AspNetCore.Builder;
-using Microsoft.AspNetCore.Http;
-using Microsoft.AspNetCore.Http.HttpResults;
-using Microsoft.AspNetCore.Mvc;
-using Microsoft.AspNetCore.Routing;
-
-namespace Idmt.Plugin.Features.Admin;
-
-public static class GetSystemInfo
-{
-    public sealed record SystemInfoResponse
-    {
-        public string ApplicationName { get; set; } = string.Empty;
-        public string Version { get; set; } = string.Empty;
-        public string Environment { get; set; } = string.Empty;
-        public TenantInfo? CurrentTenant { get; set; }
-        public DateTime ServerTime { get; set; }
-        public List<string> Features { get; set; } = [];
-    }
-
-    public sealed record TenantInfo
-    {
-        public string? Id { get; set; }
-        public string? Name { get; set; }
-        public string? Identifier { get; set; }
-    }
-
-    public static RouteHandlerBuilder MapGetSystemInfoEndpoint(this IEndpointRouteBuilder endpoints)
-    {
-        return endpoints.MapGet("/info", Task<Ok<SystemInfoResponse>> (
-            [FromServices] IMultiTenantContextAccessor tenantAccessor) =>
-        {
-            var currentTenant = tenantAccessor.MultiTenantContext?.TenantInfo;
-
-            var systemInfo = new SystemInfoResponse
-            {
-                ApplicationName = "IDMT Sample API",
-                Version = "1.0.0",
-                Environment = System.Environment.GetEnvironmentVariable("ASPNETCORE_ENVIRONMENT") ?? "Production",
-                CurrentTenant = currentTenant != null ? new TenantInfo
-                {
-                    Id = currentTenant.Id,
-                    Name = currentTenant.Name,
-                    Identifier = currentTenant.Identifier
-                } : null,
-                ServerTime = DT.UtcNow,
-                Features =
-                [
-                    "Multi-Tenant Support",
-                    "Vertical Slice Architecture",
-                    "Minimal APIs",
-                    "OpenAPI/Swagger Documentation"
-                ]
-            };
-
-            return Task.FromResult(TypedResults.Ok(systemInfo));
-        })
-        .RequireAuthorization(AuthOptions.RequireSysUserPolicy)
-        .WithSummary("Detailed system information");
-    }
-}
diff --git a/src/Idmt.Plugin/Features/Admin/GetUserTenants.cs b/src/Idmt.Plugin/Features/Admin/GetUserTenants.cs
index e13a4d8..fc4a3fb 100644
--- a/src/Idmt.Plugin/Features/Admin/GetUserTenants.cs
+++ b/src/Idmt.Plugin/Features/Admin/GetUserTenants.cs
@@ -1,5 +1,6 @@
-using Finbuckle.MultiTenant.Abstractions;
+using ErrorOr;
 using Idmt.Plugin.Configuration;
+using Idmt.Plugin.Errors;
 using Idmt.Plugin.Models;
 using Idmt.Plugin.Persistence;
 using Microsoft.AspNetCore.Builder;
@@ -11,72 +12,94 @@
 
 namespace Idmt.Plugin.Features.Admin;
 
-public sealed record TenantInfoResponse(
-    string Id,
-    string Identifier,
-    string Name,
-    string DisplayName,
-    string Plan,
-    bool IsActive
-);
-
 public static class GetUserTenants
 {
+    private const int MaxPageSize = 100;
+
     public interface IGetUserTenantsHandler
     {
-        Task<Result<TenantInfoResponse[]>> HandleAsync(Guid userId, CancellationToken cancellationToken = default);
+        Task<ErrorOr<PaginatedResponse<TenantInfoResponse>>> HandleAsync(
+            Guid userId,
+            int page,
+            int pageSize,
+            CancellationToken cancellationToken = default);
     }
 
     internal sealed class GetUserTenantsHandler(
         IdmtDbContext dbContext,
-        IMultiTenantStore<IdmtTenantInfo> tenantStore,
+        TimeProvider timeProvider,
         ILogger<GetUserTenantsHandler> logger) : IGetUserTenantsHandler
     {
-        public async Task<Result<TenantInfoResponse[]>> HandleAsync(Guid userId, CancellationToken cancellationToken = default)
+        public async Task<ErrorOr<PaginatedResponse<TenantInfoResponse>>> HandleAsync(
+            Guid userId,
+            int page,
+            int pageSize,
+            CancellationToken cancellationToken = default)
         {
             try
             {
-                var tenantIds = await dbContext.TenantAccess
-                    .Where(ta => ta.UserId == userId && ta.IsActive)
-                    .Select(ta => ta.TenantId)
-                    .ToArrayAsync(cancellationToken);
+                var now = timeProvider.GetUtcNow();
 
-                var tenantTasks = tenantIds.Select(tenantStore.GetAsync);
-                var tenants = await Task.WhenAll(tenantTasks);
+                // Base query: join TenantAccess with TenantInfo, ordered deterministically.
+                var query = dbContext.TenantAccess
+                    .Where(ta => ta.UserId == userId && ta.IsActive &&
+                                 (ta.ExpiresAt == null || ta.ExpiresAt > now))
+                    .Join(dbContext.Set<IdmtTenantInfo>(),
+                        ta => ta.TenantId,
+                        ti => ti.Id,
+                        (ta, ti) => ti)
+                    .OrderBy(ti => ti.Name);
 
-                var res = tenants.Where(t => t != null).Select(t => new TenantInfoResponse(
-                    t!.Id ?? string.Empty,
-                    t.Identifier ?? string.Empty,
-                    t.Name ?? string.Empty,
-                    t.DisplayName ?? string.Empty,
-                    t.Plan ?? string.Empty,
-                    t.IsActive)).ToArray();
+                var totalCount = await query.CountAsync(cancellationToken);
 
-                return Result.Success(res);
+                var items = await query
+                    .Skip((page - 1) * pageSize)
+                    .Take(pageSize)
+                    .Select(ti => new TenantInfoResponse(
+                        ti.Id ?? string.Empty,
+                        ti.Identifier ?? string.Empty,
+                        ti.Name ?? string.Empty,
+                        ti.Plan ?? string.Empty,
+                        ti.IsActive))
+                    .ToListAsync(cancellationToken);
+
+                var response = new PaginatedResponse<TenantInfoResponse>(
+                    items,
+                    totalCount,
+                    page,
+                    pageSize,
+                    HasMore: (page - 1) * pageSize + items.Count < totalCount);
+
+                return response;
             }
             catch (Exception ex)
             {
                 logger.LogError(ex, "An error occurred while retrieving tenants for user {UserId}", userId);
-                return Result.Failure<TenantInfoResponse[]>($"An error occurred while retrieving tenants: {ex.Message}", StatusCodes.Status500InternalServerError);
+                return IdmtErrors.General.Unexpected;
             }
         }
     }
 
     public static RouteHandlerBuilder MapGetUserTenantsEndpoint(this IEndpointRouteBuilder endpoints)
     {
-        return endpoints.MapGet("/users/{userId:guid}/tenants", async Task<Results<Ok<TenantInfoResponse[]>, InternalServerError>> (
+        return endpoints.MapGet("/users/{userId:guid}/tenants", async Task<Results<Ok<PaginatedResponse<TenantInfoResponse>>, InternalServerError>> (
             Guid userId,
             IGetUserTenantsHandler handler,
-            CancellationToken cancellationToken) =>
+            CancellationToken cancellationToken,
+            [Microsoft.AspNetCore.Mvc.FromQuery] int page = 1,
+            [Microsoft.AspNetCore.Mvc.FromQuery] int pageSize = 25) =>
         {
-            var result = await handler.HandleAsync(userId, cancellationToken);
-            if (!result.IsSuccess)
+            page = Math.Max(1, page);
+            pageSize = Math.Clamp(pageSize, 1, MaxPageSize);
+
+            var result = await handler.HandleAsync(userId, page, pageSize, cancellationToken);
+            if (result.IsError)
             {
                 return TypedResults.InternalServerError();
             }
-            return TypedResults.Ok(result.Value!);
+            return TypedResults.Ok(result.Value);
         })
-        .RequireAuthorization(AuthOptions.RequireSysUserPolicy)
+        .RequireAuthorization(IdmtAuthOptions.RequireSysUserPolicy)
         .WithSummary("Get tenants accessible by user");
     }
 }
diff --git a/src/Idmt.Plugin/Features/Admin/GrantTenantAccess.cs b/src/Idmt.Plugin/Features/Admin/GrantTenantAccess.cs
index 2b1b71c..7c6e507 100644
--- a/src/Idmt.Plugin/Features/Admin/GrantTenantAccess.cs
+++ b/src/Idmt.Plugin/Features/Admin/GrantTenantAccess.cs
@@ -1,7 +1,10 @@
+using ErrorOr;
 using Finbuckle.MultiTenant.Abstractions;
 using Idmt.Plugin.Configuration;
+using Idmt.Plugin.Errors;
 using Idmt.Plugin.Models;
 using Idmt.Plugin.Persistence;
+using Idmt.Plugin.Services;
 using Microsoft.AspNetCore.Builder;
 using Microsoft.AspNetCore.Http;
 using Microsoft.AspNetCore.Http.HttpResults;
@@ -16,105 +19,101 @@ namespace Idmt.Plugin.Features.Admin;
 
 public static class GrantTenantAccess
 {
-    public sealed record GrantAccessRequest(DateTime? ExpiresAt);
+    public sealed record GrantAccessRequest(DateTimeOffset? ExpiresAt);
 
     public interface IGrantTenantAccessHandler
     {
-        Task<Result> HandleAsync(Guid userId, string tenantIdentifier, DateTime? expiresAt = null, CancellationToken cancellationToken = default);
+        Task<ErrorOr<Success>> HandleAsync(Guid userId, string tenantIdentifier, DateTimeOffset? expiresAt = null, CancellationToken cancellationToken = default);
     }
 
+    // Issue 19 fix: inject IdmtDbContext, UserManager<IdmtUser>, and IMultiTenantStore<IdmtTenantInfo>
+    // as constructor parameters rather than resolving them from a manually-created IServiceProvider
+    // scope. The manual scope bypassed the request lifetime, causing audit-log fields that depend on
+    // ICurrentUserService (resolved through the request scope) to be null.
     internal sealed class GrantTenantAccessHandler(
-        IServiceProvider serviceProvider,
+        IdmtDbContext dbContext,
+        UserManager<IdmtUser> userManager,
+        IMultiTenantStore<IdmtTenantInfo> tenantStore,
+        ITenantOperationService tenantOps,
+        TimeProvider timeProvider,
         ILogger<GrantTenantAccessHandler> logger
         ) : IGrantTenantAccessHandler
     {
-        public async Task<Result> HandleAsync(Guid userId, string tenantIdentifier, DateTime? expiresAt = null, CancellationToken cancellationToken = default)
+        public async Task<ErrorOr<Success>> HandleAsync(Guid userId, string tenantIdentifier, DateTimeOffset? expiresAt = null, CancellationToken cancellationToken = default)
         {
-            IdmtUser? user = null;
-            IdmtTenantInfo? targetTenant = null;
-            IList<string> userRoles = [];
-            using (var scope = serviceProvider.CreateScope())
+            if (expiresAt.HasValue && expiresAt.Value <= timeProvider.GetUtcNow())
             {
-                var sp = scope.ServiceProvider;
+                return Error.Validation("ExpiresAt", "Expiration date must be in the future");
+            }
 
-                try
+            IdmtUser? user;
+            IdmtTenantInfo? targetTenant;
+            IList<string> userRoles;
+
+            try
+            {
+                user = await dbContext.Users.FirstOrDefaultAsync(u => u.Id == userId, cancellationToken);
+                if (user is null)
                 {
-                    var dbContext = sp.GetRequiredService<IdmtDbContext>();
-                    var userManager = sp.GetRequiredService<UserManager<IdmtUser>>();
-                    var tenantStore = sp.GetRequiredService<IMultiTenantStore<IdmtTenantInfo>>();
+                    return IdmtErrors.User.NotFound;
+                }
 
-                    user = await dbContext.Users.FirstOrDefaultAsync(u => u.Id == userId, cancellationToken);
-                    if (user is null)
-                    {
-                        return Result.Failure("User not found", StatusCodes.Status404NotFound);
-                    }
+                targetTenant = await tenantStore.GetByIdentifierAsync(tenantIdentifier);
+                if (targetTenant is null)
+                {
+                    return IdmtErrors.Tenant.NotFound;
+                }
 
-                    targetTenant = await tenantStore.GetByIdentifierAsync(tenantIdentifier);
-                    if (targetTenant is null)
-                    {
-                        return Result.Failure("Tenant not found", StatusCodes.Status404NotFound);
-                    }
+                if (!targetTenant.IsActive)
+                {
+                    return IdmtErrors.Tenant.Inactive;
+                }
 
-                    userRoles = await userManager.GetRolesAsync(user);
-                    if (userRoles.Count == 0)
-                    {
-                        logger.LogWarning("User {UserId} has no roles assigned; cannot grant tenant access.", userId);
-                        return Result.Failure("User has no roles assigned", StatusCodes.Status400BadRequest);
-                    }
+                userRoles = await userManager.GetRolesAsync(user);
+                if (userRoles.Count == 0)
+                {
+                    logger.LogWarning("User {UserId} has no roles assigned; cannot grant tenant access.", userId);
+                    return IdmtErrors.User.NoRolesAssigned;
+                }
 
-                    var tenantAccess = await dbContext.TenantAccess
-                        .FirstOrDefaultAsync(ta => ta.UserId == userId && ta.TenantId == targetTenant.Id, cancellationToken);
-                    if (tenantAccess is not null)
-                    {
-                        tenantAccess.IsActive = true;
-                        tenantAccess.ExpiresAt = expiresAt;
-                        dbContext.TenantAccess.Update(tenantAccess);
-                    }
-                    else
-                    {
-                        tenantAccess = new TenantAccess
-                        {
-                            UserId = userId,
-                            TenantId = targetTenant.Id,
-                            IsActive = true,
-                            ExpiresAt = expiresAt
-                        };
-                        dbContext.TenantAccess.Add(tenantAccess);
-                    }
-                    await dbContext.SaveChangesAsync(cancellationToken);
+                var tenantAccess = await dbContext.TenantAccess
+                    .FirstOrDefaultAsync(ta => ta.UserId == userId && ta.TenantId == targetTenant.Id, cancellationToken);
+                if (tenantAccess is not null)
+                {
+                    tenantAccess.IsActive = true;
+                    tenantAccess.ExpiresAt = expiresAt;
+                    dbContext.TenantAccess.Update(tenantAccess);
                 }
-                catch (Exception ex)
+                else
                 {
-                    logger.LogError(ex, "Error granting tenant access to user {UserId} for tenant {TenantIdentifier}", userId, tenantIdentifier);
-                    return Result.Failure("An error occurred while granting tenant access", StatusCodes.Status500InternalServerError);
+                    tenantAccess = new TenantAccess
+                    {
+                        UserId = userId,
+                        TenantId = targetTenant.Id,
+                        IsActive = true,
+                        ExpiresAt = expiresAt
+                    };
+                    dbContext.TenantAccess.Add(tenantAccess);
                 }
             }
-
-            using (var scope = serviceProvider.CreateScope())
+            catch (Exception ex)
             {
-                var sp = scope.ServiceProvider;
-
-                var tenantStore = sp.GetRequiredService<IMultiTenantStore<IdmtTenantInfo>>();
-                var tenantInfo = await tenantStore.GetByIdentifierAsync(tenantIdentifier);
-                if (tenantInfo is null || !tenantInfo.IsActive)
-                {
-                    return Result.Failure("Tenant not found or inactive", StatusCodes.Status404NotFound);
-                }
-                // Set Tenant Context BEFORE resolving DbContext/Managers
-                var tenantContextSetter = sp.GetRequiredService<IMultiTenantContextSetter>();
-                var tenantContext = new MultiTenantContext<IdmtTenantInfo>(tenantInfo);
-                tenantContextSetter.MultiTenantContext = tenantContext;
+                logger.LogError(ex, "Error granting tenant access to user {UserId} for tenant {TenantIdentifier}", userId, tenantIdentifier);
+                return IdmtErrors.Tenant.AccessError;
+            }
 
+            // Execute tenant-scope operation BEFORE persisting TenantAccess to prevent orphaned records
+            var tenantResult = await tenantOps.ExecuteInTenantScopeAsync(tenantIdentifier, async tsp =>
+            {
                 try
                 {
-                    var targetUserManager = sp.GetRequiredService<UserManager<IdmtUser>>();
+                    var targetUserManager = tsp.GetRequiredService<UserManager<IdmtUser>>();
 
                     var targetUser = await targetUserManager.Users
                         .FirstOrDefaultAsync(u => u.Email == user.Email && u.UserName == user.UserName, cancellationToken);
 
                     if (targetUser is null)
                     {
-                        // Create new user record for the target tenant
                         targetUser = new IdmtUser
                         {
                             UserName = user.UserName,
@@ -132,8 +131,18 @@ public async Task<Result> HandleAsync(Guid userId, string tenantIdentifier, Date
                             IsActive = true
                         };
 
-                        await targetUserManager.CreateAsync(targetUser);
-                        await targetUserManager.AddToRolesAsync(targetUser, userRoles);
+                        var createResult = await targetUserManager.CreateAsync(targetUser);
+                        if (!createResult.Succeeded)
+                        {
+                            logger.LogError("Failed to create user in target tenant: {Errors}", string.Join(", ", createResult.Errors.Select(e => e.Description)));
+                            return IdmtErrors.Tenant.AccessError;
+                        }
+                        var roleResult = await targetUserManager.AddToRolesAsync(targetUser, userRoles);
+                        if (!roleResult.Succeeded)
+                        {
+                            logger.LogError("Failed to assign roles in target tenant: {Errors}", string.Join(", ", roleResult.Errors.Select(e => e.Description)));
+                            return IdmtErrors.Tenant.AccessError;
+                        }
                     }
                     else
                     {
@@ -141,14 +150,67 @@ public async Task<Result> HandleAsync(Guid userId, string tenantIdentifier, Date
                         await targetUserManager.UpdateAsync(targetUser);
                     }
 
-                    return Result.Success();
+                    return Result.Success;
                 }
                 catch (Exception ex)
                 {
                     logger.LogError(ex, "Error granting tenant access to user {UserId} in tenant {TenantIdentifier}", userId, tenantIdentifier);
-                    return Result.Failure("An error occurred while granting tenant access", StatusCodes.Status500InternalServerError);
+                    return IdmtErrors.Tenant.AccessError;
                 }
+            });
+
+            if (tenantResult.IsError)
+            {
+                return tenantResult;
+            }
+
+            // Tenant-scope operation succeeded — now persist the TenantAccess record
+            try
+            {
+                await dbContext.SaveChangesAsync(cancellationToken);
             }
+            catch (Exception ex)
+            {
+                logger.LogError(ex,
+                    "Failed to save TenantAccess record for user {UserId} in tenant {TenantIdentifier}. " +
+                    "Executing compensating action to deactivate user in target tenant.",
+                    userId, tenantIdentifier);
+
+                // Compensating action: deactivate the user in the target tenant
+                await tenantOps.ExecuteInTenantScopeAsync(tenantIdentifier, async tsp =>
+                {
+                    try
+                    {
+                        var compensationUserManager = tsp.GetRequiredService<UserManager<IdmtUser>>();
+                        var orphanedUser = await compensationUserManager.Users
+                            .FirstOrDefaultAsync(u => u.Email == user!.Email && u.UserName == user.UserName, cancellationToken);
+
+                        if (orphanedUser is not null)
+                        {
+                            orphanedUser.IsActive = false;
+                            await compensationUserManager.UpdateAsync(orphanedUser);
+                            logger.LogWarning(
+                                "Compensating action completed: deactivated user {Email} in tenant {TenantIdentifier} " +
+                                "after TenantAccess save failure.",
+                                user!.Email, tenantIdentifier);
+                        }
+
+                        return Result.Success;
+                    }
+                    catch (Exception compensationEx)
+                    {
+                        logger.LogCritical(compensationEx,
+                            "CRITICAL: Compensating action failed for user {UserId} in tenant {TenantIdentifier}. " +
+                            "Manual intervention required: user exists in target tenant without a TenantAccess record.",
+                            userId, tenantIdentifier);
+                        return IdmtErrors.Tenant.AccessError;
+                    }
+                });
+
+                return IdmtErrors.Tenant.AccessError;
+            }
+
+            return Result.Success;
         }
     }
 
@@ -162,18 +224,18 @@ public static RouteHandlerBuilder MapGrantTenantAccessEndpoint(this IEndpointRou
             CancellationToken cancellationToken) =>
         {
             var result = await handler.HandleAsync(userId, tenantIdentifier, request.ExpiresAt, cancellationToken);
-            if (!result.IsSuccess)
+            if (result.IsError)
             {
-                return result.StatusCode switch
+                return result.FirstError.Type switch
                 {
-                    StatusCodes.Status400BadRequest => TypedResults.BadRequest(),
-                    StatusCodes.Status404NotFound => TypedResults.NotFound(),
-                    _ => TypedResults.InternalServerError()
+                    ErrorType.Validation => TypedResults.BadRequest(),
+                    ErrorType.NotFound => TypedResults.NotFound(),
+                    _ => TypedResults.InternalServerError(),
                 };
             }
             return TypedResults.Ok();
         })
-        .RequireAuthorization(AuthOptions.RequireSysUserPolicy)
+        .RequireAuthorization(IdmtAuthOptions.RequireSysUserPolicy)
         .WithSummary("Grant user access to a tenant");
     }
 }
diff --git a/src/Idmt.Plugin/Features/Admin/RevokeTenantAccess.cs b/src/Idmt.Plugin/Features/Admin/RevokeTenantAccess.cs
index 7d04ed2..839f04e 100644
--- a/src/Idmt.Plugin/Features/Admin/RevokeTenantAccess.cs
+++ b/src/Idmt.Plugin/Features/Admin/RevokeTenantAccess.cs
@@ -1,7 +1,10 @@
+using ErrorOr;
 using Finbuckle.MultiTenant.Abstractions;
 using Idmt.Plugin.Configuration;
+using Idmt.Plugin.Errors;
 using Idmt.Plugin.Models;
 using Idmt.Plugin.Persistence;
+using Idmt.Plugin.Services;
 using Microsoft.AspNetCore.Builder;
 using Microsoft.AspNetCore.Http;
 using Microsoft.AspNetCore.Http.HttpResults;
@@ -17,113 +20,96 @@ public static class RevokeTenantAccess
 {
     public interface IRevokeTenantAccessHandler
     {
-        Task<Result> HandleAsync(Guid userId, string tenantIdentifier, CancellationToken cancellationToken = default);
+        Task<ErrorOr<Success>> HandleAsync(Guid userId, string tenantIdentifier, CancellationToken cancellationToken = default);
     }
 
+    // Fix: inject IdmtDbContext, UserManager<IdmtUser>, and IMultiTenantStore<IdmtTenantInfo>
+    // as constructor parameters rather than resolving them from a manually-created IServiceProvider
+    // scope. The manual scope bypassed the request lifetime, causing audit-log fields that depend on
+    // ICurrentUserService (resolved through the request scope) to be null.
     internal sealed class RevokeTenantAccessHandler(
-        IServiceProvider serviceProvider,
+        IdmtDbContext dbContext,
+        IMultiTenantStore<IdmtTenantInfo> tenantStore,
+        ITenantOperationService tenantOps,
         ILogger<RevokeTenantAccessHandler> logger) : IRevokeTenantAccessHandler
     {
-        public async Task<Result> HandleAsync(Guid userId, string tenantIdentifier, CancellationToken cancellationToken = default)
+        public async Task<ErrorOr<Success>> HandleAsync(Guid userId, string tenantIdentifier, CancellationToken cancellationToken = default)
         {
             IdmtUser? user;
-            using (var scope = serviceProvider.CreateScope())
-            {
-                var sp = scope.ServiceProvider;
 
-                try
+            try
+            {
+                user = await dbContext.Users.FirstOrDefaultAsync(u => u.Id == userId, cancellationToken);
+                if (user is null)
                 {
-                    var dbContext = sp.GetRequiredService<IdmtDbContext>();
-                    var userManager = sp.GetRequiredService<UserManager<IdmtUser>>();
-                    var tenantStore = sp.GetRequiredService<IMultiTenantStore<IdmtTenantInfo>>();
-
-                    user = await dbContext.Users.FirstOrDefaultAsync(u => u.Id == userId, cancellationToken);
-                    if (user is null)
-                    {
-                        return Result.Failure("User not found", StatusCodes.Status404NotFound);
-                    }
-
-                    var targetTenant = await tenantStore.GetByIdentifierAsync(tenantIdentifier);
-                    if (targetTenant is null)
-                    {
-                        return Result.Failure("Tenant not found", StatusCodes.Status404NotFound);
-                    }
-
-                    var tenantAccess = await dbContext.TenantAccess
-                        .FirstOrDefaultAsync(ta => ta.UserId == userId && ta.TenantId == targetTenant.Id, cancellationToken);
-                    if (tenantAccess is not null)
-                    {
-                        tenantAccess.IsActive = false;
-                        dbContext.TenantAccess.Update(tenantAccess);
-                    }
-                    await dbContext.SaveChangesAsync(cancellationToken);
+                    return IdmtErrors.User.NotFound;
                 }
-                catch (Exception ex)
+
+                var targetTenant = await tenantStore.GetByIdentifierAsync(tenantIdentifier);
+                if (targetTenant is null)
                 {
-                    logger.LogError(ex, "Error revoking tenant access for user {UserId} and tenant {TenantIdentifier}", userId, tenantIdentifier);
-                    return Result.Failure("An error occurred while revoking tenant access", StatusCodes.Status500InternalServerError);
+                    return IdmtErrors.Tenant.NotFound;
                 }
-            }
-
-            using (var scope = serviceProvider.CreateScope())
-            {
-                var sp = scope.ServiceProvider;
 
-                var tenantStore = sp.GetRequiredService<IMultiTenantStore<IdmtTenantInfo>>();
-                var tenantInfo = await tenantStore.GetByIdentifierAsync(tenantIdentifier);
-                if (tenantInfo is null)
+                var tenantAccess = await dbContext.TenantAccess
+                    .FirstOrDefaultAsync(ta => ta.UserId == userId && ta.TenantId == targetTenant.Id, cancellationToken);
+                if (tenantAccess is null)
                 {
-                    return Result.Failure("Tenant not found", StatusCodes.Status404NotFound);
+                    return IdmtErrors.Tenant.AccessNotFound;
                 }
-                // Set Tenant Context BEFORE resolving DbContext/Managers
-                var tenantContextSetter = sp.GetRequiredService<IMultiTenantContextSetter>();
-                var tenantContext = new MultiTenantContext<IdmtTenantInfo>(tenantInfo);
-                tenantContextSetter.MultiTenantContext = tenantContext;
 
-                var userManager = sp.GetRequiredService<UserManager<IdmtUser>>();
+                tenantAccess.IsActive = false;
+                dbContext.TenantAccess.Update(tenantAccess);
+                await dbContext.SaveChangesAsync(cancellationToken);
+            }
+            catch (Exception ex)
+            {
+                logger.LogError(ex, "Error revoking tenant access for user {UserId} and tenant {TenantIdentifier}", userId, tenantIdentifier);
+                return IdmtErrors.Tenant.AccessError;
+            }
+
+            return await tenantOps.ExecuteInTenantScopeAsync(tenantIdentifier, async sp =>
+            {
+                var tenantUserManager = sp.GetRequiredService<UserManager<IdmtUser>>();
                 try
                 {
-                    var targetUser = await userManager.Users.FirstOrDefaultAsync(u => u.Email == user.Email && u.UserName == user.UserName, cancellationToken);
-                    if (targetUser is null)
-                    {
-                        return Result.Success();
-                    }
-                    else
+                    var targetUser = await tenantUserManager.Users.FirstOrDefaultAsync(u => u.Email == user.Email && u.UserName == user.UserName, cancellationToken);
+                    if (targetUser is not null)
                     {
                         targetUser.IsActive = false;
-                        await userManager.UpdateAsync(targetUser);
+                        await tenantUserManager.UpdateAsync(targetUser);
                     }
-                    return Result.Success();
+                    return Result.Success;
                 }
                 catch (Exception ex)
                 {
                     logger.LogError(ex, "Error deactivating user {UserId} in tenant {TenantIdentifier}", userId, tenantIdentifier);
-                    return Result.Failure("An error occurred while deactivating user", StatusCodes.Status500InternalServerError);
+                    return IdmtErrors.Tenant.AccessError;
                 }
-            }
+            }, requireActive: false);
         }
     }
 
     public static RouteHandlerBuilder MapRevokeTenantAccessEndpoint(this IEndpointRouteBuilder endpoints)
     {
-        return endpoints.MapDelete("/users/{userId:guid}/tenants/{tenantId}", async Task<Results<Ok, NotFound, InternalServerError>> (
+        return endpoints.MapDelete("/users/{userId:guid}/tenants/{tenantIdentifier}", async Task<Results<NoContent, NotFound, InternalServerError>> (
             Guid userId,
-            string tenantId,
+            string tenantIdentifier,
             IRevokeTenantAccessHandler handler,
             CancellationToken cancellationToken) =>
         {
-            var result = await handler.HandleAsync(userId, tenantId, cancellationToken);
-            if (!result.IsSuccess)
+            var result = await handler.HandleAsync(userId, tenantIdentifier, cancellationToken);
+            if (result.IsError)
             {
-                return result.StatusCode switch
+                return result.FirstError.Type switch
                 {
-                    StatusCodes.Status404NotFound => TypedResults.NotFound(),
+                    ErrorType.NotFound => TypedResults.NotFound(),
                     _ => TypedResults.InternalServerError(),
                 };
             }
-            return TypedResults.Ok();
+            return TypedResults.NoContent();
         })
-        .RequireAuthorization(AuthOptions.RequireSysUserPolicy)
+        .RequireAuthorization(IdmtAuthOptions.RequireSysUserPolicy)
         .WithSummary("Revoke user access from a tenant");
     }
 }
diff --git a/src/Idmt.Plugin/Features/AdminEndpoints.cs b/src/Idmt.Plugin/Features/AdminEndpoints.cs
index 1286941..dfe369d 100644
--- a/src/Idmt.Plugin/Features/AdminEndpoints.cs
+++ b/src/Idmt.Plugin/Features/AdminEndpoints.cs
@@ -1,3 +1,4 @@
+using Idmt.Plugin.Configuration;
 using Idmt.Plugin.Features.Admin;
 using Microsoft.AspNetCore.Builder;
 using Microsoft.AspNetCore.Http;
@@ -10,6 +11,7 @@ public static class AdminEndpoints
     public static void MapAdminEndpoints(this IEndpointRouteBuilder endpoints)
     {
         var admin = endpoints.MapGroup("/admin")
+            .RequireAuthorization(IdmtAuthOptions.RequireSysUserPolicy)
             .WithTags("Admin");
 
         admin.MapCreateTenantEndpoint();
@@ -17,7 +19,6 @@ public static void MapAdminEndpoints(this IEndpointRouteBuilder endpoints)
         admin.MapGetUserTenantsEndpoint();
         admin.MapGrantTenantAccessEndpoint();
         admin.MapRevokeTenantAccessEndpoint();
-        admin.MapGetSystemInfoEndpoint();
         admin.MapGetAllTenantsEndpoint();
     }
 }
\ No newline at end of file
diff --git a/src/Idmt.Plugin/Features/Auth/ConfirmEmail.cs b/src/Idmt.Plugin/Features/Auth/ConfirmEmail.cs
index 52998ca..8faec74 100644
--- a/src/Idmt.Plugin/Features/Auth/ConfirmEmail.cs
+++ b/src/Idmt.Plugin/Features/Auth/ConfirmEmail.cs
@@ -1,6 +1,9 @@
-using Finbuckle.MultiTenant.Abstractions;
+using ErrorOr;
+using FluentValidation;
 using Idmt.Plugin.Configuration;
+using Idmt.Plugin.Errors;
 using Idmt.Plugin.Models;
+using Idmt.Plugin.Services;
 using Idmt.Plugin.Validation;
 using Microsoft.AspNetCore.Builder;
 using Microsoft.AspNetCore.Http;
@@ -19,110 +22,117 @@ public sealed record ConfirmEmailRequest(string TenantIdentifier, string Email,
 
     public interface IConfirmEmailHandler
     {
-        Task<Result> HandleAsync(ConfirmEmailRequest request, CancellationToken cancellationToken = default);
+        Task<ErrorOr<Success>> HandleAsync(ConfirmEmailRequest request, CancellationToken cancellationToken = default);
     }
 
-    internal sealed class ConfirmEmailHandler(IServiceProvider serviceProvider, ILogger<ConfirmEmailHandler> logger) : IConfirmEmailHandler
+    internal sealed class ConfirmEmailHandler(ITenantOperationService tenantOps, ILogger<ConfirmEmailHandler> logger) : IConfirmEmailHandler
     {
-        public async Task<Result> HandleAsync(ConfirmEmailRequest request, CancellationToken cancellationToken = default)
+        public async Task<ErrorOr<Success>> HandleAsync(ConfirmEmailRequest request, CancellationToken cancellationToken = default)
         {
-            using var scope = serviceProvider.CreateScope();
-            var provider = scope.ServiceProvider;
-
-            var tenantStore = provider.GetRequiredService<IMultiTenantStore<IdmtTenantInfo>>();
-            var tenantInfo = await tenantStore.GetByIdentifierAsync(request.TenantIdentifier);
-            if (tenantInfo is null || !tenantInfo.IsActive)
+            return await tenantOps.ExecuteInTenantScopeAsync(request.TenantIdentifier, async provider =>
             {
-                return Result.Failure("Invalid tenant", StatusCodes.Status400BadRequest);
-            }
-            // Set Tenant Context BEFORE resolving DbContext/Managers
-            var tenantContextSetter = provider.GetRequiredService<IMultiTenantContextSetter>();
-            var tenantContext = new MultiTenantContext<IdmtTenantInfo>(tenantInfo);
-            tenantContextSetter.MultiTenantContext = tenantContext;
-
-            var userManager = provider.GetRequiredService<UserManager<IdmtUser>>();
-            try
-            {
-                var user = await userManager.FindByEmailAsync(request.Email);
-                if (user == null)
+                var userManager = provider.GetRequiredService<UserManager<IdmtUser>>();
+                try
                 {
-                    // Avoid revealing that the email does not exist
-                    return Result.Failure("User not found", StatusCodes.Status400BadRequest);
-                }
+                    var user = await userManager.FindByEmailAsync(request.Email);
+                    if (user == null)
+                    {
+                        return IdmtErrors.Email.ConfirmationFailed;
+                    }
+
+                    var result = await userManager.ConfirmEmailAsync(user, request.Token!);
 
-                // Reset password using the token
-                var result = await userManager.ConfirmEmailAsync(user, request.Token!);
+                    if (!result.Succeeded)
+                    {
+                        return IdmtErrors.Email.ConfirmationFailed;
+                    }
 
-                if (!result.Succeeded)
+                    return Result.Success;
+                }
+                catch (Exception ex)
                 {
-                    var errors = string.Join("\n", result.Errors.Select(e => e.Description));
-                    return Result.Failure(errors, StatusCodes.Status400BadRequest);
+                    logger.LogError(ex, "Error confirming email for {Email} in tenant {TenantIdentifier}", PiiMasker.MaskEmail(request.Email), request.TenantIdentifier);
+                    return IdmtErrors.General.Unexpected;
                 }
-
-                return Result.Success();
-            }
-            catch (Exception ex)
-            {
-                logger.LogError(ex, "Error confirming email for {Email} in tenant {TenantIdentifier}", request.Email, request.TenantIdentifier);
-                return Result.Failure(ex.Message, StatusCodes.Status500InternalServerError);
-            }
+            });
         }
     }
 
-    public static Dictionary<string, string[]>? Validate(this ConfirmEmailRequest request)
+    public static RouteHandlerBuilder MapConfirmEmailEndpoint(this IEndpointRouteBuilder endpoints)
     {
-        var errors = new Dictionary<string, string[]>();
-
-        if (string.IsNullOrEmpty(request.TenantIdentifier))
-        {
-            errors["TenantIdentifier"] = ["Tenant identifier is required"];
-        }
-        if (string.IsNullOrEmpty(request.Email))
-        {
-            errors["Email"] = ["Email is required"];
-        }
-        if (!Validators.IsValidEmail(request.Email))
-        {
-            errors["Email"] = ["Invalid email address"];
-        }
-        if (string.IsNullOrEmpty(request.Token))
+        return endpoints.MapPost("/confirm-email", async Task<Results<Ok, ValidationProblem, BadRequest, InternalServerError>> (
+            [FromBody] ConfirmEmailRequest request,
+            [FromServices] IConfirmEmailHandler handler,
+            [FromServices] IValidator<ConfirmEmailRequest> validator,
+            HttpContext context) =>
         {
-            errors["Token"] = ["Token is required"];
-        }
+            if (ValidationHelper.Validate(request, validator) is { } validationErrors)
+            {
+                return TypedResults.ValidationProblem(validationErrors);
+            }
 
-        return errors.Count == 0 ? null : errors;
+            // Decode Base64URL-encoded token
+            string decodedToken;
+            try
+            {
+                decodedToken = Base64Service.DecodeBase64UrlToken(request.Token);
+            }
+            catch (FormatException)
+            {
+                return TypedResults.BadRequest();
+            }
+
+            var decodedRequest = request with { Token = decodedToken };
+            var result = await handler.HandleAsync(decodedRequest, cancellationToken: context.RequestAborted);
+
+            if (result.IsError)
+            {
+                return result.FirstError.Type switch
+                {
+                    ErrorType.NotFound => TypedResults.BadRequest(),
+                    ErrorType.Failure => TypedResults.BadRequest(),
+                    _ => TypedResults.InternalServerError(),
+                };
+            }
+            return TypedResults.Ok();
+        })
+        .WithName(IdmtEndpointNames.ConfirmEmail)
+        .WithSummary("Confirm email")
+        .WithDescription("Confirm user email address");
     }
 
-    public static RouteHandlerBuilder MapConfirmEmailEndpoint(this IEndpointRouteBuilder endpoints)
+    public static RouteHandlerBuilder MapConfirmEmailDirectEndpoint(this IEndpointRouteBuilder endpoints)
     {
-        return endpoints.MapGet("/confirmEmail", async Task<Results<Ok, ValidationProblem, BadRequest, InternalServerError>> (
+        return endpoints.MapGet("/confirm-email", async Task<Results<Ok, BadRequest>> (
             [FromQuery] string tenantIdentifier,
             [FromQuery] string email,
             [FromQuery] string token,
             [FromServices] IConfirmEmailHandler handler,
-            IServiceProvider sp,
             HttpContext context) =>
         {
-            var request = new ConfirmEmailRequest(tenantIdentifier, email, token);
-            if (request.Validate() is { } validationErrors)
+            // Decode Base64URL-encoded token
+            string decodedToken;
+            try
             {
-                return TypedResults.ValidationProblem(validationErrors);
+                decodedToken = Base64Service.DecodeBase64UrlToken(token);
+            }
+            catch (FormatException)
+            {
+                return TypedResults.BadRequest();
             }
 
+            var request = new ConfirmEmailRequest(tenantIdentifier, email, decodedToken);
             var result = await handler.HandleAsync(request, cancellationToken: context.RequestAborted);
 
-            if (!result.IsSuccess)
+            if (result.IsError)
             {
-                return result.StatusCode switch
-                {
-                    StatusCodes.Status400BadRequest => TypedResults.BadRequest(),
-                    _ => TypedResults.InternalServerError(),
-                };
+                return TypedResults.BadRequest();
             }
+
             return TypedResults.Ok();
         })
-        .WithName(ApplicationOptions.ConfirmEmailEndpointName)
-        .WithSummary("Confirm email")
-        .WithDescription("Confirm user email address");
+        .WithName(IdmtEndpointNames.ConfirmEmailDirect)
+        .WithSummary("Confirm email directly")
+        .WithDescription("Directly confirms user email address via GET link from email");
     }
 }
diff --git a/src/Idmt.Plugin/Features/Auth/ForgotPassword.cs b/src/Idmt.Plugin/Features/Auth/ForgotPassword.cs
index b9f05c4..d5af0ff 100644
--- a/src/Idmt.Plugin/Features/Auth/ForgotPassword.cs
+++ b/src/Idmt.Plugin/Features/Auth/ForgotPassword.cs
@@ -1,7 +1,11 @@
+using ErrorOr;
+using FluentValidation;
+using Idmt.Plugin.Errors;
 using Idmt.Plugin.Models;
 using Idmt.Plugin.Services;
 using Idmt.Plugin.Validation;
 using Microsoft.AspNetCore.Builder;
+using Microsoft.Extensions.Logging;
 using Microsoft.AspNetCore.Http;
 using Microsoft.AspNetCore.Http.HttpResults;
 using Microsoft.AspNetCore.Identity;
@@ -14,12 +18,11 @@ public static class ForgotPassword
 {
     public sealed record ForgotPasswordRequest(string Email);
 
-    public sealed record ForgotPasswordResponse(string? ResetToken = null, string? ResetUrl = null);
+    public sealed record ForgotPasswordResponse;
 
     public interface IForgotPasswordHandler
     {
-        Task<Result<ForgotPasswordResponse>> HandleAsync(
-            bool useApiLinks,
+        Task<ErrorOr<ForgotPasswordResponse>> HandleAsync(
             ForgotPasswordRequest request,
             CancellationToken cancellationToken = default);
     }
@@ -27,10 +30,10 @@ Task<Result<ForgotPasswordResponse>> HandleAsync(
     internal sealed class ForgotPasswordHandler(
         UserManager<IdmtUser> userManager,
         IEmailSender<IdmtUser> emailSender,
-        IIdmtLinkGenerator linkGenerator) : IForgotPasswordHandler
+        IIdmtLinkGenerator linkGenerator,
+        ILogger<ForgotPasswordHandler> logger) : IForgotPasswordHandler
     {
-        public async Task<Result<ForgotPasswordResponse>> HandleAsync(
-            bool useApiLinks,
+        public async Task<ErrorOr<ForgotPasswordResponse>> HandleAsync(
             ForgotPasswordRequest request,
             CancellationToken cancellationToken = default)
         {
@@ -40,57 +43,45 @@ public async Task<Result<ForgotPasswordResponse>> HandleAsync(
                 if (user == null || !user.IsActive)
                 {
                     // Don't reveal whether user exists or not for security
-                    return Result.Success(new ForgotPasswordResponse(null, null), StatusCodes.Status200OK);
+                    return new ForgotPasswordResponse();
                 }
 
                 // Generate password reset token
                 var token = await userManager.GeneratePasswordResetTokenAsync(user);
 
-                // Generate password reset link
-                var resetUrl = useApiLinks
-                    ? linkGenerator.GeneratePasswordResetApiLink(user.Email!, token)
-                    : linkGenerator.GeneratePasswordResetFormLink(user.Email!, token);
+                // Generate password reset link (always client form URL)
+                var resetUrl = linkGenerator.GeneratePasswordResetLink(user.Email!, token);
 
                 // Send email with reset code
                 await emailSender.SendPasswordResetCodeAsync(user, request.Email, resetUrl);
 
-                return Result.Success(new ForgotPasswordResponse(token, resetUrl), StatusCodes.Status200OK);
+                return new ForgotPasswordResponse();
             }
             catch (Exception ex)
             {
-                return Result.Failure<ForgotPasswordResponse>(ex.Message, StatusCodes.Status500InternalServerError);
+                logger.LogError(ex, "An error occurred during forgot password for {Email}",
+                    request.Email.Length > 3 ? string.Concat(request.Email.AsSpan(0, 3), "***") : "***");
+                return IdmtErrors.General.Unexpected;
             }
         }
     }
 
-    public static Dictionary<string, string[]>? Validate(this ForgotPasswordRequest request)
-    {
-        var errors = new Dictionary<string, string[]>();
-
-        if (!Validators.IsValidEmail(request.Email))
-        {
-            errors["Email"] = ["Invalid email address."];
-        }
-
-        return errors.Count == 0 ? null : errors;
-    }
-
     public static RouteHandlerBuilder MapForgotPasswordEndpoint(this IEndpointRouteBuilder endpoints)
     {
-        return endpoints.MapPost("/forgotPassword", async Task<Results<Ok, ValidationProblem, StatusCodeHttpResult>> (
-            [FromQuery] bool useApiLinks,
+        return endpoints.MapPost("/forgot-password", async Task<Results<Ok, ValidationProblem, StatusCodeHttpResult>> (
             [FromBody] ForgotPasswordRequest request,
             [FromServices] IForgotPasswordHandler handler,
+            [FromServices] IValidator<ForgotPasswordRequest> validator,
             HttpContext context) =>
         {
-            if (request.Validate() is { } validationErrors)
+            if (ValidationHelper.Validate(request, validator) is { } validationErrors)
             {
                 return TypedResults.ValidationProblem(validationErrors);
             }
-            var result = await handler.HandleAsync(useApiLinks, request, cancellationToken: context.RequestAborted);
-            if (!result.IsSuccess)
+            var result = await handler.HandleAsync(request, cancellationToken: context.RequestAborted);
+            if (result.IsError)
             {
-                return TypedResults.StatusCode(result.StatusCode);
+                return TypedResults.StatusCode(StatusCodes.Status500InternalServerError);
             }
             return TypedResults.Ok();
         })
diff --git a/src/Idmt.Plugin/Features/Auth/Login.cs b/src/Idmt.Plugin/Features/Auth/Login.cs
index e73c362..a519796 100644
--- a/src/Idmt.Plugin/Features/Auth/Login.cs
+++ b/src/Idmt.Plugin/Features/Auth/Login.cs
@@ -1,6 +1,10 @@
+using ErrorOr;
 using Finbuckle.MultiTenant.Abstractions;
+using FluentValidation;
 using Idmt.Plugin.Configuration;
+using Idmt.Plugin.Errors;
 using Idmt.Plugin.Models;
+using Idmt.Plugin.Services;
 using Idmt.Plugin.Validation;
 using Microsoft.AspNetCore.Authentication;
 using Microsoft.AspNetCore.Authentication.BearerToken;
@@ -42,14 +46,14 @@ public sealed record AccessTokenResponse
 
     public interface ILoginHandler
     {
-        Task<Result<LoginResponse>> HandleAsync(
+        Task<ErrorOr<LoginResponse>> HandleAsync(
             LoginRequest loginRequest,
             CancellationToken cancellationToken = default);
     }
 
     public interface ITokenLoginHandler
     {
-        Task<Result<AccessTokenResponse>> HandleAsync(
+        Task<ErrorOr<AccessTokenResponse>> HandleAsync(
             LoginRequest request,
             CancellationToken cancellationToken = default);
     }
@@ -58,9 +62,11 @@ internal sealed class LoginHandler(
         UserManager<IdmtUser> userManager,
         SignInManager<IdmtUser> signInManager,
         IMultiTenantContextAccessor multiTenantContextAccessor,
+        IOptions<IdmtOptions> idmtOptions,
+        TimeProvider timeProvider,
         ILogger<LoginHandler> logger) : ILoginHandler
     {
-        public async Task<Result<LoginResponse>> HandleAsync(
+        public async Task<ErrorOr<LoginResponse>> HandleAsync(
             LoginRequest request,
             CancellationToken cancellationToken = default)
         {
@@ -70,7 +76,12 @@ public async Task<Result<LoginResponse>> HandleAsync(
                 var tenantInfo = multiTenantContextAccessor.MultiTenantContext?.TenantInfo;
                 if (tenantInfo == null || string.IsNullOrEmpty(tenantInfo.Id))
                 {
-                    return Result.Failure<LoginResponse>("Tenant not resolved", StatusCodes.Status400BadRequest);
+                    return IdmtErrors.Tenant.NotResolved;
+                }
+
+                if (tenantInfo is not IdmtTenantInfo idmtTenant || !idmtTenant.IsActive)
+                {
+                    return IdmtErrors.Tenant.Inactive;
                 }
 
                 // Find user by email or username
@@ -84,9 +95,9 @@ public async Task<Result<LoginResponse>> HandleAsync(
                 {
                     user = await userManager.FindByNameAsync(request.Username);
                 }
-                if (user == null)
+                if (user is null || !user.IsActive)
                 {
-                    return Result.Failure<LoginResponse>("Unauthorized", StatusCodes.Status401Unauthorized);
+                    return IdmtErrors.Auth.Unauthorized;
                 }
 
                 var result = await signInManager.CheckPasswordSignInAsync(
@@ -94,28 +105,47 @@ public async Task<Result<LoginResponse>> HandleAsync(
                     request.Password,
                     lockoutOnFailure: true);
 
+                if (result.IsLockedOut)
+                {
+                    return IdmtErrors.Auth.LockedOut;
+                }
+
                 if (result.RequiresTwoFactor)
                 {
+                    if (await userManager.IsLockedOutAsync(user))
+                    {
+                        return IdmtErrors.Auth.LockedOut;
+                    }
+
                     if (!string.IsNullOrEmpty(request.TwoFactorCode))
                     {
-                        result = await signInManager.TwoFactorAuthenticatorSignInAsync(request.TwoFactorCode, request.RememberMe, request.RememberMe);
+                        var isValid = await userManager.VerifyTwoFactorTokenAsync(
+                            user, userManager.Options.Tokens.AuthenticatorTokenProvider, request.TwoFactorCode);
+                        if (!isValid)
+                        {
+                            await userManager.AccessFailedAsync(user);
+                            return IdmtErrors.Auth.Unauthorized;
+                        }
                     }
                     else if (!string.IsNullOrEmpty(request.TwoFactorRecoveryCode))
                     {
-                        result = await signInManager.TwoFactorRecoveryCodeSignInAsync(request.TwoFactorRecoveryCode);
+                        var redeemResult = await userManager.RedeemTwoFactorRecoveryCodeAsync(user, request.TwoFactorRecoveryCode);
+                        if (!redeemResult.Succeeded)
+                        {
+                            await userManager.AccessFailedAsync(user);
+                            return IdmtErrors.Auth.Unauthorized;
+                        }
+                    }
+                    else
+                    {
+                        return IdmtErrors.Auth.TwoFactorRequired;
                     }
-                }
 
-                if (!result.Succeeded)
-                {
-                    return Result.Failure<LoginResponse>("Unauthorized", StatusCodes.Status401Unauthorized);
+                    await userManager.ResetAccessFailedCountAsync(user);
                 }
-
-                // Check if user is active
-                if (!user.IsActive)
+                else if (!result.Succeeded)
                 {
-                    logger.LogWarning("Login attempt failed: User {UserId} is inactive", user.Id);
-                    return Result.Failure<LoginResponse>("User is deactivated", StatusCodes.Status403Forbidden);
+                    return IdmtErrors.Auth.Unauthorized;
                 }
 
                 // Direct cookie sign-in (no middleware delay)
@@ -126,19 +156,23 @@ await signInManager.Context.SignInAsync(
                     new AuthenticationProperties
                     {
                         IsPersistent = request.RememberMe,
-                        ExpiresUtc = DT.UtcNow.AddDays(30)
+                        ExpiresUtc = timeProvider.GetUtcNow().Add(idmtOptions.Value.Identity.Cookie.ExpireTimeSpan)
                     });
 
                 // Update last login timestamp
-                user.LastLoginAt = DT.UtcNow;
-                await userManager.UpdateAsync(user);
+                user.LastLoginAt = timeProvider.GetUtcNow();
+                var loginUpdateResult = await userManager.UpdateAsync(user);
+                if (!loginUpdateResult.Succeeded)
+                {
+                    logger.LogWarning("Failed to update LastLoginAt for user {UserId}", user.Id);
+                }
 
-                return Result.Success(new LoginResponse { UserId = user.Id });
+                return new LoginResponse { UserId = user.Id };
             }
             catch (Exception ex)
             {
-                logger.LogError(ex, "An error occurred during login for identifier {Email} {Username}", request.Email ?? "unknown", request.Username ?? "unknown");
-                return Result.Failure<LoginResponse>("An error occurred during login", StatusCodes.Status500InternalServerError);
+                logger.LogError(ex, "An error occurred during login for identifier {Email} {Username}", PiiMasker.MaskEmail(request.Email), PiiMasker.MaskEmail(request.Username));
+                return IdmtErrors.General.Unexpected;
             }
         }
     }
@@ -151,7 +185,7 @@ internal sealed class TokenLoginHandler(
         TimeProvider timeProvider,
         ILogger<TokenLoginHandler> logger) : ITokenLoginHandler
     {
-        public async Task<Result<AccessTokenResponse>> HandleAsync(
+        public async Task<ErrorOr<AccessTokenResponse>> HandleAsync(
             LoginRequest request,
             CancellationToken cancellationToken = default)
         {
@@ -161,7 +195,12 @@ public async Task<Result<AccessTokenResponse>> HandleAsync(
                 var tenantInfo = multiTenantContextAccessor.MultiTenantContext?.TenantInfo;
                 if (tenantInfo == null || string.IsNullOrEmpty(tenantInfo.Id))
                 {
-                    return Result.Failure<AccessTokenResponse>("Tenant not resolved", StatusCodes.Status400BadRequest);
+                    return IdmtErrors.Tenant.NotResolved;
+                }
+
+                if (tenantInfo is not IdmtTenantInfo idmtTenant || !idmtTenant.IsActive)
+                {
+                    return IdmtErrors.Tenant.Inactive;
                 }
 
                 // Find user by email or username
@@ -175,9 +214,9 @@ public async Task<Result<AccessTokenResponse>> HandleAsync(
                 {
                     user = await userManager.FindByNameAsync(request.Username);
                 }
-                if (user == null)
+                if (user == null || !user.IsActive)
                 {
-                    return Result.Failure<AccessTokenResponse>("Unauthorized", StatusCodes.Status401Unauthorized);
+                    return IdmtErrors.Auth.Unauthorized;
                 }
 
                 var result = await signInManager.CheckPasswordSignInAsync(
@@ -185,28 +224,47 @@ public async Task<Result<AccessTokenResponse>> HandleAsync(
                     request.Password,
                     lockoutOnFailure: true);
 
+                if (result.IsLockedOut)
+                {
+                    return IdmtErrors.Auth.LockedOut;
+                }
+
                 if (result.RequiresTwoFactor)
                 {
+                    if (await userManager.IsLockedOutAsync(user))
+                    {
+                        return IdmtErrors.Auth.LockedOut;
+                    }
+
                     if (!string.IsNullOrEmpty(request.TwoFactorCode))
                     {
-                        result = await signInManager.TwoFactorAuthenticatorSignInAsync(request.TwoFactorCode, request.RememberMe, request.RememberMe);
+                        var isValid = await userManager.VerifyTwoFactorTokenAsync(
+                            user, userManager.Options.Tokens.AuthenticatorTokenProvider, request.TwoFactorCode);
+                        if (!isValid)
+                        {
+                            await userManager.AccessFailedAsync(user);
+                            return IdmtErrors.Auth.Unauthorized;
+                        }
                     }
                     else if (!string.IsNullOrEmpty(request.TwoFactorRecoveryCode))
                     {
-                        result = await signInManager.TwoFactorRecoveryCodeSignInAsync(request.TwoFactorRecoveryCode);
+                        var redeemResult = await userManager.RedeemTwoFactorRecoveryCodeAsync(user, request.TwoFactorRecoveryCode);
+                        if (!redeemResult.Succeeded)
+                        {
+                            await userManager.AccessFailedAsync(user);
+                            return IdmtErrors.Auth.Unauthorized;
+                        }
+                    }
+                    else
+                    {
+                        return IdmtErrors.Auth.TwoFactorRequired;
                     }
-                }
 
-                if (!result.Succeeded)
-                {
-                    return Result.Failure<AccessTokenResponse>("Unauthorized", StatusCodes.Status401Unauthorized);
+                    await userManager.ResetAccessFailedCountAsync(user);
                 }
-
-                // Check if user is active
-                if (!user.IsActive)
+                else if (!result.Succeeded)
                 {
-                    logger.LogWarning("Login attempt failed: User {UserId} is inactive", user.Id);
-                    return Result.Failure<AccessTokenResponse>("User is deactivated", StatusCodes.Status403Forbidden);
+                    return IdmtErrors.Auth.Unauthorized;
                 }
 
                 // Generate tokens using BearerToken
@@ -239,82 +297,68 @@ public async Task<Result<AccessTokenResponse>> HandleAsync(
                 var refreshToken = refreshTokenProtector.Protect(refreshTicket);
 
                 // Update last login timestamp
-                user.LastLoginAt = DT.UtcNow;
-                await userManager.UpdateAsync(user);
+                user.LastLoginAt = timeProvider.GetUtcNow();
+                var tokenLoginUpdateResult = await userManager.UpdateAsync(user);
+                if (!tokenLoginUpdateResult.Succeeded)
+                {
+                    logger.LogWarning("Failed to update LastLoginAt for user {UserId}", user.Id);
+                }
 
                 var expiresIn = (long)bearerOptions.BearerTokenExpiration.TotalSeconds;
 
-                return Result.Success(new AccessTokenResponse
+                return new AccessTokenResponse
                 {
                     AccessToken = accessToken,
                     RefreshToken = refreshToken,
                     ExpiresIn = expiresIn,
                     TokenType = "Bearer"
-                });
+                };
             }
             catch (Exception ex)
             {
-                logger.LogError(ex, "An error occurred during login for identifier {Email} {Username}", request.Email ?? request.Username ?? "unknown", request.Email ?? request.Username ?? "unknown");
-                return Result.Failure<AccessTokenResponse>("An error occurred during login", StatusCodes.Status500InternalServerError);
+                logger.LogError(ex, "An error occurred during login for identifier {Email} {Username}", PiiMasker.MaskEmail(request.Email), PiiMasker.MaskEmail(request.Username));
+                return IdmtErrors.General.Unexpected;
             }
         }
     }
 
-    /// <summary>
-    /// Validate the login request.
-    /// </summary>
-    /// <returns>A list of validation errors or null if the request is valid.</returns>
-    public static Dictionary<string, string[]>? Validate(this LoginRequest request)
-    {
-        var errors = new Dictionary<string, string[]>();
-
-        if (request.Email is null && request.Username is null)
-        {
-            errors["Identifier"] = ["Email or Username is required."];
-        }
-        else
-        {
-            if (request.Email is not null && !Validators.IsValidEmail(request.Email))
-            {
-                errors["Email"] = ["Invalid email."];
-            }
-
-            if (request.Username is not null && !Validators.IsValidUsername(request.Username))
-            {
-                errors["Username"] = ["Invalid username."];
-            }
-        }
-
-        if (string.IsNullOrWhiteSpace(request.Password))
-        {
-            errors["Password"] = ["Password is required."];
-        }
-
-        return errors.Count == 0 ? null : errors;
-    }
-
     public static RouteHandlerBuilder MapCookieLoginEndpoint(this IEndpointRouteBuilder endpoints)
     {
         return endpoints.MapPost("/login", async Task<Results<Ok<LoginResponse>, UnauthorizedHttpResult, ForbidHttpResult, ValidationProblem, ProblemHttpResult>> (
             [FromBody] LoginRequest request,
             [FromServices] ILoginHandler handler,
+            [FromServices] IValidator<LoginRequest> validator,
             HttpContext context) =>
         {
-            if (request.Validate() is { } validationErrors)
+            if (ValidationHelper.Validate(request, validator) is { } validationErrors)
             {
                 return TypedResults.ValidationProblem(validationErrors);
             }
             var response = await handler.HandleAsync(request, cancellationToken: context.RequestAborted);
-            if (!response.IsSuccess)
+            if (response.IsError)
             {
-                return response.StatusCode switch
+                if (response.FirstError.Code == "Auth.LockedOut")
+                {
+                    return TypedResults.Problem(
+                        response.FirstError.Description,
+                        statusCode: StatusCodes.Status429TooManyRequests);
+                }
+                if (response.FirstError.Code == "Auth.TwoFactorRequired")
+                {
+                    return TypedResults.Problem(
+                        response.FirstError.Description,
+                        statusCode: StatusCodes.Status422UnprocessableEntity,
+                        title: response.FirstError.Code);
+                }
+                return response.FirstError.Type switch
                 {
-                    StatusCodes.Status401Unauthorized => TypedResults.Unauthorized(),
-                    StatusCodes.Status403Forbidden => TypedResults.Forbid(),
-                    _ => TypedResults.Problem(response.ErrorMessage, statusCode: response.StatusCode),
+                    ErrorType.Unauthorized => TypedResults.Unauthorized(),
+                    ErrorType.Forbidden => TypedResults.Forbid(),
+                    ErrorType.Validation => TypedResults.Problem(response.FirstError.Description, statusCode: StatusCodes.Status400BadRequest),
+                    _ => TypedResults.Problem(response.FirstError.Description, statusCode: StatusCodes.Status500InternalServerError),
                 };
             }
-            return TypedResults.Ok(response.Value!);
+            return TypedResults.Ok(response.Value);
         })
         .WithSummary("Login user")
         .WithDescription("Authenticate user and return cookie");
@@ -325,25 +369,40 @@ public static RouteHandlerBuilder MapTokenLoginEndpoint(this IEndpointRouteBuild
         return endpoints.MapPost("/token", async Task<Results<Ok<AccessTokenResponse>, UnauthorizedHttpResult, ForbidHttpResult, ValidationProblem, ProblemHttpResult>> (
             [FromBody] LoginRequest request,
             [FromServices] ITokenLoginHandler handler,
+            [FromServices] IValidator<LoginRequest> validator,
             HttpContext context) =>
         {
-            if (request.Validate() is { } validationErrors)
+            if (ValidationHelper.Validate(request, validator) is { } validationErrors)
             {
                 return TypedResults.ValidationProblem(validationErrors);
             }
             var response = await handler.HandleAsync(request, cancellationToken: context.RequestAborted);
-            if (!response.IsSuccess)
+            if (response.IsError)
             {
-                return response.StatusCode switch
+                if (response.FirstError.Code == "Auth.LockedOut")
+                {
+                    return TypedResults.Problem(
+                        response.FirstError.Description,
+                        statusCode: StatusCodes.Status429TooManyRequests);
+                }
+                if (response.FirstError.Code == "Auth.TwoFactorRequired")
+                {
+                    return TypedResults.Problem(
+                        response.FirstError.Description,
+                        statusCode: StatusCodes.Status422UnprocessableEntity,
+                        title: response.FirstError.Code);
+                }
+                return response.FirstError.Type switch
                 {
-                    StatusCodes.Status401Unauthorized => TypedResults.Unauthorized(),
-                    StatusCodes.Status403Forbidden => TypedResults.Forbid(),
-                    _ => TypedResults.Problem(response.ErrorMessage, statusCode: response.StatusCode),
+                    ErrorType.Unauthorized => TypedResults.Unauthorized(),
+                    ErrorType.Forbidden => TypedResults.Forbid(),
+                    ErrorType.Validation => TypedResults.Problem(response.FirstError.Description, statusCode: StatusCodes.Status400BadRequest),
+                    _ => TypedResults.Problem(response.FirstError.Description, statusCode: StatusCodes.Status500InternalServerError),
                 };
             }
-            return TypedResults.Ok(response.Value!);
+            return TypedResults.Ok(response.Value);
         })
         .WithSummary("Login user")
         .WithDescription("Authenticate user and return bearer token");
     }
-}
\ No newline at end of file
+}
diff --git a/src/Idmt.Plugin/Features/Auth/Logout.cs b/src/Idmt.Plugin/Features/Auth/Logout.cs
index b7f3605..28da8bb 100644
--- a/src/Idmt.Plugin/Features/Auth/Logout.cs
+++ b/src/Idmt.Plugin/Features/Auth/Logout.cs
@@ -1,4 +1,9 @@
+using ErrorOr;
+using Finbuckle.MultiTenant.Abstractions;
+using Idmt.Plugin.Configuration;
+using Idmt.Plugin.Errors;
 using Idmt.Plugin.Models;
+using Idmt.Plugin.Services;
 using Microsoft.AspNetCore.Builder;
 using Microsoft.AspNetCore.Http;
 using Microsoft.AspNetCore.Http.HttpResults;
@@ -6,50 +11,86 @@
 using Microsoft.AspNetCore.Mvc;
 using Microsoft.AspNetCore.Routing;
 using Microsoft.Extensions.Logging;
+using Microsoft.Extensions.Options;
 
 namespace Idmt.Plugin.Features.Auth;
 
 public static class Logout
 {
-
-    /// <summary>
-    /// Interface for logout operations
-    /// </summary>
     public interface ILogoutHandler
     {
-        /// <summary>
-        /// Handles user logout
-        /// </summary>
-        /// <param name="cancellationToken">Cancellation token</param>
-        Task HandleAsync(CancellationToken cancellationToken = default);
+        Task<ErrorOr<Success>> HandleAsync(CancellationToken cancellationToken = default);
     }
 
-    internal sealed class LogoutHandler(ILogger<LogoutHandler> logger, SignInManager<IdmtUser> signInManager)
-    : ILogoutHandler
+    internal sealed class LogoutHandler(
+        ILogger<LogoutHandler> logger,
+        SignInManager<IdmtUser> signInManager,
+        ICurrentUserService currentUserService,
+        IMultiTenantContextAccessor<IdmtTenantInfo> tenantContextAccessor,
+        IOptions<IdmtOptions> idmtOptions,
+        ITokenRevocationService tokenRevocationService)
+        : ILogoutHandler
     {
-        public async Task HandleAsync(CancellationToken cancellationToken = default)
+        public async Task<ErrorOr<Success>> HandleAsync(CancellationToken cancellationToken = default)
         {
             try
             {
+                if (currentUserService.UserId is { } userId)
+                {
+                    // Primary resolution: use the Finbuckle multi-tenant context, which provides
+                    // the database Id required by the token revocation store.
+                    var tenantId = tenantContextAccessor.MultiTenantContext?.TenantInfo?.Id;
+
+                    if (tenantId is not null)
+                    {
+                        await tokenRevocationService.RevokeUserTokensAsync(userId, tenantId, cancellationToken);
+                    }
+                    else
+                    {
+                        // Fallback: the multi-tenant strategy did not resolve a tenant context
+                        // (e.g. header or route strategies at logout time). Read the tenant claim
+                        // from the bearer principal to produce a meaningful diagnostic. Token
+                        // revocation cannot proceed without the tenant DB Id, so log a warning
+                        // rather than silently succeeding with an unrevoked token.
+                        var tenantClaimKey = idmtOptions.Value.MultiTenant.StrategyOptions
+                            .GetValueOrDefault(IdmtMultiTenantStrategy.Claim, IdmtMultiTenantStrategy.DefaultClaim);
+                        var tenantIdentifierFromClaim = currentUserService.User?.FindFirst(tenantClaimKey)?.Value;
+
+                        logger.LogWarning(
+                            "Token revocation skipped for user {UserId}: tenant context could not be resolved. " +
+                            "Tenant identifier from bearer claims: {TenantIdentifier}. " +
+                            "Ensure the multi-tenant strategy resolves during logout requests, " +
+                            "or add the claim strategy so the tenant can be resolved from the bearer token.",
+                            userId,
+                            tenantIdentifierFromClaim ?? "<not present in claims>");
+                    }
+                }
+
                 await signInManager.SignOutAsync();
+                return Result.Success;
             }
             catch (Exception ex)
             {
                 logger.LogError(ex, "An error occurred during logout");
-                throw;
+                return IdmtErrors.General.Unexpected;
             }
         }
     }
 
     public static RouteHandlerBuilder MapLogoutEndpoint(this IEndpointRouteBuilder endpoints)
     {
-        return endpoints.MapPost("/logout", async Task<NoContent> (
+        return endpoints.MapPost("/logout", async Task<Results<NoContent, ProblemHttpResult>> (
             [FromServices] ILogoutHandler logoutHandler,
             CancellationToken cancellationToken = default) =>
         {
-            await logoutHandler.HandleAsync(cancellationToken);
+            var result = await logoutHandler.HandleAsync(cancellationToken);
+            if (result.IsError)
+            {
+                return TypedResults.Problem(result.FirstError.Description, statusCode: StatusCodes.Status500InternalServerError);
+            }
             return TypedResults.NoContent();
         })
+        .RequireAuthorization()
         .WithSummary("Logout user")
         .WithDescription("Logout user and invalidate bearer token or cookie");
     }
diff --git a/src/Idmt.Plugin/Features/Auth/RefreshToken.cs b/src/Idmt.Plugin/Features/Auth/RefreshToken.cs
index 7dc161f..94b8f01 100644
--- a/src/Idmt.Plugin/Features/Auth/RefreshToken.cs
+++ b/src/Idmt.Plugin/Features/Auth/RefreshToken.cs
@@ -1,5 +1,12 @@
 using System.Security.Claims;
+using ErrorOr;
+using Finbuckle.MultiTenant.Abstractions;
+using FluentValidation;
+using Idmt.Plugin.Configuration;
+using Idmt.Plugin.Errors;
 using Idmt.Plugin.Models;
+using Idmt.Plugin.Services;
+using Idmt.Plugin.Validation;
 using Microsoft.AspNetCore.Authentication.BearerToken;
 using Microsoft.AspNetCore.Builder;
 using Microsoft.AspNetCore.Http;
@@ -19,16 +26,19 @@ public sealed record RefreshTokenResponse(ClaimsPrincipal ClaimsPrincipal);
 
     public interface IRefreshTokenHandler
     {
-        Task<Result<RefreshTokenResponse>> HandleAsync(RefreshTokenRequest request, CancellationToken cancellationToken = default);
+        Task<ErrorOr<RefreshTokenResponse>> HandleAsync(RefreshTokenRequest request, CancellationToken cancellationToken = default);
     }
 
     internal sealed class RefreshTokenHandler(
         IOptionsMonitor<BearerTokenOptions> bearerTokenOptions,
         TimeProvider timeProvider,
-        SignInManager<IdmtUser> signInManager)
+        SignInManager<IdmtUser> signInManager,
+        IMultiTenantContextAccessor<IdmtTenantInfo> tenantContextAccessor,
+        IOptions<IdmtOptions> idmtOptions,
+        ITokenRevocationService tokenRevocationService)
         : IRefreshTokenHandler
     {
-        public async Task<Result<RefreshTokenResponse>> HandleAsync(RefreshTokenRequest request, CancellationToken cancellationToken = default)
+        public async Task<ErrorOr<RefreshTokenResponse>> HandleAsync(RefreshTokenRequest request, CancellationToken cancellationToken = default)
         {
             var refreshTokenProtector = bearerTokenOptions.Get(IdentityConstants.BearerScheme).RefreshTokenProtector;
             var refreshTicket = refreshTokenProtector.Unprotect(request.RefreshToken);
@@ -37,47 +47,61 @@ public async Task<Result<RefreshTokenResponse>> HandleAsync(RefreshTokenRequest
                 timeProvider.GetUtcNow() >= expiresUtc ||
                 await signInManager.ValidateSecurityStampAsync(refreshTicket.Principal) is not IdmtUser user)
             {
-                return Result.Failure<RefreshTokenResponse>("Invalid refresh token", StatusCodes.Status400BadRequest);
+                return IdmtErrors.Token.Invalid;
             }
 
-            ClaimsPrincipal claimsPrincipal = await signInManager.CreateUserPrincipalAsync(user);
-            return Result.Success(new RefreshTokenResponse(claimsPrincipal));
-        }
-    }
+            if (!user.IsActive)
+            {
+                return IdmtErrors.Auth.Unauthorized;
+            }
 
-    public static Dictionary<string, string[]>? Validate(this RefreshTokenRequest request)
-    {
-        if (string.IsNullOrEmpty(request.RefreshToken))
-        {
-            return new Dictionary<string, string[]>
+            // Validate tenant context matches refresh token
+            var tenantClaimKey = idmtOptions.Value.MultiTenant.StrategyOptions.GetValueOrDefault(
+                IdmtMultiTenantStrategy.Claim, IdmtMultiTenantStrategy.DefaultClaim);
+            var tokenTenantClaim = refreshTicket.Principal?.FindFirst(tenantClaimKey)?.Value;
+            var currentTenant = tenantContextAccessor.MultiTenantContext?.TenantInfo?.Identifier;
+
+            if (tokenTenantClaim is null || currentTenant is null || tokenTenantClaim != currentTenant)
             {
-                ["RefreshToken"] = ["Refresh token is required."]
-            };
+                return IdmtErrors.Auth.Unauthorized;
+            }
+
+            // Check if this token has been revoked
+            var issuedAt = refreshTicket.Properties.IssuedUtc
+                ?? expiresUtc - idmtOptions.Value.Identity.Bearer.RefreshTokenExpiration;
+            var tenantId = tenantContextAccessor.MultiTenantContext?.TenantInfo?.Id;
+
+            if (tenantId is not null && await tokenRevocationService.IsTokenRevokedAsync(user.Id, tenantId, issuedAt, cancellationToken))
+            {
+                return IdmtErrors.Token.Revoked;
+            }
+
+            ClaimsPrincipal claimsPrincipal = await signInManager.CreateUserPrincipalAsync(user);
+            return new RefreshTokenResponse(claimsPrincipal);
         }
-        return null;
     }
 
     public static RouteHandlerBuilder MapRefreshTokenEndpoint(this IEndpointRouteBuilder endpoints)
     {
-        return endpoints.MapPost("/refresh", async Task<Results<Ok<AccessTokenResponse>, SignInHttpResult, ChallengeHttpResult, ValidationProblem>> (
+        return endpoints.MapPost("/refresh", async Task<Results<SignInHttpResult, ChallengeHttpResult, ValidationProblem>> (
             [FromBody] RefreshTokenRequest request,
             [FromServices] IRefreshTokenHandler handler,
+            [FromServices] IValidator<RefreshTokenRequest> validator,
             HttpContext context) =>
         {
-            if (request.Validate() is { } validationErrors)
+            if (ValidationHelper.Validate(request, validator) is { } validationErrors)
             {
                 return TypedResults.ValidationProblem(validationErrors);
             }
 
             var response = await handler.HandleAsync(request, cancellationToken: context.RequestAborted);
-            if (!response.IsSuccess)
+            if (response.IsError)
             {
                 return TypedResults.Challenge();
             }
-            return TypedResults.SignIn(response.Value!.ClaimsPrincipal, authenticationScheme: IdentityConstants.BearerScheme);
+            return TypedResults.SignIn(response.Value.ClaimsPrincipal, authenticationScheme: IdentityConstants.BearerScheme);
         })
         .WithSummary("Refresh token")
-        .WithDescription("Refresh JWT token using refresh token")
-        .RequireAuthorization();
+        .WithDescription("Refresh JWT token using refresh token");
     }
-}
\ No newline at end of file
+}
diff --git a/src/Idmt.Plugin/Features/Auth/ResendConfirmationEmail.cs b/src/Idmt.Plugin/Features/Auth/ResendConfirmationEmail.cs
index ee7a364..0bbd4d9 100644
--- a/src/Idmt.Plugin/Features/Auth/ResendConfirmationEmail.cs
+++ b/src/Idmt.Plugin/Features/Auth/ResendConfirmationEmail.cs
@@ -1,4 +1,6 @@
-using System.Text.Encodings.Web;
+using ErrorOr;
+using FluentValidation;
+using Idmt.Plugin.Errors;
 using Idmt.Plugin.Models;
 using Idmt.Plugin.Services;
 using Idmt.Plugin.Validation;
@@ -18,8 +20,7 @@ public sealed record ResendConfirmationEmailRequest(string Email);
 
     public interface IResendConfirmationEmailHandler
     {
-        Task<Result> HandleAsync(
-            bool useApiLinks,
+        Task<ErrorOr<Success>> HandleAsync(
             ResendConfirmationEmailRequest request,
             CancellationToken cancellationToken = default);
     }
@@ -31,8 +32,7 @@ internal sealed class ResendConfirmationEmailHandler(
         ILogger<ResendConfirmationEmailHandler> logger
         ) : IResendConfirmationEmailHandler
     {
-        public async Task<Result> HandleAsync(
-            bool useApiLinks,
+        public async Task<ErrorOr<Success>> HandleAsync(
             ResendConfirmationEmailRequest request,
             CancellationToken cancellationToken = default)
         {
@@ -42,61 +42,46 @@ public async Task<Result> HandleAsync(
                 if (user == null || !user.IsActive)
                 {
                     // Don't reveal whether user exists for security
-                    return Result.Success(StatusCodes.Status200OK);
+                    return Result.Success;
                 }
 
                 if (user.EmailConfirmed)
                 {
-                    return Result.Success(StatusCodes.Status200OK);
+                    return Result.Success;
                 }
 
                 // Generate email confirmation token
                 string token = await userManager.GenerateEmailConfirmationTokenAsync(user);
 
-                string confirmEmailUrl = useApiLinks
-                    ? linkGenerator.GenerateConfirmEmailApiLink(request.Email, token)
-                    : linkGenerator.GenerateConfirmEmailFormLink(request.Email, token);
+                string confirmEmailUrl = linkGenerator.GenerateConfirmEmailLink(request.Email, token);
 
-                await emailSender.SendConfirmationLinkAsync(user, request.Email, HtmlEncoder.Default.Encode(confirmEmailUrl));
+                await emailSender.SendConfirmationLinkAsync(user, request.Email, confirmEmailUrl);
 
-                return Result.Success(StatusCodes.Status200OK);
+                return Result.Success;
             }
             catch (Exception ex)
             {
-                logger.LogError(ex, "Error resending confirmation email to {Email}", request.Email);
-                return Result.Failure($"An error occurred while resending confirmation email: {ex.Message}", StatusCodes.Status500InternalServerError);
+                logger.LogError(ex, "Error resending confirmation email to {Email}", PiiMasker.MaskEmail(request.Email));
+                return IdmtErrors.General.Unexpected;
             }
         }
     }
 
-    public static Dictionary<string, string[]>? Validate(this ResendConfirmationEmailRequest request)
-    {
-        if (!Validators.IsValidEmail(request.Email))
-        {
-            return new Dictionary<string, string[]>
-            {
-                ["Email"] = ["Invalid email address."]
-            };
-        }
-
-        return null;
-    }
-
     public static RouteHandlerBuilder MapResendConfirmationEmailEndpoint(this IEndpointRouteBuilder endpoints)
     {
-        return endpoints.MapPost("/resendConfirmationEmail", async Task<Results<Ok, ValidationProblem, InternalServerError>> (
-            [FromQuery] bool useApiLinks,
+        return endpoints.MapPost("/resend-confirmation-email", async Task<Results<Ok, ValidationProblem, InternalServerError>> (
             [FromBody] ResendConfirmationEmailRequest request,
             [FromServices] IResendConfirmationEmailHandler handler,
+            [FromServices] IValidator<ResendConfirmationEmailRequest> validator,
             HttpContext context) =>
         {
-            if (request.Validate() is { } validationErrors)
+            if (ValidationHelper.Validate(request, validator) is { } validationErrors)
             {
                 return TypedResults.ValidationProblem(validationErrors);
             }
 
-            var result = await handler.HandleAsync(useApiLinks, request, cancellationToken: context.RequestAborted);
-            if (!result.IsSuccess)
+            var result = await handler.HandleAsync(request, cancellationToken: context.RequestAborted);
+            if (result.IsError)
             {
                 return TypedResults.InternalServerError();
             }
diff --git a/src/Idmt.Plugin/Features/Auth/ResetPassword.cs b/src/Idmt.Plugin/Features/Auth/ResetPassword.cs
index f5e0fdd..7bb7a75 100644
--- a/src/Idmt.Plugin/Features/Auth/ResetPassword.cs
+++ b/src/Idmt.Plugin/Features/Auth/ResetPassword.cs
@@ -1,6 +1,9 @@
-using Finbuckle.MultiTenant.Abstractions;
+using ErrorOr;
+using FluentValidation;
 using Idmt.Plugin.Configuration;
+using Idmt.Plugin.Errors;
 using Idmt.Plugin.Models;
+using Idmt.Plugin.Services;
 using Idmt.Plugin.Validation;
 using Microsoft.AspNetCore.Builder;
 using Microsoft.AspNetCore.Http;
@@ -9,153 +12,94 @@
 using Microsoft.AspNetCore.Mvc;
 using Microsoft.AspNetCore.Routing;
 using Microsoft.Extensions.DependencyInjection;
-using Microsoft.Extensions.Options;
+using Microsoft.Extensions.Logging;
 
 namespace Idmt.Plugin.Features.Auth;
 
 public static class ResetPassword
 {
-    public sealed record ResetPasswordRequest(string NewPassword);
+    public sealed record ResetPasswordRequest(string TenantIdentifier, string Email, string Token, string NewPassword);
 
     public interface IResetPasswordHandler
     {
-        Task<Result> HandleAsync(string tenantIdentifier, string email, string token, ResetPasswordRequest request, CancellationToken cancellationToken = default);
+        Task<ErrorOr<Success>> HandleAsync(ResetPasswordRequest request, CancellationToken cancellationToken = default);
     }
 
-    internal sealed class ResetPasswordHandler(IServiceProvider serviceProvider) : IResetPasswordHandler
+    internal sealed class ResetPasswordHandler(
+        ITenantOperationService tenantOps,
+        ILogger<ResetPasswordHandler> logger) : IResetPasswordHandler
     {
-        public async Task<Result> HandleAsync(string tenantIdentifier, string email, string token, ResetPasswordRequest request, CancellationToken cancellationToken = default)
+        public async Task<ErrorOr<Success>> HandleAsync(ResetPasswordRequest request, CancellationToken cancellationToken = default)
         {
-            using var scope = serviceProvider.CreateScope();
-            var provider = scope.ServiceProvider;
-
-            var tenantStore = provider.GetRequiredService<IMultiTenantStore<IdmtTenantInfo>>();
-            var tenantInfo = await tenantStore.GetByIdentifierAsync(tenantIdentifier);
-            if (tenantInfo is null || !tenantInfo.IsActive)
-            {
-                return Result.Failure("Invalid tenant", StatusCodes.Status400BadRequest);
-            }
-            // Set Tenant Context BEFORE resolving DbContext/Managers
-            var tenantContextSetter = provider.GetRequiredService<IMultiTenantContextSetter>();
-            var tenantContext = new MultiTenantContext<IdmtTenantInfo>(tenantInfo);
-            tenantContextSetter.MultiTenantContext = tenantContext;
-
-            var userManager = provider.GetRequiredService<UserManager<IdmtUser>>();
-            try
+            return await tenantOps.ExecuteInTenantScopeAsync(request.TenantIdentifier, async provider =>
             {
-                var user = await userManager.FindByEmailAsync(email);
-                if (user is null)
-                {
-                    // Avoid revealing that the email does not exist
-                    return Result.Failure("User not found", StatusCodes.Status400BadRequest);
-                }
-
-                // Reset password using the token
-                var result = await userManager.ResetPasswordAsync(user, token, request.NewPassword);
-
-                if (!result.Succeeded)
+                var userManager = provider.GetRequiredService<UserManager<IdmtUser>>();
+                try
                 {
-                    var errors = string.Join("\n", result.Errors.Select(e => e.Description));
-                    return Result.Failure(errors, StatusCodes.Status400BadRequest);
+                    var user = await userManager.FindByEmailAsync(request.Email);
+                    if (user is null || !user.IsActive)
+                    {
+                        return IdmtErrors.Password.ResetFailed;
+                    }
+
+                    var result = await userManager.ResetPasswordAsync(user, request.Token, request.NewPassword);
+
+                    if (!result.Succeeded)
+                    {
+                        return IdmtErrors.Password.ResetFailed;
+                    }
+
+                    if (!user.EmailConfirmed)
+                    {
+                        user.EmailConfirmed = true;
+                        await userManager.UpdateAsync(user);
+                    }
+
+                    return Result.Success;
                 }
-
-                if (!user.EmailConfirmed)
+                catch (Exception ex)
                 {
-                    user.EmailConfirmed = true;
-                    await userManager.UpdateAsync(user);
+                    logger.LogError(ex, "An error occurred during password reset for {Email}", PiiMasker.MaskEmail(request.Email));
+                    return IdmtErrors.General.Unexpected;
                 }
-
-                return Result.Success();
-            }
-            catch (Exception ex)
-            {
-                return Result.Failure($"An error occurred while resetting the password: {ex.Message}", StatusCodes.Status500InternalServerError);
-            }
+            });
         }
     }
 
-    public static Dictionary<string, string[]>? Validate(this ResetPasswordRequest request, string tenantIdentifier, string email, string token, Configuration.PasswordOptions options)
-    {
-        var errors = new Dictionary<string, string[]>();
-        if (string.IsNullOrEmpty(tenantIdentifier))
-        {
-            errors["TenantIdentifier"] = ["Tenant ID is required"];
-        }
-        if (!Validators.IsValidEmail(email))
-        {
-            errors["Email"] = ["Invalid email address."];
-        }
-        if (string.IsNullOrEmpty(token))
-        {
-            errors["Token"] = ["Token is required"];
-        }
-        if (!Validators.IsValidNewPassword(request.NewPassword, options, out var newPasswordErrors))
-        {
-            errors["NewPassword"] = newPasswordErrors ?? [];
-        }
-
-        return errors.Count == 0 ? null : errors;
-    }
-
     public static RouteHandlerBuilder MapResetPasswordEndpoint(this IEndpointRouteBuilder endpoints)
     {
-        return endpoints.MapPost("/resetPassword", async Task<Results<Ok, ValidationProblem, BadRequest>> (
-            [FromQuery] string tenantIdentifier,
-            [FromQuery] string email,
-            [FromQuery] string token,
+        return endpoints.MapPost("/reset-password", async Task<Results<Ok, ValidationProblem, BadRequest>> (
             [FromBody] ResetPasswordRequest request,
             [FromServices] IResetPasswordHandler handler,
-            [FromServices] IOptions<IdmtOptions> options,
+            [FromServices] IValidator<ResetPasswordRequest> validator,
             HttpContext context) =>
         {
-            if (request.Validate(tenantIdentifier, email, token, options.Value.Identity.Password) is { } validationErrors)
+            if (ValidationHelper.Validate(request, validator) is { } validationErrors)
             {
                 return TypedResults.ValidationProblem(validationErrors);
             }
-            var result = await handler.HandleAsync(tenantIdentifier, email, token, request, cancellationToken: context.RequestAborted);
-            if (!result.IsSuccess)
+
+            // Decode Base64URL-encoded token
+            string decodedToken;
+            try
             {
-                return TypedResults.BadRequest();
+                decodedToken = Base64Service.DecodeBase64UrlToken(request.Token);
             }
-            return TypedResults.Ok();
-        })
-        .WithName(ApplicationOptions.PasswordResetEndpointName)
-        .WithSummary("Reset password")
-        .WithDescription("Reset password using reset token");
-    }
-
-    public static RouteHandlerBuilder MapResetPasswordRedirectEndpoint(this IEndpointRouteBuilder endpoints)
-    {
-        return endpoints.MapGet("/resetPassword", Results<RedirectHttpResult, ProblemHttpResult> (
-            [FromQuery] string tenantIdentifier,
-            [FromQuery] string email,
-            [FromQuery] string token,
-            [FromServices] IOptions<IdmtOptions> options,
-            HttpContext context) =>
-        {
-            var clientUrl = options.Value.Application.ClientUrl;
-            var resetPasswordPath = options.Value.Application.ResetPasswordFormPath;
-
-            if (string.IsNullOrEmpty(clientUrl))
+            catch (FormatException)
             {
-                return TypedResults.Problem("Client URL is not configured.");
+                return TypedResults.BadRequest();
             }
 
-            var queryParams = new Dictionary<string, string?>
+            var decodedRequest = request with { Token = decodedToken };
+            var result = await handler.HandleAsync(decodedRequest, cancellationToken: context.RequestAborted);
+            if (result.IsError)
             {
-                ["tenantIdentifier"] = tenantIdentifier,
-                ["email"] = email,
-                ["token"] = token
-            };
-
-            var uri = Microsoft.AspNetCore.WebUtilities.QueryHelpers.AddQueryString(
-                $"{clientUrl.TrimEnd('/')}/{resetPasswordPath.TrimStart('/')}",
-                queryParams);
-
-            return TypedResults.Redirect(uri);
+                return TypedResults.BadRequest();
+            }
+            return TypedResults.Ok();
         })
-        .WithName(ApplicationOptions.PasswordResetEndpointName + "-form")
-        .WithSummary("Redirect to reset password form")
-        .WithDescription("Redirect to reset password form");
+        .WithName(IdmtEndpointNames.PasswordReset)
+        .WithSummary("Reset password")
+        .WithDescription("Reset password using reset token");
     }
-}
\ No newline at end of file
+}
diff --git a/src/Idmt.Plugin/Features/AuthEndpoints.cs b/src/Idmt.Plugin/Features/AuthEndpoints.cs
index 31770c4..306a37b 100644
--- a/src/Idmt.Plugin/Features/AuthEndpoints.cs
+++ b/src/Idmt.Plugin/Features/AuthEndpoints.cs
@@ -1,25 +1,45 @@
+using Idmt.Plugin.Configuration;
 using Idmt.Plugin.Features.Auth;
 using Microsoft.AspNetCore.Builder;
 using Microsoft.AspNetCore.Http;
 using Microsoft.AspNetCore.Routing;
+using Microsoft.Extensions.DependencyInjection;
+using Microsoft.Extensions.Options;
 
 namespace Idmt.Plugin.Features;
 
 public static class AuthEndpoints
 {
+    /// <summary>
+    /// The rate limiter policy name applied to all auth endpoints when rate limiting is enabled.
+    /// </summary>
+    internal const string AuthRateLimiterPolicy = "idmt-auth";
+
     public static void MapAuthEndpoints(this IEndpointRouteBuilder endpoints)
     {
+        var idmtOptions = endpoints.ServiceProvider
+            .GetRequiredService<IOptions<IdmtOptions>>().Value;
+
         var auth = endpoints.MapGroup("/auth")
             .WithTags("Authentication");
 
+        // Apply the fixed-window rate limiter to the entire auth group to prevent
+        // brute-force login attacks and email-flooding via forgot-password /
+        // resend-confirmation endpoints. Only added when the feature is enabled so
+        // host applications that manage their own rate limiting can opt out cleanly.
+        if (idmtOptions.RateLimiting.Enabled)
+        {
+            auth.RequireRateLimiting(AuthRateLimiterPolicy);
+        }
+
         auth.MapCookieLoginEndpoint();
         auth.MapLogoutEndpoint();
         auth.MapTokenLoginEndpoint();
         auth.MapRefreshTokenEndpoint();
         auth.MapConfirmEmailEndpoint();
+        auth.MapConfirmEmailDirectEndpoint();
         auth.MapResendConfirmationEmailEndpoint();
         auth.MapForgotPasswordEndpoint();
         auth.MapResetPasswordEndpoint();
-        auth.MapResetPasswordRedirectEndpoint();
     }
-}
\ No newline at end of file
+}
diff --git a/src/Idmt.Plugin/Features/Health/BasicHealthCheck.cs b/src/Idmt.Plugin/Features/Health/BasicHealthCheck.cs
index 0c4d819..71887f7 100644
--- a/src/Idmt.Plugin/Features/Health/BasicHealthCheck.cs
+++ b/src/Idmt.Plugin/Features/Health/BasicHealthCheck.cs
@@ -1,44 +1,40 @@
-using Finbuckle.MultiTenant.Abstractions;
 using Idmt.Plugin.Persistence;
-using Microsoft.EntityFrameworkCore;
 using Microsoft.Extensions.Diagnostics.HealthChecks;
 
 namespace Idmt.Plugin.Features.Health;
 
-public class BasicHealthCheck(IdmtDbContext dbContext, IMultiTenantContextAccessor tenantAccessor) : IHealthCheck
+public class BasicHealthCheck(IdmtDbContext dbContext, TimeProvider timeProvider) : IHealthCheck
 {
     public async Task<HealthCheckResult> CheckHealthAsync(HealthCheckContext context, CancellationToken cancellationToken = default)
     {
-        var currentTenant = tenantAccessor.MultiTenantContext?.TenantInfo;
-
         try
         {
             // Check database connectivity
-            var canConnect = await dbContext.Database.CanConnectAsync();
-
-            // Get user count for current tenant
-            var tenantId = currentTenant?.Id ?? "default";
-            var userCount = await dbContext.Users
-                .Where(u => u.TenantId == tenantId)
-                .CountAsync(cancellationToken: cancellationToken);
+            var canConnect = await dbContext.Database.CanConnectAsync(cancellationToken);
 
+            if (!canConnect)
+            {
+                return HealthCheckResult.Unhealthy("Database connection failed",
+                    data: new Dictionary<string, object>
+                    {
+                        { "database_connected", false },
+                        { "timestamp", timeProvider.GetUtcNow().UtcDateTime }
+                    });
+            }
 
-            return HealthCheckResult.Healthy("Database and tenant user count are healthy",
+            return HealthCheckResult.Healthy("Database is healthy",
                 new Dictionary<string, object>
                 {
-                    { "database_connected", canConnect },
-                    { "current_tenant", currentTenant?.Id ?? "No tenant" },
-                    { "tenant_user_count", userCount },
-                    { "timestamp", DT.UtcNow }
+                    { "database_connected", true },
+                    { "timestamp", timeProvider.GetUtcNow().UtcDateTime }
                 });
         }
         catch (Exception ex)
         {
-            return HealthCheckResult.Unhealthy("Database and tenant user count are unhealthy", ex,
+            return HealthCheckResult.Unhealthy("Database is unhealthy", ex,
                 new Dictionary<string, object>
                 {
-                    { "error", ex.Message },
-                    { "timestamp", DT.UtcNow }
+                    { "timestamp", timeProvider.GetUtcNow().UtcDateTime }
                 });
         }
     }
diff --git a/src/Idmt.Plugin/Features/Manage/GetUserInfo.cs b/src/Idmt.Plugin/Features/Manage/GetUserInfo.cs
index 8cd8d58..927a241 100644
--- a/src/Idmt.Plugin/Features/Manage/GetUserInfo.cs
+++ b/src/Idmt.Plugin/Features/Manage/GetUserInfo.cs
@@ -1,5 +1,7 @@
 using System.Security.Claims;
+using ErrorOr;
 using Finbuckle.MultiTenant.Abstractions;
+using Idmt.Plugin.Errors;
 using Idmt.Plugin.Models;
 using Microsoft.AspNetCore.Builder;
 using Microsoft.AspNetCore.Http;
@@ -16,63 +18,70 @@ public sealed record GetUserInfoResponse(
         string Id,
         string Email,
         string UserName,
-        string Role,
+        IReadOnlyList<string> Roles,
         string TenantIdentifier,
-        string TenantDisplayName
+        string TenantName
     );
 
     public interface IGetUserInfoHandler
     {
-        Task<GetUserInfoResponse?> HandleAsync(ClaimsPrincipal user, CancellationToken cancellationToken = default);
+        Task<ErrorOr<GetUserInfoResponse>> HandleAsync(ClaimsPrincipal user, CancellationToken cancellationToken = default);
     }
 
     internal sealed class GetUserInfoHandler(UserManager<IdmtUser> userManager, IMultiTenantStore<IdmtTenantInfo> tenantStore) : IGetUserInfoHandler
     {
-        public async Task<GetUserInfoResponse?> HandleAsync(ClaimsPrincipal user, CancellationToken cancellationToken = default)
+        public async Task<ErrorOr<GetUserInfoResponse>> HandleAsync(ClaimsPrincipal user, CancellationToken cancellationToken = default)
         {
             var userEmail = user.FindFirstValue(ClaimTypes.Email);
             if (string.IsNullOrEmpty(userEmail))
             {
-                return null;
+                return IdmtErrors.User.ClaimsNotFound;
             }
 
             var appUser = await userManager.FindByEmailAsync(userEmail);
             if (appUser == null || !appUser.IsActive)
             {
-                return null;
+                return IdmtErrors.User.NotFound;
             }
 
-            // Fail fast
-            var role = (await userManager.GetRolesAsync(appUser)).FirstOrDefault() ?? throw new InvalidOperationException("User has no role assigned");
-            var tenant = await tenantStore.GetAsync(appUser.TenantId) ?? throw new InvalidOperationException("Tenant not found");
+            var roles = (await userManager.GetRolesAsync(appUser)).OrderBy(r => r).ToList();
+            if (roles.Count == 0) return IdmtErrors.User.NoRolesAssigned;
+
+            var tenant = await tenantStore.GetAsync(appUser.TenantId);
+            if (tenant is null) return IdmtErrors.Tenant.NotFound;
 
             return new GetUserInfoResponse(
                 appUser.Id.ToString(),
                 appUser.Email ?? string.Empty,
                 appUser.UserName ?? string.Empty,
-                role ?? string.Empty,
+                roles,
                 tenant.Identifier ?? string.Empty,
-                tenant.DisplayName ?? string.Empty
+                tenant.Name ?? string.Empty
             );
         }
     }
 
     public static RouteHandlerBuilder MapGetUserInfoEndpoint(this IEndpointRouteBuilder endpoints)
     {
-        return endpoints.MapGet("/info", async Task<Results<Ok<GetUserInfoResponse>, NotFound>> (
+        return endpoints.MapGet("/info", async Task<Results<Ok<GetUserInfoResponse>, NotFound, BadRequest, ProblemHttpResult>> (
             ClaimsPrincipal user,
             [FromServices] IGetUserInfoHandler handler,
             HttpContext context) =>
         {
             var result = await handler.HandleAsync(user, cancellationToken: context.RequestAborted);
-            if (result == null)
+            if (result.IsError)
             {
-                return TypedResults.NotFound();
+                return result.FirstError.Type switch
+                {
+                    ErrorType.NotFound => TypedResults.NotFound(),
+                    ErrorType.Validation => TypedResults.BadRequest(),
+                    _ => TypedResults.Problem(result.FirstError.Description, statusCode: StatusCodes.Status500InternalServerError),
+                };
             }
-            return TypedResults.Ok(result);
+            return TypedResults.Ok(result.Value);
         })
         .WithSummary("Get user info")
         .WithDescription("Get current user authentication info")
         .RequireAuthorization();
     }
-}
\ No newline at end of file
+}
diff --git a/src/Idmt.Plugin/Features/Manage/RegisterUser.cs b/src/Idmt.Plugin/Features/Manage/RegisterUser.cs
index 2f37490..d6fc9a8 100644
--- a/src/Idmt.Plugin/Features/Manage/RegisterUser.cs
+++ b/src/Idmt.Plugin/Features/Manage/RegisterUser.cs
@@ -1,5 +1,7 @@
-using System.Text.RegularExpressions;
+using ErrorOr;
+using FluentValidation;
 using Idmt.Plugin.Configuration;
+using Idmt.Plugin.Errors;
 using Idmt.Plugin.Models;
 using Idmt.Plugin.Persistence;
 using Idmt.Plugin.Services;
@@ -16,274 +18,140 @@ namespace Idmt.Plugin.Features.Manage;
 
 public static class RegisterUser
 {
-    /// <summary>
-    /// Request model for user registration. Represents the data required to create a new user account.
-    /// The user will be created without a password and will need to set it via the password setup token.
-    /// </summary>
     public sealed record RegisterUserRequest
     {
-        /// <summary>
-        /// Email address for the user. Required and must be a valid email format.
-        /// </summary>
         public required string Email { get; init; }
-
-        /// <summary>
-        /// Optional username. If not provided, the email address will be used as the username.
-        /// </summary>
         public string? Username { get; init; }
-
-        /// <summary>
-        /// Role name to assign to the user upon registration. Required and must be an existing role.
-        /// </summary>
         public required string Role { get; init; }
     }
 
-    /// <summary>
-    /// Response model for user registration operations. Contains the result of the registration attempt,
-    /// including success status, user identifier, password setup token, and any validation or error messages.
-    /// </summary>
     public sealed record RegisterUserResponse
     {
-        /// <summary>
-        /// The unique identifier of the created user (as string). Only populated when Success is true.
-        /// </summary>
         public string? UserId { get; init; }
-
-        /// <summary>
-        /// Password reset token that can be used to set the user's initial password.
-        /// This token is generated using ASP.NET Core Identity's password reset token mechanism.
-        /// Only populated when Success is true.
-        /// </summary>
-        public string? PasswordSetupToken { get; init; }
-
-        /// <summary>
-        /// Fully constructed URL for password setup.
-        /// Contains the email and token as query parameters. Only populated when Success is true.
-        /// </summary>
-        public string? PasswordSetupUrl { get; init; }
     }
 
-    /// <summary>
-    /// Handler interface for user registration operations following the vertical slice architecture pattern.
-    /// Implementations handle the complete registration workflow including validation, user creation,
-    /// role assignment, and password setup token generation.
-    /// </summary>
     public interface IRegisterUserHandler
     {
-        /// <summary>
-        /// Handles a user registration request. Creates a new user account without a password,
-        /// assigns the specified role, and generates a password setup token.
-        /// </summary>
-        /// <param name="request">The registration request containing email, optional username, and role</param>
-        /// <param name="cancellationToken">Cancellation token to cancel the operation</param>
-        /// <returns>Registration response containing success status, user ID, password setup token, and any errors</returns>
-        Task<Result<RegisterUserResponse>> HandleAsync(
-            bool useApiLinks,
+        Task<ErrorOr<RegisterUserResponse>> HandleAsync(
             RegisterUserRequest request,
             CancellationToken cancellationToken = default);
     }
 
-
-    /// <summary>
-    /// Handler implementation for user registration following the vertical slice architecture pattern.
-    /// Handles the complete registration workflow: validates input, checks role existence, creates user account,
-    /// assigns role, and generates password setup token.
-    /// </summary>
-    /// <remarks>
-    /// This handler creates users without passwords. Users must set their password using the generated token.
-    /// The user's email is not confirmed until they set their password (email confirmation is handled elsewhere).
-    /// Users are created as active by default, and soft-deleted by setting IsActive to false.
-    /// </remarks>
     internal sealed class RegisterHandler(
         ILogger<RegisterHandler> logger,
         UserManager<IdmtUser> userManager,
         RoleManager<IdmtRole> roleManager,
-        IUserStore<IdmtUser> userStore,
         ICurrentUserService currentUserService,
         ITenantAccessService tenantAccessService,
         IdmtDbContext dbContext,
         IIdmtLinkGenerator linkGenerator,
         IEmailSender<IdmtUser> emailSender) : IRegisterUserHandler
     {
-        /// <summary>
-        /// Handles the user registration request. Executes the complete registration workflow:
-        /// 1. Validates the request data
-        /// 2. Creates the user entity with basic information
-        /// 3. Begins a database transaction
-        /// 4. Verifies the role exists (within transaction to prevent race conditions)
-        /// 5. Creates the user account with tenant context (within transaction)
-        /// 6. Assigns the specified role (within transaction)
-        /// 7. Commits the transaction if all operations succeed
-        /// 8. Generates password setup token
-        /// 9. Constructs password setup URL if configured
-        /// </summary>
-        /// <param name="request">The registration request containing email, optional username, and role</param>
-        /// <param name="cancellationToken">Cancellation token to cancel the operation</param>
-        /// <returns>Registration response with success status, user ID, password setup token, and any errors</returns>
-        /// <exception cref="NotSupportedException">Thrown when the user store does not support email functionality</exception>
-        public async Task<Result<RegisterUserResponse>> HandleAsync(
-            bool useApiLinks,
+        public async Task<ErrorOr<RegisterUserResponse>> HandleAsync(
             RegisterUserRequest request,
             CancellationToken cancellationToken = default)
         {
             // Security check: Validate role assignment permissions based on current user's role
             if (!tenantAccessService.CanAssignRole(request.Role))
             {
-                return Result.Failure<RegisterUserResponse>("Insufficient permissions to assign this role.", StatusCodes.Status403Forbidden);
+                return IdmtErrors.User.InsufficientPermissions;
             }
 
             // Get the tenant ID from the current user service (from tenant context)
-            var tenantId = currentUserService.TenantId
-                ?? throw new InvalidOperationException("Tenant context is not available. Cannot register user without tenant context.");
+            var tenantId = currentUserService.TenantId;
+            if (tenantId is null)
+            {
+                return IdmtErrors.Tenant.NotResolved;
+            }
 
-            // Create user entity with basic information, no password set
-            // User is active by default, but email is not confirmed until password is set
-            // When the user is unregistered, we set IsActive to false (soft delete)
             var user = new IdmtUser
             {
                 UserName = request.Username ?? request.Email,
                 Email = request.Email,
-                EmailConfirmed = false, // Will be confirmed when password is set
+                EmailConfirmed = false,
                 IsActive = true,
                 TenantId = tenantId,
                 LastLoginAt = null,
             };
 
-            // Use a database transaction to ensure atomicity: all operations (role check, user creation, role assignment) 
-            // happen atomically. If any step fails, everything is rolled back.
             await using var transaction = await dbContext.Database.BeginTransactionAsync(cancellationToken);
             try
             {
-                // Verify that the specified role exists in the system within the transaction
-                // This prevents race conditions where the role could be deleted between check and assignment
-                // Note: This check is not tenant-aware - roles are global across all tenants
                 bool roleExists = await roleManager.RoleExistsAsync(request.Role);
                 if (!roleExists)
                 {
                     await transaction.RollbackAsync(cancellationToken);
-                    return Result.Failure<RegisterUserResponse>("Role not found", StatusCodes.Status400BadRequest);
+                    return IdmtErrors.User.RoleNotFound;
                 }
 
-                // Create the user account (this will validate uniqueness constraints per tenant)
                 var result = await userManager.CreateAsync(user);
 
                 if (!result.Succeeded)
                 {
                     await transaction.RollbackAsync(cancellationToken);
                     logger.LogError("Failed to create user: {ErrorMessage}", result.Errors);
-                    return Result.Failure<RegisterUserResponse>("Failed to create user", StatusCodes.Status400BadRequest);
+                    return IdmtErrors.User.CreationFailed;
                 }
 
-                // Set username and email using store-specific methods (ensures proper normalization)
-                await userStore.SetUserNameAsync(user, request.Username ?? request.Email, cancellationToken);
-                IUserEmailStore<IdmtUser> emailStore = userStore as IUserEmailStore<IdmtUser>
-                    ?? throw new NotSupportedException("The user store does not support email functionality.");
-                await emailStore.SetEmailAsync(user, request.Email, cancellationToken);
-
-                // Assign the specified role to the user
-                // If this fails, the transaction will rollback and the user will not be created
                 var roleResult = await userManager.AddToRoleAsync(user, request.Role);
                 if (!roleResult.Succeeded)
                 {
                     await transaction.RollbackAsync(cancellationToken);
                     logger.LogError("Failed to assign role to user: {ErrorMessage}", roleResult.Errors);
-                    return Result.Failure<RegisterUserResponse>("Failed to assign role to user", StatusCodes.Status400BadRequest);
+                    return IdmtErrors.User.CreationFailed;
                 }
 
-                // Commit the transaction only if role check, user creation, and role assignment all succeeded
                 await transaction.CommitAsync(cancellationToken);
             }
             catch (Exception ex)
             {
                 await transaction.RollbackAsync(cancellationToken);
                 logger.LogError(ex, "Exception occurred during user registration. Transaction rolled back.");
-                return Result.Failure<RegisterUserResponse>($"An error occurred during user registration: {ex.Message}", StatusCodes.Status500InternalServerError);
+                return IdmtErrors.General.Unexpected;
             }
 
-            // Generate password setup token using ASP.NET Core Identity's password reset token mechanism
-            // This token is secure, time-limited, and can be used to set the user's initial password
             var token = await userManager.GeneratePasswordResetTokenAsync(user);
 
-            // Generate password setup URL
-            var passwordSetupUrl = useApiLinks
-                ? linkGenerator.GeneratePasswordResetApiLink(user.Email, token)
-                : linkGenerator.GeneratePasswordResetFormLink(user.Email, token);
+            var passwordSetupUrl = linkGenerator.GeneratePasswordResetLink(user.Email ?? request.Email, token);
 
-            logger.LogInformation("User created: {Email}. Request by {RequestingUserId}. Tenant: {TenantId}.", user.Email, currentUserService.UserId, tenantId);
+            logger.LogInformation("User created: {Email}. Request by {RequestingUserId}. Tenant: {TenantId}.", PiiMasker.MaskEmail(user.Email), currentUserService.UserId, tenantId);
 
-            await emailSender.SendPasswordResetLinkAsync(user, user.Email, passwordSetupUrl);
+            await emailSender.SendPasswordResetLinkAsync(user, user.Email ?? request.Email, passwordSetupUrl);
 
-            return Result.Success(new RegisterUserResponse
+            return new RegisterUserResponse
             {
                 UserId = user.GetId(),
-                PasswordSetupToken = token,
-                PasswordSetupUrl = passwordSetupUrl
-            });
-        }
-    }
-
-    /// <summary>
-    /// Validates the registration request and returns a dictionary of validation errors if any exist.
-    /// Returns null if validation passes.
-    /// </summary>
-    /// <param name="request">The registration request to validate</param>
-    /// <returns>Dictionary of field names to error messages if validation fails, null if validation succeeds</returns>
-    public static Dictionary<string, string[]>? Validate(this RegisterUserRequest request, string? allowedUsernameCharacters = null)
-    {
-        var errors = new Dictionary<string, string[]>();
-
-        // Validate email format using standard email validation
-        if (!Validators.IsValidEmail(request.Email))
-        {
-            errors["Email"] = ["Invalid email address."];
-        }
-
-        // Validate username length if provided (minimum 3 characters)
-        if (request.Username is not null)
-        {
-            if (!string.IsNullOrEmpty(allowedUsernameCharacters) && !Regex.IsMatch(request.Username, $"^[{allowedUsernameCharacters}]+$"))
-            {
-                errors["Username"] = [$"Username must contain only the following characters: {allowedUsernameCharacters}"];
-            }
-        }
-
-        // Validate that role is provided and not empty
-        if (string.IsNullOrEmpty(request.Role))
-        {
-            errors["Role"] = ["Role is required."];
+            };
         }
-
-        return errors.Count == 0 ? null : errors;
     }
 
     public static RouteHandlerBuilder MapRegisterUserEndpoint(this IEndpointRouteBuilder endpoints)
     {
         return endpoints.MapPost("/users", async Task<Results<Ok<RegisterUserResponse>, ValidationProblem, ForbidHttpResult, BadRequest, InternalServerError>> (
-            [FromQuery] bool useApiLinks,
             [FromBody] RegisterUserRequest request,
             [FromServices] IRegisterUserHandler handler,
+            [FromServices] IValidator<RegisterUserRequest> validator,
             HttpContext context) =>
         {
-            // Validate request data (email format, username length, role presence)
-            if (request.Validate() is { } validationErrors)
+            if (ValidationHelper.Validate(request, validator) is { } validationErrors)
             {
                 return TypedResults.ValidationProblem(validationErrors);
             }
 
-            var response = await handler.HandleAsync(useApiLinks, request, cancellationToken: context.RequestAborted);
-            if (!response.IsSuccess)
+            var response = await handler.HandleAsync(request, cancellationToken: context.RequestAborted);
+            if (response.IsError)
             {
-                return response.StatusCode switch
+                return response.FirstError.Type switch
                 {
-                    StatusCodes.Status403Forbidden => TypedResults.Forbid(),
-                    StatusCodes.Status400BadRequest => TypedResults.BadRequest(),
+                    ErrorType.Forbidden => TypedResults.Forbid(),
+                    ErrorType.Validation => TypedResults.BadRequest(),
                     _ => TypedResults.InternalServerError(),
                 };
             }
-            return TypedResults.Ok(response.Value!);
+            return TypedResults.Ok(response.Value);
         })
-        .RequireAuthorization(AuthOptions.RequireTenantManagerPolicy)
+        .RequireAuthorization(IdmtAuthOptions.RequireTenantManagerPolicy)
         .WithSummary("Register user")
         .WithDescription("Register a new user for a tenant (Admin/System only)");
     }
-}
\ No newline at end of file
+}
diff --git a/src/Idmt.Plugin/Features/Manage/UnregisterUser.cs b/src/Idmt.Plugin/Features/Manage/UnregisterUser.cs
index 7f74d96..2e3c4da 100644
--- a/src/Idmt.Plugin/Features/Manage/UnregisterUser.cs
+++ b/src/Idmt.Plugin/Features/Manage/UnregisterUser.cs
@@ -1,5 +1,7 @@
 using System.Security.Claims;
+using ErrorOr;
 using Idmt.Plugin.Configuration;
+using Idmt.Plugin.Errors;
 using Idmt.Plugin.Models;
 using Idmt.Plugin.Services;
 using Microsoft.AspNetCore.Builder;
@@ -17,7 +19,7 @@ public static class UnregisterUser
 {
     public interface IUnregisterUserHandler
     {
-        Task<Result> HandleAsync(Guid userId, CancellationToken cancellationToken = default);
+        Task<ErrorOr<Success>> HandleAsync(Guid userId, CancellationToken cancellationToken = default);
     }
 
     internal sealed class UnregisterUserHandler(
@@ -26,7 +28,7 @@ internal sealed class UnregisterUserHandler(
         UserManager<IdmtUser> userManager,
         ITenantAccessService tenantAccessService) : IUnregisterUserHandler
     {
-        public async Task<Result> HandleAsync(Guid userId, CancellationToken cancellationToken = default)
+        public async Task<ErrorOr<Success>> HandleAsync(Guid userId, CancellationToken cancellationToken = default)
         {
             try
             {
@@ -34,14 +36,14 @@ public async Task<Result> HandleAsync(Guid userId, CancellationToken cancellatio
                 var appUser = await userManager.Users.FirstOrDefaultAsync(u => u.Id == userId, cancellationToken);
                 if (appUser is null)
                 {
-                    return Result.Failure("User not found", StatusCodes.Status404NotFound);
+                    return IdmtErrors.User.NotFound;
                 }
 
                 var userRoles = await userManager.GetRolesAsync(appUser);
 
                 if (!tenantAccessService.CanManageUser(userRoles))
                 {
-                    return Result.Failure("Insufficient permissions to delete this user.", StatusCodes.Status403Forbidden);
+                    return IdmtErrors.User.InsufficientPermissions;
                 }
 
                 var result = await userManager.DeleteAsync(appUser);
@@ -50,16 +52,16 @@ public async Task<Result> HandleAsync(Guid userId, CancellationToken cancellatio
                 {
                     var errors = string.Join("\n", result.Errors.Select(e => e.Description));
                     logger.LogError("Failed to unregister user {UserId}: {Errors}", userId, errors);
-                    return Result.Failure(errors, StatusCodes.Status400BadRequest);
+                    return IdmtErrors.User.DeletionFailed;
                 }
             }
             catch (Exception ex)
             {
                 logger.LogError(ex, "Exception occurred while unregistering user {UserId}", userId);
-                return Result.Failure($"An error occurred while unregistering the user: {ex.Message}", StatusCodes.Status500InternalServerError);
+                return IdmtErrors.General.Unexpected;
             }
 
-            return Result.Success();
+            return Result.Success;
         }
     }
 
@@ -72,20 +74,20 @@ public static RouteHandlerBuilder MapUnregisterUserEndpoint(this IEndpointRouteB
             HttpContext context) =>
         {
             var result = await handler.HandleAsync(userId, cancellationToken: context.RequestAborted);
-            if (!result.IsSuccess)
+            if (result.IsError)
             {
-                return result.StatusCode switch
+                return result.FirstError.Type switch
                 {
-                    StatusCodes.Status404NotFound => TypedResults.NotFound(),
-                    StatusCodes.Status403Forbidden => TypedResults.Forbid(),
-                    StatusCodes.Status400BadRequest => TypedResults.BadRequest(),
+                    ErrorType.NotFound => TypedResults.NotFound(),
+                    ErrorType.Forbidden => TypedResults.Forbid(),
+                    ErrorType.Failure => TypedResults.BadRequest(),
                     _ => TypedResults.InternalServerError(),
                 };
             }
             return TypedResults.Ok();
         })
-        .RequireAuthorization(AuthOptions.RequireTenantManagerPolicy)
+        .RequireAuthorization(IdmtAuthOptions.RequireTenantManagerPolicy)
         .WithSummary("Delete user")
         .WithDescription("Delete a user within the same tenant (Admin/System only)");
     }
-}
\ No newline at end of file
+}
diff --git a/src/Idmt.Plugin/Features/Manage/UpdateUser.cs b/src/Idmt.Plugin/Features/Manage/UpdateUser.cs
index 33a5dec..8731594 100644
--- a/src/Idmt.Plugin/Features/Manage/UpdateUser.cs
+++ b/src/Idmt.Plugin/Features/Manage/UpdateUser.cs
@@ -1,4 +1,6 @@
+using ErrorOr;
 using Idmt.Plugin.Configuration;
+using Idmt.Plugin.Errors;
 using Idmt.Plugin.Models;
 using Idmt.Plugin.Services;
 using Microsoft.AspNetCore.Builder;
@@ -18,7 +20,7 @@ public sealed record UpdateUserRequest(bool IsActive);
 
     public interface IUpdateUserHandler
     {
-        Task<Result> HandleAsync(Guid userId, UpdateUserRequest request, CancellationToken cancellationToken = default);
+        Task<ErrorOr<Success>> HandleAsync(Guid userId, UpdateUserRequest request, CancellationToken cancellationToken = default);
     }
 
     internal sealed class UpdateUserHandler(
@@ -26,21 +28,21 @@ internal sealed class UpdateUserHandler(
         ITenantAccessService tenantAccessService,
         ILogger<UpdateUserHandler> logger) : IUpdateUserHandler
     {
-        public async Task<Result> HandleAsync(Guid userId, UpdateUserRequest request, CancellationToken cancellationToken = default)
+        public async Task<ErrorOr<Success>> HandleAsync(Guid userId, UpdateUserRequest request, CancellationToken cancellationToken = default)
         {
             try
             {
                 var appUser = await userManager.Users.FirstOrDefaultAsync(u => u.Id == userId, cancellationToken);
                 if (appUser == null)
                 {
-                    return Result.Failure("User not found", StatusCodes.Status404NotFound);
+                    return IdmtErrors.User.NotFound;
                 }
 
                 var userRoles = await userManager.GetRolesAsync(appUser);
 
                 if (!tenantAccessService.CanManageUser(userRoles))
                 {
-                    return Result.Failure("Insufficient permissions to update this user.", StatusCodes.Status403Forbidden);
+                    return IdmtErrors.User.InsufficientPermissions;
                 }
 
                 appUser.IsActive = request.IsActive;
@@ -48,14 +50,14 @@ public async Task<Result> HandleAsync(Guid userId, UpdateUserRequest request, Ca
                 var result = await userManager.UpdateAsync(appUser);
                 if (!result.Succeeded)
                 {
-                    return Result.Failure("Failed to update user", StatusCodes.Status400BadRequest);
+                    return IdmtErrors.User.UpdateFailed;
                 }
-                return Result.Success();
+                return Result.Success;
             }
             catch (Exception ex)
             {
                 logger.LogError(ex, "Exception occurred while updating user {UserId}", userId);
-                return Result.Failure($"An error occurred while updating the user: {ex.Message}", StatusCodes.Status500InternalServerError);
+                return IdmtErrors.General.Unexpected;
             }
         }
     }
@@ -69,20 +71,20 @@ public static RouteHandlerBuilder MapUpdateUserEndpoint(this IEndpointRouteBuild
             HttpContext context) =>
         {
             var result = await handler.HandleAsync(userId, request, cancellationToken: context.RequestAborted);
-            if (!result.IsSuccess)
+            if (result.IsError)
             {
-                return result.StatusCode switch
+                return result.FirstError.Type switch
                 {
-                    StatusCodes.Status404NotFound => TypedResults.NotFound(),
-                    StatusCodes.Status403Forbidden => TypedResults.Forbid(),
-                    StatusCodes.Status400BadRequest => TypedResults.BadRequest(),
+                    ErrorType.NotFound => TypedResults.NotFound(),
+                    ErrorType.Forbidden => TypedResults.Forbid(),
+                    ErrorType.Failure => TypedResults.BadRequest(),
                     _ => TypedResults.InternalServerError(),
                 };
             }
             return TypedResults.Ok();
         })
-        .RequireAuthorization(AuthOptions.RequireTenantManagerPolicy)
+        .RequireAuthorization(IdmtAuthOptions.RequireTenantManagerPolicy)
         .WithSummary("Activate/Deactivate user")
         .WithDescription("Activate/Deactivate a user within the same tenant (Admin/System only)");
     }
-}
\ No newline at end of file
+}
diff --git a/src/Idmt.Plugin/Features/Manage/UpdateUserInfo.cs b/src/Idmt.Plugin/Features/Manage/UpdateUserInfo.cs
index 29ed29d..28b45b3 100644
--- a/src/Idmt.Plugin/Features/Manage/UpdateUserInfo.cs
+++ b/src/Idmt.Plugin/Features/Manage/UpdateUserInfo.cs
@@ -1,7 +1,10 @@
 using System.Security.Claims;
-using Idmt.Plugin.Configuration;
+using ErrorOr;
+using FluentValidation;
+using Idmt.Plugin.Errors;
 using Idmt.Plugin.Models;
 using Idmt.Plugin.Persistence;
+using Idmt.Plugin.Services;
 using Idmt.Plugin.Validation;
 using Microsoft.AspNetCore.Builder;
 using Microsoft.AspNetCore.Http;
@@ -10,7 +13,6 @@
 using Microsoft.AspNetCore.Mvc;
 using Microsoft.AspNetCore.Routing;
 using Microsoft.Extensions.Logging;
-using Microsoft.Extensions.Options;
 
 namespace Idmt.Plugin.Features.Manage;
 
@@ -25,15 +27,17 @@ public sealed record UpdateUserInfoRequest(
 
     public interface IUpdateUserInfoHandler
     {
-        Task<Result> HandleAsync(UpdateUserInfoRequest request, ClaimsPrincipal user, CancellationToken cancellationToken = default);
+        Task<ErrorOr<Success>> HandleAsync(UpdateUserInfoRequest request, ClaimsPrincipal user, CancellationToken cancellationToken = default);
     }
 
     internal sealed class UpdateUserInfoHandler(
         UserManager<IdmtUser> userManager,
         IdmtDbContext dbContext,
+        IIdmtLinkGenerator linkGenerator,
+        IEmailSender<IdmtUser> emailSender,
         ILogger<UpdateUserInfoHandler> logger) : IUpdateUserInfoHandler
     {
-        public async Task<Result> HandleAsync(
+        public async Task<ErrorOr<Success>> HandleAsync(
             UpdateUserInfoRequest request,
             ClaimsPrincipal user,
             CancellationToken cancellationToken = default)
@@ -41,22 +45,24 @@ public async Task<Result> HandleAsync(
             var userEmail = user.FindFirstValue(ClaimTypes.Email);
             if (string.IsNullOrEmpty(userEmail))
             {
-                return Result.Failure("User email not found in claims", StatusCodes.Status400BadRequest);
+                return IdmtErrors.User.ClaimsNotFound;
             }
 
             var appUser = await userManager.FindByEmailAsync(userEmail);
             if (appUser == null)
             {
-                return Result.Failure("User not found", StatusCodes.Status404NotFound);
+                return IdmtErrors.User.NotFound;
             }
             if (!appUser.IsActive)
             {
-                return Result.Failure("User is not active", StatusCodes.Status403Forbidden);
+                return IdmtErrors.User.Inactive;
             }
 
             await using var transaction = await dbContext.Database.BeginTransactionAsync(cancellationToken);
             try
             {
+                bool hasChanges = false;
+
                 // Update username if provided
                 if (!string.IsNullOrWhiteSpace(request.NewUsername) && request.NewUsername != appUser.UserName)
                 {
@@ -65,96 +71,102 @@ public async Task<Result> HandleAsync(
                     {
                         logger.LogError("Failed to set username: {ErrorMessage}", setUsernameResult.Errors.Select(e => e.Description));
                         await transaction.RollbackAsync(cancellationToken);
-                        return Result.Failure("Failed to update username", StatusCodes.Status400BadRequest);
+                        return IdmtErrors.User.UpdateFailed;
                     }
+                    hasChanges = true;
                 }
 
-                // Update email if provided
+                // Update email if provided.
+                // ChangeEmailAsync persists the new email and sets EmailConfirmed = false internally.
+                // After that we send a confirmation email to the new address so the user has a
+                // recovery path and is not permanently locked out.
                 if (!string.IsNullOrWhiteSpace(request.NewEmail) && request.NewEmail != appUser.Email)
                 {
-                    // Generate email change token
                     var token = await userManager.GenerateChangeEmailTokenAsync(appUser, request.NewEmail);
-                    var result = await userManager.ChangeEmailAsync(appUser, request.NewEmail, token);
-                    appUser.EmailConfirmed = false;
-                    await userManager.UpdateAsync(appUser);
-
-                    if (!result.Succeeded)
+                    var changeEmailResult = await userManager.ChangeEmailAsync(appUser, request.NewEmail, token);
+                    if (!changeEmailResult.Succeeded)
                     {
-                        logger.LogError("Failed to change email: {ErrorMessage}", result.Errors.Select(e => e.Description));
+                        logger.LogError("Failed to change email: {ErrorMessage}", changeEmailResult.Errors.Select(e => e.Description));
                         await transaction.RollbackAsync(cancellationToken);
-                        return Result.Failure("Failed to update email", StatusCodes.Status400BadRequest);
+                        return IdmtErrors.User.UpdateFailed;
                     }
+
+                    // ChangeEmailAsync already persisted EmailConfirmed = false — do NOT set it again
+                    // or call UpdateAsync for the email change; doing so is redundant and can cause
+                    // a second write with a stale concurrency stamp.
+
+                    // Generate a fresh confirmation token (the change-email token above is now consumed)
+                    // and send the link to the new address so the user can re-confirm.
+                    var confirmToken = await userManager.GenerateEmailConfirmationTokenAsync(appUser);
+                    var confirmLink = linkGenerator.GenerateConfirmEmailLink(request.NewEmail, confirmToken);
+                    await emailSender.SendConfirmationLinkAsync(appUser, request.NewEmail, confirmLink);
+
+                    logger.LogInformation("Email changed for user. Confirmation email dispatched to new address.");
+                    // hasChanges intentionally not set here: ChangeEmailAsync already persisted the
+                    // email change. The flag only controls the final UpdateAsync for other field
+                    // changes (username, password) that are still pending.
                 }
 
                 // Update password if provided
-                if (!string.IsNullOrEmpty(request.OldPassword) && !string.IsNullOrWhiteSpace(request.NewPassword))
+                if (!string.IsNullOrWhiteSpace(request.OldPassword) && !string.IsNullOrWhiteSpace(request.NewPassword))
                 {
                     var changePasswordResult = await userManager.ChangePasswordAsync(appUser, request.OldPassword, request.NewPassword);
                     if (!changePasswordResult.Succeeded)
                     {
                         logger.LogError("Failed to change password: {ErrorMessage}", changePasswordResult.Errors.Select(e => e.Description));
                         await transaction.RollbackAsync(cancellationToken);
-                        return Result.Failure("Failed to update password", StatusCodes.Status400BadRequest);
+                        return IdmtErrors.Password.ResetFailed;
                     }
+                    hasChanges = true;
                 }
 
-                await userManager.UpdateAsync(appUser);
+                if (hasChanges)
+                {
+                    var updateResult = await userManager.UpdateAsync(appUser);
+                    if (!updateResult.Succeeded)
+                    {
+                        logger.LogError("Failed to update user: {Errors}", string.Join(", ", updateResult.Errors.Select(e => e.Description)));
+                        await transaction.RollbackAsync(cancellationToken);
+                        return IdmtErrors.User.UpdateFailed;
+                    }
+                }
 
                 await transaction.CommitAsync(cancellationToken);
 
-                return Result.Success();
+                return Result.Success;
             }
             catch (Exception ex)
             {
                 await transaction.RollbackAsync(cancellationToken);
-                logger.LogError(ex, "Exception occurred during user registration. Transaction rolled back.");
-                return Result.Failure($"An error occurred while updating user info: {ex.Message}", StatusCodes.Status500InternalServerError);
+                logger.LogError(ex, "Exception occurred during user info update. Transaction rolled back.");
+                return IdmtErrors.General.Unexpected;
             }
         }
     }
 
-    public static Dictionary<string, string[]>? Validate(this UpdateUserInfoRequest request, Configuration.PasswordOptions options)
-    {
-        var errors = new Dictionary<string, string[]>();
-        // Only require old password when NewPassword is provided
-        if (!string.IsNullOrEmpty(request.NewPassword) && string.IsNullOrEmpty(request.OldPassword))
-        {
-            errors["OldPassword"] = ["Old password is required to change password"];
-        }
-        if (request.NewEmail is not null && !Validators.IsValidEmail(request.NewEmail))
-        {
-            errors["NewEmail"] = ["New email is not valid"];
-        }
-        if (request.NewPassword is not null && !Validators.IsValidNewPassword(request.NewPassword, options, out var newPasswordErrors))
-        {
-            errors["NewPassword"] = newPasswordErrors ?? [];
-        }
-
-        return errors.Count == 0 ? null : errors;
-    }
-
     public static RouteHandlerBuilder MapUpdateUserInfoEndpoint(this IEndpointRouteBuilder endpoints)
     {
         return endpoints.MapPut("/info", async Task<Results<Ok, ValidationProblem, BadRequest, NotFound, ForbidHttpResult, InternalServerError>> (
             [FromBody] UpdateUserInfoRequest request,
             ClaimsPrincipal user,
             [FromServices] IUpdateUserInfoHandler handler,
-            [FromServices] IOptions<IdmtOptions> options,
+            [FromServices] IValidator<UpdateUserInfoRequest> validator,
             HttpContext context) =>
         {
-            if (request.Validate(options.Value.Identity.Password) is { } errors)
+            if (ValidationHelper.Validate(request, validator) is { } errors)
             {
                 return TypedResults.ValidationProblem(errors);
             }
 
             var result = await handler.HandleAsync(request, user, cancellationToken: context.RequestAborted);
-            if (!result.IsSuccess)
+            if (result.IsError)
             {
-                return result.StatusCode switch
+                return result.FirstError.Type switch
                 {
-                    StatusCodes.Status400BadRequest => TypedResults.BadRequest(),
-                    StatusCodes.Status403Forbidden => TypedResults.Forbid(),
-                    StatusCodes.Status404NotFound => TypedResults.NotFound(),
+                    ErrorType.NotFound => TypedResults.NotFound(),
+                    ErrorType.Forbidden => TypedResults.Forbid(),
+                    ErrorType.Validation => TypedResults.BadRequest(),
+                    ErrorType.Failure => TypedResults.BadRequest(),
                     _ => TypedResults.InternalServerError(),
                 };
             }
@@ -164,4 +176,4 @@ public static RouteHandlerBuilder MapUpdateUserInfoEndpoint(this IEndpointRouteB
         .WithDescription("Update current user authentication info")
         .RequireAuthorization();
     }
-}
\ No newline at end of file
+}
diff --git a/src/Idmt.Plugin/Features/Result.cs b/src/Idmt.Plugin/Features/Result.cs
deleted file mode 100644
index fffc236..0000000
--- a/src/Idmt.Plugin/Features/Result.cs
+++ /dev/null
@@ -1,35 +0,0 @@
-using Microsoft.AspNetCore.Http;
-
-namespace Idmt.Plugin.Features;
-
-public class Result
-{
-    public bool IsSuccess { get; init; }
-    public string? ErrorMessage { get; init; }
-    public int StatusCode { get; init; } = StatusCodes.Status200OK;
-
-    public static Result Success(int statusCode = StatusCodes.Status200OK)
-    {
-        return new Result { IsSuccess = true, StatusCode = statusCode };
-    }
-
-    public static Result Failure(string errorMessage, int statusCode = StatusCodes.Status400BadRequest)
-    {
-        return new Result { IsSuccess = false, ErrorMessage = errorMessage, StatusCode = statusCode };
-    }
-
-    public static Result<T> Success<T>(T value, int statusCode = StatusCodes.Status200OK)
-    {
-        return new Result<T> { IsSuccess = true, Value = value, StatusCode = statusCode };
-    }
-
-    public static Result<T> Failure<T>(string errorMessage, int statusCode = StatusCodes.Status400BadRequest)
-    {
-        return new Result<T> { IsSuccess = false, ErrorMessage = errorMessage, StatusCode = statusCode };
-    }
-}
-
-public class Result<T> : Result
-{
-    public T? Value { get; init; }
-}
\ No newline at end of file
diff --git a/src/Idmt.Plugin/Idmt.Plugin.csproj b/src/Idmt.Plugin/Idmt.Plugin.csproj
index 8e86b25..fc5031e 100644
--- a/src/Idmt.Plugin/Idmt.Plugin.csproj
+++ b/src/Idmt.Plugin/Idmt.Plugin.csproj
@@ -18,15 +18,20 @@
   </ItemGroup>
 
   <ItemGroup>
-    <PackageReference Include="Finbuckle.MultiTenant" Version="10.0.1" />
-    <PackageReference Include="Finbuckle.MultiTenant.AspNetCore" Version="10.0.1" />
-    <PackageReference Include="Finbuckle.MultiTenant.EntityFrameworkCore" Version="10.0.1" />
-    <PackageReference Include="Finbuckle.MultiTenant.Identity.EntityFrameworkCore" Version="10.0.1" />
-    <PackageReference Include="Microsoft.AspNetCore.Identity.EntityFrameworkCore" Version="10.0.1" />
-    <PackageReference Include="Microsoft.AspNetCore.OpenApi" Version="10.0.1" />
-    <PackageReference Include="Microsoft.Extensions.DependencyInjection.Abstractions" Version="10.0.1" />
-    <PackageReference Include="Microsoft.Extensions.Configuration.Abstractions" Version="10.0.1" />
-    <PackageReference Include="Microsoft.SourceLink.GitHub" Version="8.0.0" PrivateAssets="All" />
+    <FrameworkReference Include="Microsoft.AspNetCore.App" />
+  </ItemGroup>
+
+  <ItemGroup>
+    <PackageReference Include="Finbuckle.MultiTenant" Version="10.0.3" />
+    <PackageReference Include="Finbuckle.MultiTenant.AspNetCore" Version="10.0.3" />
+    <PackageReference Include="Finbuckle.MultiTenant.EntityFrameworkCore" Version="10.0.3" />
+    <PackageReference Include="Finbuckle.MultiTenant.Identity.EntityFrameworkCore" Version="10.0.3" />
+    <PackageReference Include="Microsoft.AspNetCore.Identity.EntityFrameworkCore" Version="10.0.3" />
+    <PackageReference Include="Microsoft.AspNetCore.OpenApi" Version="10.0.3" />
+    <PackageReference Include="Microsoft.SourceLink.GitHub" Version="10.0.103" PrivateAssets="All" />
+    <PackageReference Include="ErrorOr" Version="2.1.0" />
+    <PackageReference Include="FluentValidation" Version="12.1.1" />
+    <PackageReference Include="FluentValidation.DependencyInjectionExtensions" Version="12.1.1" />
   </ItemGroup>
 
   <ItemGroup>
diff --git a/src/Idmt.Plugin/Middleware/CurrentUserMiddleware.cs b/src/Idmt.Plugin/Middleware/CurrentUserMiddleware.cs
index 2fe4d38..d7504e0 100644
--- a/src/Idmt.Plugin/Middleware/CurrentUserMiddleware.cs
+++ b/src/Idmt.Plugin/Middleware/CurrentUserMiddleware.cs
@@ -4,8 +4,7 @@
 namespace Idmt.Plugin.Middleware;
 
 /// <summary>
-/// Middleware for setting current user and validating tenant isolation on bearer tokens.
-/// Ensures that users cannot use tokens from one tenant to access another tenant's resources.
+/// Middleware for setting current user context from the authenticated HTTP request.
 /// </summary>
 public class CurrentUserMiddleware(ICurrentUserService currentUserService) : IMiddleware
 {
diff --git a/src/Idmt.Plugin/Middleware/ValidateBearerTokenTenantMiddleware.cs b/src/Idmt.Plugin/Middleware/ValidateBearerTokenTenantMiddleware.cs
index 322ab64..b1d4aff 100644
--- a/src/Idmt.Plugin/Middleware/ValidateBearerTokenTenantMiddleware.cs
+++ b/src/Idmt.Plugin/Middleware/ValidateBearerTokenTenantMiddleware.cs
@@ -1,22 +1,26 @@
 using Finbuckle.MultiTenant.Abstractions;
 using Idmt.Plugin.Configuration;
 using Microsoft.AspNetCore.Http;
+using Microsoft.AspNetCore.Mvc;
+using Microsoft.Extensions.Logging;
 using Microsoft.Extensions.Options;
 
 namespace Idmt.Plugin.Middleware;
 
 public class ValidateBearerTokenTenantMiddleware(
     IMultiTenantContextAccessor tenantContextAccessor,
-    IOptions<IdmtOptions> idmtOptions) : IMiddleware
+    IOptions<IdmtOptions> idmtOptions,
+    ILogger<ValidateBearerTokenTenantMiddleware> logger) : IMiddleware
 {
     public async Task InvokeAsync(HttpContext context, RequestDelegate next)
     {
-        // Validate tenant isolation on bearer token authentication
-        // When a bearer token is used, ensure the token's tenant claim matches the current tenant context
+        // Validate tenant isolation on bearer token authentication.
+        // When a bearer token is used, ensure the token's tenant claim matches the current
+        // tenant context so that a token issued for Tenant A cannot be used against Tenant B.
         if (context.User.Identity?.IsAuthenticated == true &&
             context.Request.Headers.Authorization.ToString().StartsWith("Bearer ", StringComparison.OrdinalIgnoreCase))
         {
-            if (!ValidateTokenTenant(context, tenantContextAccessor))
+            if (!await ValidateTokenTenantAsync(context, tenantContextAccessor))
             {
                 return; // Tenant validation failed, response already set, don't call next
             }
@@ -28,18 +32,25 @@ public async Task InvokeAsync(HttpContext context, RequestDelegate next)
     /// <summary>
     /// Validates that the tenant in the bearer token matches the currently resolved tenant.
     /// This prevents users from using a token from Tenant A to access Tenant B resources.
-    /// Returns false if validation fails and sets appropriate response, true if validation passes.
+    /// Returns false if validation fails and writes a ProblemDetails JSON body, true if
+    /// validation passes.
     /// </summary>
-    private bool ValidateTokenTenant(
+    private async Task<bool> ValidateTokenTenantAsync(
         HttpContext context,
         IMultiTenantContextAccessor tenantContextAccessor)
     {
         try
         {
             var currentTenant = tenantContextAccessor.MultiTenantContext?.TenantInfo;
-            if (currentTenant == null)
+            if (currentTenant is null)
             {
-                return true; // No tenant context resolved, allow the request
+                logger.LogWarning("Bearer token authentication used but no tenant context was resolved. Rejecting request.");
+                await WriteProblemDetailsAsync(
+                    context,
+                    StatusCodes.Status401Unauthorized,
+                    "Unauthorized",
+                    "No tenant context could be resolved for this request.");
+                return false;
             }
 
             // Get the tenant claim type from configuration
@@ -53,23 +64,57 @@ private bool ValidateTokenTenant(
             // If no tenant claim is present in the token, reject the request for security
             if (string.IsNullOrEmpty(tokenTenantClaim))
             {
-                context.Response.StatusCode = StatusCodes.Status401Unauthorized;
+                await WriteProblemDetailsAsync(
+                    context,
+                    StatusCodes.Status401Unauthorized,
+                    "Unauthorized",
+                    "The bearer token does not contain a required tenant claim.");
                 return false;
             }
 
-            // Validate that the token's tenant identifier matches the current request's tenant identifier
-            // The factory adds tenantInfo.Identifier to the claim, so we compare with Identifier, not Id
+            // Validate that the token's tenant identifier matches the current request's tenant
+            // identifier. The factory adds tenantInfo.Identifier to the claim, so we compare
+            // with Identifier, not Id.
             if (!tokenTenantClaim.Equals(currentTenant.Identifier, StringComparison.Ordinal))
             {
-                context.Response.StatusCode = StatusCodes.Status403Forbidden;
+                await WriteProblemDetailsAsync(
+                    context,
+                    StatusCodes.Status403Forbidden,
+                    "Forbidden",
+                    "The bearer token was not issued for the requested tenant.");
                 return false;
             }
 
             return true; // Validation passed
         }
-        catch
+        catch (Exception ex)
         {
-            return false; // On error, reject the request
+            logger.LogWarning(ex, "Error validating bearer token tenant");
+            await WriteProblemDetailsAsync(
+                context,
+                StatusCodes.Status401Unauthorized,
+                "Unauthorized",
+                "An error occurred while validating the bearer token tenant.");
+            return false;
         }
     }
+
+    private static async Task WriteProblemDetailsAsync(
+        HttpContext context,
+        int statusCode,
+        string title,
+        string detail)
+    {
+        context.Response.StatusCode = statusCode;
+        context.Response.ContentType = "application/problem+json";
+        var problemDetails = new ProblemDetails
+        {
+            Status = statusCode,
+            Title = title,
+            Detail = detail
+        };
+        await context.Response.WriteAsJsonAsync(problemDetails, problemDetails.GetType(),
+            options: null, contentType: "application/problem+json",
+            cancellationToken: context.RequestAborted);
+    }
 }
diff --git a/src/Idmt.Plugin/Models/IdmtAuditLog.cs b/src/Idmt.Plugin/Models/IdmtAuditLog.cs
index bc76078..1e4c8fe 100644
--- a/src/Idmt.Plugin/Models/IdmtAuditLog.cs
+++ b/src/Idmt.Plugin/Models/IdmtAuditLog.cs
@@ -53,7 +53,7 @@ public class IdmtAuditLog
     /// <summary>
     /// When this action occurred.
     /// </summary>
-    public DateTime Timestamp { get; set; } = DT.UtcNow;
+    public DateTimeOffset Timestamp { get; set; }
 
     /// <summary>
     /// Whether this was a successful action.
diff --git a/src/Idmt.Plugin/Models/IdmtTenantInfo.cs b/src/Idmt.Plugin/Models/IdmtTenantInfo.cs
index 3e2b255..7327091 100644
--- a/src/Idmt.Plugin/Models/IdmtTenantInfo.cs
+++ b/src/Idmt.Plugin/Models/IdmtTenantInfo.cs
@@ -7,20 +7,37 @@ namespace Idmt.Plugin.Models;
 /// Implements ITenantInfo interface from Finbuckle.MultiTenant.
 /// Identifier must be at least 3 characters long.
 /// </summary>
-public record IdmtTenantInfo : TenantInfo, IAuditable
+public record IdmtTenantInfo : ITenantInfo, IAuditable
 {
-    public IdmtTenantInfo(string id, string identifier, string name) : base(id, identifier, name)
+    public IdmtTenantInfo(string id, string identifier, string name)
     {
+        ArgumentException.ThrowIfNullOrEmpty(id);
+        ArgumentException.ThrowIfNullOrEmpty(identifier);
+        ArgumentException.ThrowIfNullOrEmpty(name);
+        if (identifier.Length < 3)
+        {
+            throw new ArgumentException("Identifier must be at least 3 characters long.", nameof(identifier));
+        }
+
+        Id = id;
+        Identifier = identifier;
+        Name = name;
     }
 
-    public IdmtTenantInfo(string identifier, string name) : base(Guid.CreateVersion7().ToString(), identifier, name)
+    public IdmtTenantInfo(string identifier, string name) : this(Guid.CreateVersion7().ToString(), identifier, name)
     {
     }
 
+    /// <inheritdoc/>
+    public string Id { get; init; }
+
+    /// <inheritdoc/>
+    public string Identifier { get; init; }
+
     /// <summary>
     /// Human-readable display name for the tenant.
     /// </summary>
-    public string? DisplayName { get; init; }
+    public string? Name { get; init; }
 
     /// <summary>
     /// The tenant's subscription or feature plan, if applicable.
@@ -54,7 +71,7 @@ public IdmtTenantInfo(string identifier, string name) : base(Guid.CreateVersion7
 
     public string GetId() => Id ?? string.Empty;
 
-    public string GetName() => nameof(IdmtTenantInfo);
+    public string GetName() => Name ?? Identifier;
 
     public string? GetTenantId() => Id;
 }
\ No newline at end of file
diff --git a/src/Idmt.Plugin/Models/IdmtUser.cs b/src/Idmt.Plugin/Models/IdmtUser.cs
index 518884f..3ae6811 100644
--- a/src/Idmt.Plugin/Models/IdmtUser.cs
+++ b/src/Idmt.Plugin/Models/IdmtUser.cs
@@ -27,7 +27,7 @@ public class IdmtUser : IdentityUser<Guid>, IAuditable
     /// <summary>
     /// When this user last logged in.
     /// </summary>
-    public DateTime? LastLoginAt { get; set; }
+    public DateTimeOffset? LastLoginAt { get; set; }
 
     public string GetId() => Id.ToString();
 
diff --git a/src/Idmt.Plugin/Models/RevokedToken.cs b/src/Idmt.Plugin/Models/RevokedToken.cs
new file mode 100644
index 0000000..11eb5f4
--- /dev/null
+++ b/src/Idmt.Plugin/Models/RevokedToken.cs
@@ -0,0 +1,12 @@
+namespace Idmt.Plugin.Models;
+
+/// <summary>
+/// Tracks revoked refresh token families. Any refresh token issued before
+/// RevokedAt for the given UserId+TenantId is considered invalid.
+/// </summary>
+public sealed class RevokedToken
+{
+    public string TokenId { get; set; } = null!;
+    public DateTimeOffset RevokedAt { get; set; }
+    public DateTimeOffset ExpiresAt { get; set; }
+}
diff --git a/src/Idmt.Plugin/Models/TenantAccess.cs b/src/Idmt.Plugin/Models/TenantAccess.cs
index aa738ae..a58cbba 100644
--- a/src/Idmt.Plugin/Models/TenantAccess.cs
+++ b/src/Idmt.Plugin/Models/TenantAccess.cs
@@ -23,9 +23,9 @@ public sealed class TenantAccess : IAuditable
     public bool IsActive { get; set; } = true;
 
     /// <summary>
-    /// Optional expiration date
+    /// Optional expiration date (always UTC)
     /// </summary>
-    public DateTime? ExpiresAt { get; set; }
+    public DateTimeOffset? ExpiresAt { get; set; }
 
     public string GetId() => Id.ToString();
 
diff --git a/src/Idmt.Plugin/Persistence/IdmtDbContext.cs b/src/Idmt.Plugin/Persistence/IdmtDbContext.cs
index 847e9e5..3d6d6e1 100644
--- a/src/Idmt.Plugin/Persistence/IdmtDbContext.cs
+++ b/src/Idmt.Plugin/Persistence/IdmtDbContext.cs
@@ -1,9 +1,12 @@
 using Finbuckle.MultiTenant.Abstractions;
 using Finbuckle.MultiTenant.EntityFrameworkCore.Extensions;
 using Finbuckle.MultiTenant.Identity.EntityFrameworkCore;
+using Idmt.Plugin.Constants;
 using Idmt.Plugin.Models;
 using Idmt.Plugin.Services;
 using Microsoft.EntityFrameworkCore;
+using Microsoft.EntityFrameworkCore.Storage.ValueConversion;
+using Microsoft.Extensions.Logging;
 
 namespace Idmt.Plugin.Persistence;
 
@@ -14,30 +17,42 @@ public class IdmtDbContext
     : MultiTenantIdentityDbContext<IdmtUser, IdmtRole, Guid>
 {
     private readonly ICurrentUserService _currentUserService;
+    private readonly TimeProvider _timeProvider;
+    private readonly ILogger<IdmtDbContext> _logger;
 
     public IdmtDbContext(
-        IMultiTenantContextAccessor multiTenantContextAccessor, ICurrentUserService currentUserService)
+        IMultiTenantContextAccessor multiTenantContextAccessor, ICurrentUserService currentUserService, TimeProvider timeProvider, ILogger<IdmtDbContext> logger)
         : base(multiTenantContextAccessor)
     {
         _currentUserService = currentUserService;
+        _timeProvider = timeProvider;
+        _logger = logger;
     }
 
     public IdmtDbContext(
         IMultiTenantContextAccessor multiTenantContextAccessor,
         DbContextOptions<IdmtDbContext> options,
-        ICurrentUserService currentUserService)
+        ICurrentUserService currentUserService,
+        TimeProvider timeProvider,
+        ILogger<IdmtDbContext> logger)
         : base(multiTenantContextAccessor, options)
     {
         _currentUserService = currentUserService;
+        _timeProvider = timeProvider;
+        _logger = logger;
     }
 
     protected IdmtDbContext(
         IMultiTenantContextAccessor multiTenantContextAccessor,
         DbContextOptions options,
-        ICurrentUserService currentUserService)
+        ICurrentUserService currentUserService,
+        TimeProvider timeProvider,
+        ILogger<IdmtDbContext> logger)
         : base(multiTenantContextAccessor, options)
     {
         _currentUserService = currentUserService;
+        _timeProvider = timeProvider;
+        _logger = logger;
     }
 
     /// <summary>
@@ -50,16 +65,34 @@ protected IdmtDbContext(
     /// </summary>
     public DbSet<TenantAccess> TenantAccess { get; set; } = null!;
 
+    /// <summary>
+    /// Revoked refresh token records for token revocation tracking.
+    /// </summary>
+    public DbSet<RevokedToken> RevokedTokens { get; set; } = null!;
+
     protected override void OnModelCreating(ModelBuilder builder)
     {
         base.OnModelCreating(builder);
 
+        // Store DateTimeOffset as UTC ticks (long) so that range comparisons are
+        // translatable by all supported providers, including the SQLite provider
+        // used in unit tests (which cannot translate DateTimeOffset text comparisons
+        // in ExecuteDelete / ExecuteDeleteAsync).
+        var dateTimeOffsetConverter = new ValueConverter<DateTimeOffset, long>(
+            dto => dto.UtcTicks,
+            ticks => new DateTimeOffset(ticks, TimeSpan.Zero));
+
+        var nullableDateTimeOffsetConverter = new ValueConverter<DateTimeOffset?, long?>(
+            dto => dto == null ? null : dto.Value.UtcTicks,
+            ticks => ticks == null ? null : new DateTimeOffset(ticks.Value, TimeSpan.Zero));
+
         // Configure user entity with proper multi-tenant support
         builder.Entity<IdmtUser>(entity =>
         {
             entity.HasIndex(u => u.IsActive);
             entity.HasIndex(u => new { u.Email, u.UserName, u.TenantId }).IsUnique();
             entity.IsMultiTenant();
+            entity.Property(u => u.LastLoginAt).HasConversion(nullableDateTimeOffsetConverter);
         });
 
         // Configure role entity with proper multi-tenant support
@@ -77,15 +110,27 @@ protected override void OnModelCreating(ModelBuilder builder)
             entity.HasIndex(a => new { a.UserId, a.Timestamp });
             entity.HasIndex(a => new { a.TenantId, a.Timestamp });
             entity.HasIndex(a => a.Action);
+            entity.Property(a => a.Timestamp).HasConversion(dateTimeOffsetConverter);
         });
 
         // Configure tenant access
         builder.Entity<TenantAccess>(entity =>
         {
             entity.HasKey(ta => ta.Id);
-            entity.HasIndex(ta => new { ta.UserId, ta.TenantId });
+            entity.HasIndex(ta => new { ta.UserId, ta.TenantId }).IsUnique();
             entity.HasIndex(ta => ta.TenantId);
             entity.HasIndex(ta => ta.IsActive);
+            entity.Property(ta => ta.ExpiresAt).HasConversion(nullableDateTimeOffsetConverter);
+        });
+
+        // Configure revoked tokens
+        builder.Entity<RevokedToken>(entity =>
+        {
+            entity.HasKey(rt => rt.TokenId);
+            entity.Property(rt => rt.TokenId).HasMaxLength(128);
+            entity.Property(rt => rt.RevokedAt).HasConversion(dateTimeOffsetConverter);
+            entity.Property(rt => rt.ExpiresAt).HasConversion(dateTimeOffsetConverter);
+            entity.HasIndex(rt => rt.ExpiresAt);
         });
 
         // Configure TenantInfo - IdmtTenantStoreDbContext accesses this table but doesn't configure it
@@ -101,7 +146,6 @@ protected override void OnModelCreating(ModelBuilder builder)
 
             // Property configurations for custom properties
             entity.Property(ti => ti.Name).HasMaxLength(200);
-            entity.Property(ti => ti.DisplayName).HasMaxLength(200);
             entity.Property(ti => ti.Plan).HasMaxLength(100);
             entity.Property(ti => ti.IsActive).IsRequired().HasDefaultValue(true);
 
@@ -114,58 +158,70 @@ protected override void OnModelCreating(ModelBuilder builder)
 
     public override Task<int> SaveChangesAsync(CancellationToken cancellationToken = default)
     {
-        var entries = ChangeTracker.Entries<IAuditable>().ToArray();
-
-        foreach (var entry in entries)
+        try
         {
-            if (entry.State == EntityState.Added)
+            var entries = ChangeTracker.Entries<IAuditable>().ToArray();
+
+            foreach (var entry in entries)
             {
-                AuditLogs.Add(new IdmtAuditLog
+                if (entry.State == EntityState.Added)
                 {
-                    UserId = _currentUserService.UserId,
-                    TenantId = entry.Entity.GetTenantId(),
-                    Action = "Created",
-                    Resource = entry.Entity.GetName(),
-                    ResourceId = entry.Entity.GetId(),
-                    Success = true,
-                    Timestamp = DT.UtcNow,
-                    IpAddress = _currentUserService.IpAddress,
-                    UserAgent = _currentUserService.UserAgent,
-                });
-            }
-            else if (entry.State == EntityState.Deleted)
-            {
-                AuditLogs.Add(new IdmtAuditLog
+                    AuditLogs.Add(new IdmtAuditLog
+                    {
+                        UserId = _currentUserService.UserId,
+                        TenantId = entry.Entity.GetTenantId(),
+                        Action = AuditAction.Created.ToString(),
+                        Resource = entry.Entity.GetName(),
+                        ResourceId = entry.Entity.GetId(),
+                        Success = true,
+                        Timestamp = _timeProvider.GetUtcNow(),
+                        IpAddress = _currentUserService.IpAddress,
+                        UserAgent = _currentUserService.UserAgent,
+                    });
+                }
+                else if (entry.State == EntityState.Deleted)
                 {
-                    UserId = _currentUserService.UserId,
-                    TenantId = entry.Entity.GetTenantId(),
-                    Action = "Deleted",
-                    Resource = entry.Entity.GetName(),
-                    ResourceId = entry.Entity.GetId(),
-                    Success = true,
-                    Timestamp = DT.UtcNow,
-                    IpAddress = _currentUserService.IpAddress,
-                    UserAgent = _currentUserService.UserAgent,
-                });
+                    AuditLogs.Add(new IdmtAuditLog
+                    {
+                        UserId = _currentUserService.UserId,
+                        TenantId = entry.Entity.GetTenantId(),
+                        Action = AuditAction.Deleted.ToString(),
+                        Resource = entry.Entity.GetName(),
+                        ResourceId = entry.Entity.GetId(),
+                        Success = true,
+                        Timestamp = _timeProvider.GetUtcNow(),
+                        IpAddress = _currentUserService.IpAddress,
+                        UserAgent = _currentUserService.UserAgent,
+                    });
+                }
+                else if (entry.State == EntityState.Modified)
+                {
+                    string details = string.Join("\n", entry.Properties
+                        .Where(prop => prop.IsModified)
+                        .Select(prop => prop.Metadata.Name));
+                    AuditLogs.Add(new IdmtAuditLog
+                    {
+                        UserId = _currentUserService.UserId,
+                        TenantId = entry.Entity.GetTenantId(),
+                        Action = AuditAction.Modified.ToString(),
+                        Resource = entry.Entity.GetName(),
+                        ResourceId = entry.Entity.GetId(),
+                        Details = details,
+                        Success = true,
+                        Timestamp = _timeProvider.GetUtcNow(),
+                        IpAddress = _currentUserService.IpAddress,
+                        UserAgent = _currentUserService.UserAgent,
+                    });
+                }
             }
-            else if (entry.State == EntityState.Modified)
+        }
+        catch (Exception ex)
+        {
+            _logger.LogWarning(ex, "Audit logging failed during SaveChangesAsync");
+            foreach (var entry in ChangeTracker.Entries<IdmtAuditLog>()
+                .Where(e => e.State == EntityState.Added).ToList())
             {
-                string details = string.Join("\n", entry.Properties
-                    .Where(prop => prop.IsModified)
-                    .Select(prop => prop.Metadata.Name));
-                AuditLogs.Add(new IdmtAuditLog
-                {
-                    UserId = _currentUserService.UserId,
-                    TenantId = entry.Entity.GetTenantId(),
-                    Action = "Modified",
-                    Resource = entry.Entity.GetName(),
-                    ResourceId = entry.Entity.GetId(),
-                    Details = details,
-                    Success = true,
-                    Timestamp = DT.UtcNow,
-                    IpAddress = _currentUserService.IpAddress,
-                    UserAgent = _currentUserService.UserAgent,
-                });
+                entry.State = EntityState.Detached;
             }
         }
 
@@ -173,5 +229,5 @@ public override Task<int> SaveChangesAsync(CancellationToken cancellationToken =
     }
 
     public override int SaveChanges() =>
-        SaveChangesAsync(CancellationToken.None).GetAwaiter().GetResult();
+        throw new NotSupportedException("Use SaveChangesAsync. Sync SaveChanges is not supported in IdmtDbContext.");
 }
\ No newline at end of file
diff --git a/src/Idmt.Plugin/Persistence/IdmtTenantStoreDbContext.cs b/src/Idmt.Plugin/Persistence/IdmtTenantStoreDbContext.cs
index 99d603b..88ee424 100644
--- a/src/Idmt.Plugin/Persistence/IdmtTenantStoreDbContext.cs
+++ b/src/Idmt.Plugin/Persistence/IdmtTenantStoreDbContext.cs
@@ -22,7 +22,7 @@ protected IdmtTenantStoreDbContext(DbContextOptions options) : base(options)
 
     protected override void OnModelCreating(ModelBuilder modelBuilder)
     {
-        // IdmtDbContext owns all table configurations
-        // This keeps migrations simple: only run dotnet ef migrations with IdmtDbContext
+        base.OnModelCreating(modelBuilder);
+        // IdmtDbContext owns all table configurations for migrations
     }
 }
diff --git a/src/Idmt.Plugin/Services/Base64Service.cs b/src/Idmt.Plugin/Services/Base64Service.cs
new file mode 100644
index 0000000..323d737
--- /dev/null
+++ b/src/Idmt.Plugin/Services/Base64Service.cs
@@ -0,0 +1,11 @@
+using System.Text;
+using Microsoft.AspNetCore.WebUtilities;
+
+internal static class Base64Service
+{
+    internal static string DecodeBase64UrlToken(string encodedToken)
+    {
+        var bytes = WebEncoders.Base64UrlDecode(encodedToken);
+        return Encoding.UTF8.GetString(bytes);
+    }
+}
\ No newline at end of file
diff --git a/src/Idmt.Plugin/Services/BetterSignInManager.cs b/src/Idmt.Plugin/Services/BetterSignInManager.cs
deleted file mode 100644
index 80758ae..0000000
--- a/src/Idmt.Plugin/Services/BetterSignInManager.cs
+++ /dev/null
@@ -1,44 +0,0 @@
-using Idmt.Plugin.Models;
-using Microsoft.AspNetCore.Authentication;
-using Microsoft.AspNetCore.Http;
-using Microsoft.AspNetCore.Identity;
-using Microsoft.Extensions.Logging;
-using Microsoft.Extensions.Options;
-
-namespace Idmt.Plugin.Services;
-
-/// <summary>
-/// Provides the APIs for user sign in.
-/// </summary>
-/// <typeparam name="TUser">The type encapsulating a user.</typeparam>
-internal sealed class BetterSignInManager(
-    UserManager<IdmtUser> userManager,
-    IHttpContextAccessor contextAccessor,
-    IUserClaimsPrincipalFactory<IdmtUser> claimsFactory,
-    IOptions<IdentityOptions> optionsAccessor,
-    ILogger<SignInManager<IdmtUser>> logger,
-    IAuthenticationSchemeProvider schemes,
-    IUserConfirmation<IdmtUser> confirmation)
-    : SignInManager<IdmtUser>(userManager, contextAccessor, claimsFactory, optionsAccessor, logger, schemes, confirmation)
-{
-    /// <summary>
-    /// Attempts to sign in the specified <paramref name="userName"/> and <paramref name="password"/> combination
-    /// as an asynchronous operation.
-    /// </summary>
-    /// <param name="userName">The userName or email to sign in.</param>
-    /// <param name="password">The password to attempt to sign in with.</param>
-    /// <param name="isPersistent">Flag indicating whether the sign-in cookie should persist after the browser is closed.</param>
-    /// <param name="lockoutOnFailure">Flag indicating if the user account should be locked if the sign in fails.</param>
-    /// <returns>The task object representing the asynchronous operation containing the <see name="SignInResult"/>
-    /// for the sign-in attempt.</returns>
-    public override async Task<SignInResult> PasswordSignInAsync(string userName, string password, bool isPersistent, bool lockoutOnFailure)
-    {
-        var user = await UserManager.FindByEmailAsync(userName);
-        user ??= await UserManager.FindByNameAsync(userName);
-        if (user == null)
-        {
-            return SignInResult.Failed;
-        }
-        return await PasswordSignInAsync(user, password, isPersistent, lockoutOnFailure);
-    }
-}
\ No newline at end of file
diff --git a/src/Idmt.Plugin/Services/CurrentUserService.cs b/src/Idmt.Plugin/Services/CurrentUserService.cs
index cbaf8f0..7bc5ee7 100644
--- a/src/Idmt.Plugin/Services/CurrentUserService.cs
+++ b/src/Idmt.Plugin/Services/CurrentUserService.cs
@@ -16,7 +16,7 @@ internal sealed class CurrentUserService(
     public string? UserAgent { get; private set; }
 
     public Guid? UserId =>
-        Guid.TryParse(User?.FindFirstValue(ClaimTypes.NameIdentifier) ?? Guid.Empty.ToString(), out var userId) ? userId : null;
+        Guid.TryParse(User?.FindFirstValue(ClaimTypes.NameIdentifier), out var userId) ? userId : null;
 
     public string? UserIdAsString => User?.FindFirstValue(ClaimTypes.NameIdentifier);
 
diff --git a/src/Idmt.Plugin/Services/ICurrentUserService.cs b/src/Idmt.Plugin/Services/ICurrentUserService.cs
index 40c57df..b871ee6 100644
--- a/src/Idmt.Plugin/Services/ICurrentUserService.cs
+++ b/src/Idmt.Plugin/Services/ICurrentUserService.cs
@@ -14,6 +14,7 @@ public interface ICurrentUserService
     string? UserName { get; }
     string? TenantId { get; }
     string? TenantIdentifier { get; }
+    bool IsActive { get; }
 
     bool IsInRole(string role);
 
diff --git a/src/Idmt.Plugin/Services/ITenantAccessService.cs b/src/Idmt.Plugin/Services/ITenantAccessService.cs
index 319488a..b76708c 100644
--- a/src/Idmt.Plugin/Services/ITenantAccessService.cs
+++ b/src/Idmt.Plugin/Services/ITenantAccessService.cs
@@ -10,8 +10,9 @@ public interface ITenantAccessService
     /// </summary>
     /// <param name="userId">The ID of the user.</param>
     /// <param name="tenantId">The id of the tenant.</param>
+    /// <param name="cancellationToken">Cancellation token.</param>
     /// <returns>True if the user can access the tenant, false otherwise.</returns>
-    Task<bool> CanAccessTenantAsync(Guid userId, string tenantId);
+    Task<bool> CanAccessTenantAsync(Guid userId, string tenantId, CancellationToken cancellationToken = default);
 
     /// <summary>
     /// Checks if the current user can assign the specified role.
diff --git a/src/Idmt.Plugin/Services/ITenantOperationService.cs b/src/Idmt.Plugin/Services/ITenantOperationService.cs
new file mode 100644
index 0000000..26d4375
--- /dev/null
+++ b/src/Idmt.Plugin/Services/ITenantOperationService.cs
@@ -0,0 +1,16 @@
+using ErrorOr;
+
+namespace Idmt.Plugin.Services;
+
+public interface ITenantOperationService
+{
+    Task<ErrorOr<T>> ExecuteInTenantScopeAsync<T>(
+        string tenantIdentifier,
+        Func<IServiceProvider, Task<ErrorOr<T>>> operation,
+        bool requireActive = true);
+
+    Task<ErrorOr<Success>> ExecuteInTenantScopeAsync(
+        string tenantIdentifier,
+        Func<IServiceProvider, Task<ErrorOr<Success>>> operation,
+        bool requireActive = true);
+}
diff --git a/src/Idmt.Plugin/Services/ITokenRevocationService.cs b/src/Idmt.Plugin/Services/ITokenRevocationService.cs
new file mode 100644
index 0000000..42103de
--- /dev/null
+++ b/src/Idmt.Plugin/Services/ITokenRevocationService.cs
@@ -0,0 +1,8 @@
+namespace Idmt.Plugin.Services;
+
+public interface ITokenRevocationService
+{
+    Task RevokeUserTokensAsync(Guid userId, string tenantId, CancellationToken cancellationToken = default);
+    Task<bool> IsTokenRevokedAsync(Guid userId, string tenantId, DateTimeOffset issuedAt, CancellationToken cancellationToken = default);
+    Task CleanupExpiredAsync(CancellationToken cancellationToken = default);
+}
diff --git a/src/Idmt.Plugin/Services/IdmtEmailSender.cs b/src/Idmt.Plugin/Services/IdmtEmailSender.cs
index f9ed466..b8116fe 100644
--- a/src/Idmt.Plugin/Services/IdmtEmailSender.cs
+++ b/src/Idmt.Plugin/Services/IdmtEmailSender.cs
@@ -8,22 +8,19 @@ public class IdmtEmailSender(ILogger<IdmtEmailSender> logger) : IEmailSender<Idm
 {
     public virtual Task SendConfirmationLinkAsync(IdmtUser user, string email, string confirmationLink)
     {
-        Console.WriteLine("Sending confirmation link to {0} with link {1}", email, confirmationLink);
-        logger.LogInformation("Sending confirmation link to {Email} with link {Link}", email, confirmationLink);
+        logger.LogWarning("Email sending is not configured (stub implementation). Confirmation link for {Email} was not sent", email);
         return Task.CompletedTask;
     }
 
     public virtual Task SendPasswordResetCodeAsync(IdmtUser user, string email, string resetCode)
     {
-        Console.WriteLine("Sending password reset code to {0} with code {1}", email, resetCode);
-        logger.LogInformation("Sending password reset code to {Email} with code {Code}", email, resetCode);
+        logger.LogWarning("Email sending is not configured (stub implementation). Password reset code for {Email} was not sent", email);
         return Task.CompletedTask;
     }
 
     public virtual Task SendPasswordResetLinkAsync(IdmtUser user, string email, string resetLink)
     {
-        Console.WriteLine("Sending password reset link to {0} with link {1}", email, resetLink);
-        logger.LogInformation("Sending password reset link to {Email} with link {Link}", email, resetLink);
+        logger.LogWarning("Email sending is not configured (stub implementation). Password reset link for {Email} was not sent", email);
         return Task.CompletedTask;
     }
 }
diff --git a/src/Idmt.Plugin/Services/IdmtEmailSenderStartupCheck.cs b/src/Idmt.Plugin/Services/IdmtEmailSenderStartupCheck.cs
new file mode 100644
index 0000000..52ef390
--- /dev/null
+++ b/src/Idmt.Plugin/Services/IdmtEmailSenderStartupCheck.cs
@@ -0,0 +1,46 @@
+using Idmt.Plugin.Models;
+using Microsoft.AspNetCore.Identity;
+using Microsoft.Extensions.DependencyInjection;
+using Microsoft.Extensions.Hosting;
+using Microsoft.Extensions.Logging;
+
+namespace Idmt.Plugin.Services;
+
+/// <summary>
+/// A startup check that logs a warning when <see cref="IdmtEmailSender"/> (the built-in no-op
+/// stub) is the registered <see cref="IEmailSender{IdmtUser}"/> implementation. This surfaces
+/// the misconfiguration at application startup rather than silently at the point where an email
+/// would have been delivered.
+/// </summary>
+/// <remarks>
+/// To silence this warning, register a real <c>IEmailSender&lt;IdmtUser&gt;</c> implementation
+/// before calling <c>AddIdmt</c>, or replace the stub after the call:
+/// <code>
+/// services.AddTransient&lt;IEmailSender&lt;IdmtUser&gt;, MySmtpEmailSender&gt;();
+/// </code>
+/// The last registration wins because ASP.NET Core DI resolves the last-registered descriptor
+/// for a given service type.
+/// </remarks>
+internal sealed class IdmtEmailSenderStartupCheck(
+    IServiceProvider serviceProvider,
+    ILogger<IdmtEmailSenderStartupCheck> logger) : IHostedService
+{
+    public Task StartAsync(CancellationToken cancellationToken)
+    {
+        // Resolve inside a scope so we do not keep scoped/transient instances alive for the
+        // lifetime of the host. IEmailSender<IdmtUser> is registered as transient.
+        using var scope = serviceProvider.CreateScope();
+        var sender = scope.ServiceProvider.GetRequiredService<IEmailSender<IdmtUser>>();
+
+        if (sender is IdmtEmailSender)
+        {
+            logger.LogWarning(
+                "Using default IdmtEmailSender stub — emails will not be delivered. " +
+                "Register a custom IEmailSender<IdmtUser> for production use.");
+        }
+
+        return Task.CompletedTask;
+    }
+
+    public Task StopAsync(CancellationToken cancellationToken) => Task.CompletedTask;
+}
diff --git a/src/Idmt.Plugin/Services/IdmtLinkGenerator.cs b/src/Idmt.Plugin/Services/IdmtLinkGenerator.cs
index 289ee3f..411bc01 100644
--- a/src/Idmt.Plugin/Services/IdmtLinkGenerator.cs
+++ b/src/Idmt.Plugin/Services/IdmtLinkGenerator.cs
@@ -1,7 +1,9 @@
+using System.Text;
 using Finbuckle.MultiTenant.Abstractions;
 using Idmt.Plugin.Configuration;
 using Microsoft.AspNetCore.Http;
 using Microsoft.AspNetCore.Routing;
+using Microsoft.AspNetCore.WebUtilities;
 using Microsoft.Extensions.Logging;
 using Microsoft.Extensions.Options;
 
@@ -9,10 +11,8 @@ namespace Idmt.Plugin.Services;
 
 public interface IIdmtLinkGenerator
 {
-    string GenerateConfirmEmailApiLink(string email, string token);
-    string GenerateConfirmEmailFormLink(string email, string token);
-    string GeneratePasswordResetApiLink(string email, string token);
-    string GeneratePasswordResetFormLink(string email, string token);
+    string GenerateConfirmEmailLink(string email, string token);
+    string GeneratePasswordResetLink(string email, string token);
 }
 
 public sealed class IdmtLinkGenerator(
@@ -22,98 +22,74 @@ public sealed class IdmtLinkGenerator(
     IOptions<IdmtOptions> options,
     ILogger<IdmtLinkGenerator> logger) : IIdmtLinkGenerator
 {
-    public string GenerateConfirmEmailApiLink(string email, string token)
+    public string GenerateConfirmEmailLink(string email, string token)
     {
-        if (httpContextAccessor.HttpContext is null)
-        {
-            throw new InvalidOperationException("No HTTP context was found.");
-        }
-
-        var routeValues = new RouteValueDictionary()
-        {
-            [GetTenantRouteParameter()] = multiTenantContextAccessor.MultiTenantContext?.TenantInfo?.Identifier ?? string.Empty,
-            ["tenantIdentifier"] = multiTenantContextAccessor.MultiTenantContext?.TenantInfo?.Identifier ?? string.Empty,
-            ["email"] = email,
-            ["token"] = token,
-        };
-
-        var confirmEmailUrl = linkGenerator.GetUriByName(httpContextAccessor.HttpContext, ApplicationOptions.ConfirmEmailEndpointName, routeValues)
-            ?? throw new NotSupportedException($"Could not find endpoint named '{ApplicationOptions.ConfirmEmailEndpointName}'.");
-
-        logger.LogInformation("Confirm email link generated for {Email}. Tenant: {TenantId}.", email, multiTenantContextAccessor.MultiTenantContext?.TenantInfo?.Id ?? string.Empty);
+        var httpContext = httpContextAccessor.HttpContext
+            ?? throw new InvalidOperationException("No HTTP context was found.");
 
-        return confirmEmailUrl;
-    }
+        var encodedToken = WebEncoders.Base64UrlEncode(Encoding.UTF8.GetBytes(token));
+        var tenantIdentifier = multiTenantContextAccessor.MultiTenantContext?.TenantInfo?.Identifier ?? string.Empty;
+        var mode = options.Value.Application.EmailConfirmationMode;
 
-    public string GenerateConfirmEmailFormLink(string email, string token)
-    {
-        if (httpContextAccessor.HttpContext is null)
+        string url;
+        if (mode == EmailConfirmationMode.ServerConfirm)
         {
-            throw new InvalidOperationException("No HTTP context was found.");
+            var routeValues = new RouteValueDictionary
+            {
+                ["tenantIdentifier"] = tenantIdentifier,
+                ["email"] = email,
+                ["token"] = encodedToken,
+            };
+
+            // Add route strategy parameter if route strategy is active
+            AddTenantRouteParameter(routeValues, tenantIdentifier);
+
+            url = linkGenerator.GetUriByName(httpContext, IdmtEndpointNames.ConfirmEmailDirect, routeValues)
+                ?? throw new NotSupportedException($"Could not find endpoint named '{IdmtEndpointNames.ConfirmEmailDirect}'.");
         }
-
-        var clientUrl = options.Value.Application.ClientUrl;
-        var confirmEmailFormPath = options.Value.Application.ConfirmEmailFormPath;
-
-        if (string.IsNullOrEmpty(clientUrl))
+        else
         {
-            throw new InvalidOperationException("Client URL is not configured.");
+            url = BuildClientFormUrl(
+                options.Value.Application.ClientUrl,
+                options.Value.Application.ConfirmEmailFormPath,
+                tenantIdentifier,
+                email,
+                encodedToken);
         }
 
-        var queryParams = new Dictionary<string, string?>
-        {
-            [GetTenantRouteParameter()] = multiTenantContextAccessor.MultiTenantContext?.TenantInfo?.Identifier ?? string.Empty,
-            ["tenantIdentifier"] = multiTenantContextAccessor.MultiTenantContext?.TenantInfo?.Identifier ?? string.Empty,
-            ["email"] = email,
-            ["token"] = token,
-        };
-
-        var uri = Microsoft.AspNetCore.WebUtilities.QueryHelpers.AddQueryString(
-            $"{clientUrl.TrimEnd('/')}/{confirmEmailFormPath.TrimStart('/')}",
-            queryParams);
-
-        logger.LogInformation("Confirm email link generated for {Email}. Tenant: {TenantId}.", email, multiTenantContextAccessor.MultiTenantContext?.TenantInfo?.Id ?? string.Empty);
+        logger.LogInformation("Confirm email link generated for {Email}. Tenant: {TenantId}.",
+            PiiMasker.MaskEmail(email),
+            multiTenantContextAccessor.MultiTenantContext?.TenantInfo?.Id ?? string.Empty);
 
-        return uri;
+        return url;
     }
 
-    public string GeneratePasswordResetApiLink(string email, string token)
+    public string GeneratePasswordResetLink(string email, string token)
     {
         if (httpContextAccessor.HttpContext is null)
         {
             throw new InvalidOperationException("No HTTP context was found.");
         }
 
-        // Generate password setup URL
-        var routeValues = new RouteValueDictionary()
-        {
-            [GetTenantRouteParameter()] = multiTenantContextAccessor.MultiTenantContext?.TenantInfo?.Identifier ?? string.Empty,
-            ["tenantIdentifier"] = multiTenantContextAccessor.MultiTenantContext?.TenantInfo?.Identifier ?? string.Empty,
-            ["email"] = email,
-            ["token"] = token,
-        };
+        var encodedToken = WebEncoders.Base64UrlEncode(Encoding.UTF8.GetBytes(token));
+        var tenantIdentifier = multiTenantContextAccessor.MultiTenantContext?.TenantInfo?.Identifier ?? string.Empty;
 
-        var passwordSetupUrl = linkGenerator.GetUriByName(
-            httpContextAccessor.HttpContext,
-            ApplicationOptions.PasswordResetEndpointName,
-            routeValues)
-            ?? throw new NotSupportedException($"Could not find endpoint named '{ApplicationOptions.PasswordResetEndpointName}'.");
+        var url = BuildClientFormUrl(
+            options.Value.Application.ClientUrl,
+            options.Value.Application.ResetPasswordFormPath,
+            tenantIdentifier,
+            email,
+            encodedToken);
 
-        logger.LogInformation("Password reset link generated for {Email}. Tenant: {TenantId}.", email, multiTenantContextAccessor.MultiTenantContext?.TenantInfo?.Id ?? string.Empty);
+        logger.LogInformation("Password reset link generated for {Email}. Tenant: {TenantId}.",
+            PiiMasker.MaskEmail(email),
+            multiTenantContextAccessor.MultiTenantContext?.TenantInfo?.Id ?? string.Empty);
 
-        return passwordSetupUrl;
+        return url;
     }
 
-    public string GeneratePasswordResetFormLink(string email, string token)
+    private static string BuildClientFormUrl(string? clientUrl, string formPath, string tenantIdentifier, string email, string encodedToken)
     {
-        if (httpContextAccessor.HttpContext is null)
-        {
-            throw new InvalidOperationException("No HTTP context was found.");
-        }
-
-        var clientUrl = options.Value.Application.ClientUrl;
-        var resetPasswordFormPath = options.Value.Application.ResetPasswordFormPath;
-
         if (string.IsNullOrEmpty(clientUrl))
         {
             throw new InvalidOperationException("Client URL is not configured.");
@@ -121,21 +97,25 @@ public string GeneratePasswordResetFormLink(string email, string token)
 
         var queryParams = new Dictionary<string, string?>
         {
-            [GetTenantRouteParameter()] = multiTenantContextAccessor.MultiTenantContext?.TenantInfo?.Identifier ?? string.Empty,
-            ["tenantIdentifier"] = multiTenantContextAccessor.MultiTenantContext?.TenantInfo?.Identifier ?? string.Empty,
+            ["tenantIdentifier"] = tenantIdentifier,
             ["email"] = email,
-            ["token"] = token,
+            ["token"] = encodedToken,
         };
 
-        var uri = Microsoft.AspNetCore.WebUtilities.QueryHelpers.AddQueryString(
-            $"{clientUrl.TrimEnd('/')}/{resetPasswordFormPath.TrimStart('/')}",
+        return QueryHelpers.AddQueryString(
+            $"{clientUrl.TrimEnd('/')}/{formPath.TrimStart('/')}",
             queryParams);
+    }
 
-        logger.LogInformation("Password reset link generated for {Email}. Tenant: {TenantId}.", email, multiTenantContextAccessor.MultiTenantContext?.TenantInfo?.Id ?? string.Empty);
+    private void AddTenantRouteParameter(RouteValueDictionary routeValues, string tenantIdentifier)
+    {
+        var routeParam = options.Value.MultiTenant.StrategyOptions
+            .GetValueOrDefault(IdmtMultiTenantStrategy.Route, IdmtMultiTenantStrategy.DefaultRouteParameter);
 
-        return uri;
+        // Only add if different from "tenantIdentifier" to avoid duplication
+        if (!string.Equals(routeParam, "tenantIdentifier", StringComparison.Ordinal))
+        {
+            routeValues[routeParam] = tenantIdentifier;
+        }
     }
-
-    private string GetTenantRouteParameter() =>
-        options.Value.MultiTenant.StrategyOptions.GetValueOrDefault(IdmtMultiTenantStrategy.Route, IdmtMultiTenantStrategy.DefaultRouteParameter);
-}
\ No newline at end of file
+}
diff --git a/src/Idmt.Plugin/Services/IdmtUserClaimsPrincipalFactory.cs b/src/Idmt.Plugin/Services/IdmtUserClaimsPrincipalFactory.cs
index 710f83e..3ae5711 100644
--- a/src/Idmt.Plugin/Services/IdmtUserClaimsPrincipalFactory.cs
+++ b/src/Idmt.Plugin/Services/IdmtUserClaimsPrincipalFactory.cs
@@ -1,8 +1,10 @@
 using System.Security.Claims;
 using Finbuckle.MultiTenant.Abstractions;
 using Idmt.Plugin.Configuration;
+using Idmt.Plugin.Constants;
 using Idmt.Plugin.Models;
 using Microsoft.AspNetCore.Identity;
+using Microsoft.Extensions.Logging;
 using Microsoft.Extensions.Options;
 
 namespace Idmt.Plugin.Services;
@@ -12,7 +14,8 @@ internal sealed class IdmtUserClaimsPrincipalFactory(
     RoleManager<IdmtRole> roleManager,
     IOptions<IdentityOptions> optionsAccessor,
     IMultiTenantStore<IdmtTenantInfo> tenantStore,
-    IOptions<IdmtOptions> idmtOptions)
+    IOptions<IdmtOptions> idmtOptions,
+    ILogger<IdmtUserClaimsPrincipalFactory> logger)
     : UserClaimsPrincipalFactory<IdmtUser, IdmtRole>(userManager, roleManager, optionsAccessor)
 {
     protected override async Task<ClaimsIdentity> GenerateClaimsAsync(IdmtUser user)
@@ -20,15 +23,21 @@ protected override async Task<ClaimsIdentity> GenerateClaimsAsync(IdmtUser user)
         var identity = await base.GenerateClaimsAsync(user);
 
         // Add custom claims
-        identity.AddClaim(new Claim("is_active", user.IsActive.ToString()));
+        identity.AddClaim(new Claim(IdmtClaimTypes.IsActive, user.IsActive.ToString()));
 
         // Add tenant claim for multi-tenant strategies (header, claim, route)
         // This ensures token validation includes tenant context
         var claimKey = idmtOptions.Value.MultiTenant.StrategyOptions.GetValueOrDefault(IdmtMultiTenantStrategy.Claim, IdmtMultiTenantStrategy.DefaultClaim);
 
         // Try to get tenant info from store using user's TenantId
-        var tenantInfo = await tenantStore.GetAsync(user.TenantId) ?? throw new InvalidOperationException($"Tenant information not found for tenant ID: {user.TenantId}. User ID: {user.Id}");
-        identity.AddClaim(new Claim(claimKey, tenantInfo.Identifier));
+        var tenantInfo = await tenantStore.GetAsync(user.TenantId);
+        if (tenantInfo is null)
+        {
+            logger.LogWarning("Tenant information not found for tenant ID: {TenantId}. User ID: {UserId}. Returning identity without tenant claim.", user.TenantId, user.Id);
+            return identity;
+        }
+
+        identity.AddClaim(new Claim(claimKey, tenantInfo.Identifier ?? string.Empty));
 
         return identity;
     }
diff --git a/src/Idmt.Plugin/Services/PiiMasker.cs b/src/Idmt.Plugin/Services/PiiMasker.cs
new file mode 100644
index 0000000..69260d8
--- /dev/null
+++ b/src/Idmt.Plugin/Services/PiiMasker.cs
@@ -0,0 +1,16 @@
+namespace Idmt.Plugin.Services;
+
+/// <summary>
+/// Utility for masking personally identifiable information in log output.
+/// </summary>
+internal static class PiiMasker
+{
+    /// <summary>
+    /// Masks an email address, keeping only the first 3 characters visible.
+    /// </summary>
+    public static string MaskEmail(string? email)
+    {
+        if (string.IsNullOrEmpty(email)) return "***";
+        return email.Length > 3 ? string.Concat(email.AsSpan(0, 3), "***") : "***";
+    }
+}
diff --git a/src/Idmt.Plugin/Services/TenantAccessService.cs b/src/Idmt.Plugin/Services/TenantAccessService.cs
index 3e8993e..6754f2f 100644
--- a/src/Idmt.Plugin/Services/TenantAccessService.cs
+++ b/src/Idmt.Plugin/Services/TenantAccessService.cs
@@ -6,16 +6,18 @@ namespace Idmt.Plugin.Services;
 
 internal sealed class TenantAccessService(
     IdmtDbContext dbContext,
-    ICurrentUserService currentUserService) : ITenantAccessService
+    ICurrentUserService currentUserService,
+    TimeProvider timeProvider) : ITenantAccessService
 {
-    public async Task<bool> CanAccessTenantAsync(Guid userId, string tenantId)
+    public async Task<bool> CanAccessTenantAsync(Guid userId, string tenantId, CancellationToken cancellationToken = default)
     {
         return await dbContext.TenantAccess
             .AnyAsync(ta =>
                 ta.UserId == userId &&
                 ta.TenantId == tenantId &&
                 ta.IsActive &&
-                (ta.ExpiresAt == null || ta.ExpiresAt > DT.UtcNow));
+                (ta.ExpiresAt == null || ta.ExpiresAt > timeProvider.GetUtcNow()),
+                cancellationToken);
     }
 
     public bool CanAssignRole(string role)
diff --git a/src/Idmt.Plugin/Services/TenantOperationService.cs b/src/Idmt.Plugin/Services/TenantOperationService.cs
new file mode 100644
index 0000000..917ae80
--- /dev/null
+++ b/src/Idmt.Plugin/Services/TenantOperationService.cs
@@ -0,0 +1,46 @@
+using ErrorOr;
+using Finbuckle.MultiTenant.Abstractions;
+using Idmt.Plugin.Errors;
+using Idmt.Plugin.Models;
+using Microsoft.Extensions.DependencyInjection;
+
+namespace Idmt.Plugin.Services;
+
+internal sealed class TenantOperationService(IServiceProvider serviceProvider) : ITenantOperationService
+{
+    public async Task<ErrorOr<T>> ExecuteInTenantScopeAsync<T>(
+        string tenantIdentifier,
+        Func<IServiceProvider, Task<ErrorOr<T>>> operation,
+        bool requireActive = true)
+    {
+        using var scope = serviceProvider.CreateScope();
+        var provider = scope.ServiceProvider;
+
+        var tenantStore = provider.GetRequiredService<IMultiTenantStore<IdmtTenantInfo>>();
+        var tenantInfo = await tenantStore.GetByIdentifierAsync(tenantIdentifier);
+
+        if (tenantInfo is null)
+        {
+            return IdmtErrors.Tenant.NotFound;
+        }
+
+        if (requireActive && !tenantInfo.IsActive)
+        {
+            return IdmtErrors.Tenant.Inactive;
+        }
+
+        // Set tenant context before resolving scoped services
+        var tenantContextSetter = provider.GetRequiredService<IMultiTenantContextSetter>();
+        tenantContextSetter.MultiTenantContext = new MultiTenantContext<IdmtTenantInfo>(tenantInfo);
+
+        return await operation(provider);
+    }
+
+    public async Task<ErrorOr<Success>> ExecuteInTenantScopeAsync(
+        string tenantIdentifier,
+        Func<IServiceProvider, Task<ErrorOr<Success>>> operation,
+        bool requireActive = true)
+    {
+        return await ExecuteInTenantScopeAsync<Success>(tenantIdentifier, operation, requireActive);
+    }
+}
diff --git a/src/Idmt.Plugin/Services/TokenRevocationCleanupService.cs b/src/Idmt.Plugin/Services/TokenRevocationCleanupService.cs
new file mode 100644
index 0000000..3fcb930
--- /dev/null
+++ b/src/Idmt.Plugin/Services/TokenRevocationCleanupService.cs
@@ -0,0 +1,39 @@
+using Microsoft.Extensions.DependencyInjection;
+using Microsoft.Extensions.Hosting;
+using Microsoft.Extensions.Logging;
+
+namespace Idmt.Plugin.Services;
+
+internal sealed class TokenRevocationCleanupService(
+    IServiceScopeFactory scopeFactory,
+    ILogger<TokenRevocationCleanupService> logger,
+    TimeSpan? interval = null) : BackgroundService
+{
+    private readonly TimeSpan _interval = interval ?? TimeSpan.FromHours(1);
+
+    protected override async Task ExecuteAsync(CancellationToken stoppingToken)
+    {
+        while (!stoppingToken.IsCancellationRequested)
+        {
+            try
+            {
+                await Task.Delay(_interval, stoppingToken);
+
+                using var scope = scopeFactory.CreateScope();
+                var revocationService = scope.ServiceProvider.GetRequiredService<ITokenRevocationService>();
+                await revocationService.CleanupExpiredAsync(stoppingToken);
+
+                logger.LogDebug("Token revocation cleanup completed");
+            }
+            catch (OperationCanceledException) when (stoppingToken.IsCancellationRequested)
+            {
+                // Graceful shutdown
+                break;
+            }
+            catch (Exception ex)
+            {
+                logger.LogError(ex, "Error during token revocation cleanup");
+            }
+        }
+    }
+}
diff --git a/src/Idmt.Plugin/Services/TokenRevocationService.cs b/src/Idmt.Plugin/Services/TokenRevocationService.cs
new file mode 100644
index 0000000..fbd6e90
--- /dev/null
+++ b/src/Idmt.Plugin/Services/TokenRevocationService.cs
@@ -0,0 +1,90 @@
+using Idmt.Plugin.Configuration;
+using Idmt.Plugin.Models;
+using Idmt.Plugin.Persistence;
+using Microsoft.EntityFrameworkCore;
+using Microsoft.Extensions.Logging;
+using Microsoft.Extensions.Options;
+
+namespace Idmt.Plugin.Services;
+
+internal sealed class TokenRevocationService(
+    IdmtDbContext dbContext,
+    TimeProvider timeProvider,
+    IOptions<IdmtOptions> idmtOptions,
+    ILogger<TokenRevocationService> logger) : ITokenRevocationService
+{
+    public async Task RevokeUserTokensAsync(Guid userId, string tenantId, CancellationToken cancellationToken = default)
+    {
+        var tokenId = BuildTokenId(userId, tenantId);
+        var now = timeProvider.GetUtcNow();
+        var expiresAt = now.Add(idmtOptions.Value.Identity.Bearer.RefreshTokenExpiration);
+
+        var existing = await dbContext.RevokedTokens.FindAsync([tokenId], cancellationToken);
+        if (existing is not null)
+        {
+            // Only extend the expiry — never move RevokedAt forward as that
+            // would re-validate tokens issued between the old and new timestamps
+            existing.ExpiresAt = expiresAt;
+        }
+        else
+        {
+            dbContext.RevokedTokens.Add(new RevokedToken
+            {
+                TokenId = tokenId,
+                RevokedAt = now,
+                ExpiresAt = expiresAt
+            });
+        }
+
+        try
+        {
+            await dbContext.SaveChangesAsync(cancellationToken);
+        }
+        catch (DbUpdateException) when (existing is null)
+        {
+            // TOCTOU race: a concurrent logout for the same user+tenant won the
+            // insert race and triggered a unique constraint violation. Clear the
+            // tracker so the conflicting Add is no longer tracked, then reload
+            // the winner's record and slide its ExpiresAt forward.
+            // RevokedAt is intentionally left untouched — the winning insert
+            // already recorded the earliest revocation timestamp, which is
+            // correct: moving it forward would re-validate tokens issued between
+            // the two concurrent revocation calls.
+            dbContext.ChangeTracker.Clear();
+            var conflict = await dbContext.RevokedTokens.FindAsync([tokenId], cancellationToken);
+            if (conflict is not null)
+            {
+                conflict.ExpiresAt = expiresAt;
+                await dbContext.SaveChangesAsync(cancellationToken);
+            }
+        }
+
+        logger.LogInformation("Revoked all refresh tokens for user {UserId} in tenant {TenantId}", userId, tenantId);
+    }
+
+    public async Task<bool> IsTokenRevokedAsync(Guid userId, string tenantId, DateTimeOffset issuedAt, CancellationToken cancellationToken = default)
+    {
+        var tokenId = BuildTokenId(userId, tenantId);
+        var revocation = await dbContext.RevokedTokens
+            .AsNoTracking()
+            .FirstOrDefaultAsync(rt => rt.TokenId == tokenId, cancellationToken);
+
+        // Strict less-than: a token issued at the exact revocation time is considered new (post-revocation)
+        return revocation is not null && issuedAt < revocation.RevokedAt;
+    }
+
+    public async Task CleanupExpiredAsync(CancellationToken cancellationToken = default)
+    {
+        var now = timeProvider.GetUtcNow();
+        var count = await dbContext.RevokedTokens
+            .Where(rt => rt.ExpiresAt < now)
+            .ExecuteDeleteAsync(cancellationToken);
+
+        if (count > 0)
+        {
+            logger.LogInformation("Cleaned up {Count} expired token revocation records", count);
+        }
+    }
+
+    private static string BuildTokenId(Guid userId, string tenantId) => $"{userId}:{tenantId}";
+}
diff --git a/src/Idmt.Plugin/Validation/ConfirmEmailRequestValidator.cs b/src/Idmt.Plugin/Validation/ConfirmEmailRequestValidator.cs
new file mode 100644
index 0000000..63ea408
--- /dev/null
+++ b/src/Idmt.Plugin/Validation/ConfirmEmailRequestValidator.cs
@@ -0,0 +1,21 @@
+using FluentValidation;
+using Idmt.Plugin.Features.Auth;
+
+namespace Idmt.Plugin.Validation;
+
+public class ConfirmEmailRequestValidator : AbstractValidator<ConfirmEmail.ConfirmEmailRequest>
+{
+    public ConfirmEmailRequestValidator()
+    {
+        RuleFor(x => x.TenantIdentifier).NotEmpty()
+            .WithMessage("Tenant identifier is required");
+
+        RuleFor(x => x.Email).NotEmpty()
+            .WithMessage("Email is required")
+            .Must(Validators.IsValidEmail)
+            .WithMessage("Invalid email address");
+
+        RuleFor(x => x.Token).NotEmpty()
+            .WithMessage("Token is required");
+    }
+}
diff --git a/src/Idmt.Plugin/Validation/CreateTenantRequestValidator.cs b/src/Idmt.Plugin/Validation/CreateTenantRequestValidator.cs
new file mode 100644
index 0000000..4770a3f
--- /dev/null
+++ b/src/Idmt.Plugin/Validation/CreateTenantRequestValidator.cs
@@ -0,0 +1,22 @@
+using FluentValidation;
+using Idmt.Plugin.Features.Admin;
+
+namespace Idmt.Plugin.Validation;
+
+public class CreateTenantRequestValidator : AbstractValidator<CreateTenant.CreateTenantRequest>
+{
+    public CreateTenantRequestValidator()
+    {
+        RuleFor(x => x.Identifier).NotEmpty()
+            .WithMessage("Identifier is required")
+            .MinimumLength(3)
+            .WithMessage("Identifier must be at least 3 characters")
+            .Must(Validators.IsValidTenantIdentifier)
+            .WithMessage("Identifier can only contain lowercase alphanumeric characters, dashes, and underscores");
+
+        RuleFor(x => x.Name).NotEmpty()
+            .WithMessage("Name is required")
+            .MaximumLength(200)
+            .WithMessage("Name must not exceed 200 characters");
+    }
+}
diff --git a/src/Idmt.Plugin/Validation/ForgotPasswordRequestValidator.cs b/src/Idmt.Plugin/Validation/ForgotPasswordRequestValidator.cs
new file mode 100644
index 0000000..f01f746
--- /dev/null
+++ b/src/Idmt.Plugin/Validation/ForgotPasswordRequestValidator.cs
@@ -0,0 +1,13 @@
+using FluentValidation;
+using Idmt.Plugin.Features.Auth;
+
+namespace Idmt.Plugin.Validation;
+
+public class ForgotPasswordRequestValidator : AbstractValidator<ForgotPassword.ForgotPasswordRequest>
+{
+    public ForgotPasswordRequestValidator()
+    {
+        RuleFor(x => x.Email).Must(Validators.IsValidEmail)
+            .WithMessage("Invalid email address.");
+    }
+}
diff --git a/src/Idmt.Plugin/Validation/LoginRequestValidator.cs b/src/Idmt.Plugin/Validation/LoginRequestValidator.cs
new file mode 100644
index 0000000..5a27121
--- /dev/null
+++ b/src/Idmt.Plugin/Validation/LoginRequestValidator.cs
@@ -0,0 +1,29 @@
+using FluentValidation;
+using Idmt.Plugin.Features.Auth;
+
+namespace Idmt.Plugin.Validation;
+
+public class LoginRequestValidator : AbstractValidator<Login.LoginRequest>
+{
+    public LoginRequestValidator()
+    {
+        RuleFor(x => x).Must(x => x.Email is not null || x.Username is not null)
+            .WithMessage("Email or Username is required.")
+            .WithName("Identifier");
+
+        When(x => x.Email is not null, () =>
+        {
+            RuleFor(x => x.Email).Must(Validators.IsValidEmail)
+                .WithMessage("Invalid email.");
+        });
+
+        When(x => x.Username is not null, () =>
+        {
+            RuleFor(x => x.Username).Must(Validators.IsValidUsername)
+                .WithMessage("Invalid username.");
+        });
+
+        RuleFor(x => x.Password).NotEmpty()
+            .WithMessage("Password is required.");
+    }
+}
diff --git a/src/Idmt.Plugin/Validation/RefreshTokenRequestValidator.cs b/src/Idmt.Plugin/Validation/RefreshTokenRequestValidator.cs
new file mode 100644
index 0000000..4f0f838
--- /dev/null
+++ b/src/Idmt.Plugin/Validation/RefreshTokenRequestValidator.cs
@@ -0,0 +1,13 @@
+using FluentValidation;
+using Idmt.Plugin.Features.Auth;
+
+namespace Idmt.Plugin.Validation;
+
+public class RefreshTokenRequestValidator : AbstractValidator<RefreshToken.RefreshTokenRequest>
+{
+    public RefreshTokenRequestValidator()
+    {
+        RuleFor(x => x.RefreshToken).NotEmpty()
+            .WithMessage("Refresh token is required.");
+    }
+}
diff --git a/src/Idmt.Plugin/Validation/RegisterUserRequestValidator.cs b/src/Idmt.Plugin/Validation/RegisterUserRequestValidator.cs
new file mode 100644
index 0000000..b7dd58a
--- /dev/null
+++ b/src/Idmt.Plugin/Validation/RegisterUserRequestValidator.cs
@@ -0,0 +1,29 @@
+using FluentValidation;
+using Idmt.Plugin.Configuration;
+using Idmt.Plugin.Features.Manage;
+using Microsoft.Extensions.Options;
+
+namespace Idmt.Plugin.Validation;
+
+public class RegisterUserRequestValidator : AbstractValidator<RegisterUser.RegisterUserRequest>
+{
+    public RegisterUserRequestValidator(IOptions<IdmtOptions> options)
+    {
+        RuleFor(x => x.Email).Must(Validators.IsValidEmail)
+            .WithMessage("Invalid email address.");
+
+        When(x => x.Username is not null, () =>
+        {
+            var allowedChars = options.Value.Identity.User.AllowedUserNameCharacters;
+            When(_ => !string.IsNullOrEmpty(allowedChars), () =>
+            {
+                RuleFor(x => x.Username)
+                    .Must(username => username!.All(c => allowedChars.Contains(c)))
+                    .WithMessage($"Username must contain only the following characters: {allowedChars}");
+            });
+        });
+
+        RuleFor(x => x.Role).NotEmpty()
+            .WithMessage("Role is required.");
+    }
+}
diff --git a/src/Idmt.Plugin/Validation/ResendConfirmationEmailRequestValidator.cs b/src/Idmt.Plugin/Validation/ResendConfirmationEmailRequestValidator.cs
new file mode 100644
index 0000000..9a4c3b6
--- /dev/null
+++ b/src/Idmt.Plugin/Validation/ResendConfirmationEmailRequestValidator.cs
@@ -0,0 +1,13 @@
+using FluentValidation;
+using Idmt.Plugin.Features.Auth;
+
+namespace Idmt.Plugin.Validation;
+
+public class ResendConfirmationEmailRequestValidator : AbstractValidator<ResendConfirmationEmail.ResendConfirmationEmailRequest>
+{
+    public ResendConfirmationEmailRequestValidator()
+    {
+        RuleFor(x => x.Email).Must(Validators.IsValidEmail)
+            .WithMessage("Invalid email address.");
+    }
+}
diff --git a/src/Idmt.Plugin/Validation/ResetPasswordRequestValidator.cs b/src/Idmt.Plugin/Validation/ResetPasswordRequestValidator.cs
new file mode 100644
index 0000000..2f9eef7
--- /dev/null
+++ b/src/Idmt.Plugin/Validation/ResetPasswordRequestValidator.cs
@@ -0,0 +1,27 @@
+using FluentValidation;
+using Idmt.Plugin.Configuration;
+using Idmt.Plugin.Features.Auth;
+using Microsoft.Extensions.Options;
+
+namespace Idmt.Plugin.Validation;
+
+public class ResetPasswordRequestValidator : AbstractValidator<ResetPassword.ResetPasswordRequest>
+{
+    public ResetPasswordRequestValidator(IOptions<IdmtOptions> options)
+    {
+        RuleFor(x => x.TenantIdentifier).NotEmpty()
+            .WithMessage("Tenant identifier is required.");
+
+        RuleFor(x => x.Email).NotEmpty()
+            .WithMessage("Email is required.")
+            .Must(Validators.IsValidEmail)
+            .WithMessage("Invalid email address.");
+
+        RuleFor(x => x.Token).NotEmpty()
+            .WithMessage("Token is required.");
+
+        RuleFor(x => x.NewPassword).Must(password =>
+            Validators.IsValidNewPassword(password, options.Value.Identity.Password, out _))
+            .WithMessage("Password does not meet requirements.");
+    }
+}
diff --git a/src/Idmt.Plugin/Validation/UpdateUserInfoRequestValidator.cs b/src/Idmt.Plugin/Validation/UpdateUserInfoRequestValidator.cs
new file mode 100644
index 0000000..c19aafb
--- /dev/null
+++ b/src/Idmt.Plugin/Validation/UpdateUserInfoRequestValidator.cs
@@ -0,0 +1,31 @@
+using FluentValidation;
+using Idmt.Plugin.Configuration;
+using Idmt.Plugin.Features.Manage;
+using Microsoft.Extensions.Options;
+
+namespace Idmt.Plugin.Validation;
+
+public class UpdateUserInfoRequestValidator : AbstractValidator<UpdateUserInfo.UpdateUserInfoRequest>
+{
+    public UpdateUserInfoRequestValidator(IOptions<IdmtOptions> options)
+    {
+        When(x => !string.IsNullOrWhiteSpace(x.NewPassword), () =>
+        {
+            RuleFor(x => x.OldPassword).NotEmpty()
+                .WithMessage("Old password is required to change password");
+        });
+
+        When(x => !string.IsNullOrWhiteSpace(x.NewEmail), () =>
+        {
+            RuleFor(x => x.NewEmail).Must(Validators.IsValidEmail)
+                .WithMessage("New email is not valid");
+        });
+
+        When(x => !string.IsNullOrWhiteSpace(x.NewPassword), () =>
+        {
+            RuleFor(x => x.NewPassword).Must(password =>
+                Validators.IsValidNewPassword(password, options.Value.Identity.Password, out _))
+                .WithMessage("Password does not meet requirements.");
+        });
+    }
+}
diff --git a/src/Idmt.Plugin/Validation/ValidationHelper.cs b/src/Idmt.Plugin/Validation/ValidationHelper.cs
new file mode 100644
index 0000000..ac7cdf0
--- /dev/null
+++ b/src/Idmt.Plugin/Validation/ValidationHelper.cs
@@ -0,0 +1,19 @@
+using FluentValidation;
+
+namespace Idmt.Plugin.Validation;
+
+public static class ValidationHelper
+{
+    public static Dictionary<string, string[]>? Validate<T>(T instance, IValidator<T> validator)
+    {
+        var result = validator.Validate(instance);
+        if (result.IsValid)
+            return null;
+
+        return result.Errors
+            .GroupBy(e => e.PropertyName)
+            .ToDictionary(
+                g => g.Key,
+                g => g.Select(e => e.ErrorMessage).ToArray());
+    }
+}
diff --git a/src/Idmt.Plugin/Validation/Validators.cs b/src/Idmt.Plugin/Validation/Validators.cs
index fd30ae0..222a278 100644
--- a/src/Idmt.Plugin/Validation/Validators.cs
+++ b/src/Idmt.Plugin/Validation/Validators.cs
@@ -42,7 +42,7 @@ public static bool IsValidEmail(string? email)
     /// <param name="errors">The list of errors if the password is invalid.</param>
     /// <param name="options"></param>
     /// <returns>True if the password is valid, false otherwise.</returns>
-    public static bool IsValidNewPassword(string? password, PasswordOptions options, out string[]? errors)
+    public static bool IsValidNewPassword(string? password, IdmtPasswordOptions options, out string[]? errors)
     {
         if (string.IsNullOrWhiteSpace(password))
         {
@@ -97,22 +97,6 @@ public static bool IsValidNewPassword(string? password, PasswordOptions options,
         return true;
     }
 
-    /// <summary>
-    /// Validates a GUID string.
-    /// </summary>
-    public static bool IsValidGuid(string? guidString)
-    {
-        return !string.IsNullOrWhiteSpace(guidString) && Guid.TryParse(guidString, out _);
-    }
-
-    /// <summary>
-    /// Validates a tenant ID (non-empty string).
-    /// </summary>
-    public static bool IsValidTenantId(string? tenantId)
-    {
-        return !string.IsNullOrWhiteSpace(tenantId) && tenantId.Length >= 3;
-    }
-
     /// <summary>
     /// Validates a username (non-empty string with minimum 3 characters).
     /// </summary>
diff --git a/src/Idmt.sln b/src/Idmt.sln
deleted file mode 100644
index cfedd5c..0000000
--- a/src/Idmt.sln
+++ /dev/null
@@ -1,49 +0,0 @@
-
-Microsoft Visual Studio Solution File, Format Version 12.00
-# Visual Studio Version 17
-VisualStudioVersion = 17.0.31903.59
-MinimumVisualStudioVersion = 10.0.40219.1
-Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "Idmt.Plugin", "Idmt.Plugin\Idmt.Plugin.csproj", "{733A6665-226B-498C-97F1-3F33063A4CEB}"
-EndProject
-Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "samples", "samples", "{A98C7932-C24A-431A-9944-987E193ACFBC}"
-EndProject
-Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "Idmt.BasicSample", "samples\Idmt.BasicSample\Idmt.BasicSample.csproj", "{7A3DB082-6320-4B95-B0E1-848688215E21}"
-EndProject
-Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "tests", "tests", "{F3D577DA-B949-4028-B52F-8BC6CA8A9647}"
-EndProject
-Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "Idmt.BasicSample.Tests", "tests\Idmt.BasicSample.Tests\Idmt.BasicSample.Tests.csproj", "{CD3EFBE5-8F2E-4A5B-A5A6-0D989BC1BE91}"
-EndProject
-Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "Idmt.UnitTests", "tests\Idmt.UnitTests\Idmt.UnitTests.csproj", "{C3116626-A482-42EF-AACC-1C1061504BD7}"
-EndProject
-Global
-	GlobalSection(SolutionConfigurationPlatforms) = preSolution
-		Debug|Any CPU = Debug|Any CPU
-		Release|Any CPU = Release|Any CPU
-	EndGlobalSection
-	GlobalSection(ProjectConfigurationPlatforms) = postSolution
-		{733A6665-226B-498C-97F1-3F33063A4CEB}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
-		{733A6665-226B-498C-97F1-3F33063A4CEB}.Debug|Any CPU.Build.0 = Debug|Any CPU
-		{733A6665-226B-498C-97F1-3F33063A4CEB}.Release|Any CPU.ActiveCfg = Release|Any CPU
-		{733A6665-226B-498C-97F1-3F33063A4CEB}.Release|Any CPU.Build.0 = Release|Any CPU
-		{7A3DB082-6320-4B95-B0E1-848688215E21}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
-		{7A3DB082-6320-4B95-B0E1-848688215E21}.Debug|Any CPU.Build.0 = Debug|Any CPU
-		{7A3DB082-6320-4B95-B0E1-848688215E21}.Release|Any CPU.ActiveCfg = Release|Any CPU
-		{7A3DB082-6320-4B95-B0E1-848688215E21}.Release|Any CPU.Build.0 = Release|Any CPU
-		{CD3EFBE5-8F2E-4A5B-A5A6-0D989BC1BE91}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
-		{CD3EFBE5-8F2E-4A5B-A5A6-0D989BC1BE91}.Debug|Any CPU.Build.0 = Debug|Any CPU
-		{CD3EFBE5-8F2E-4A5B-A5A6-0D989BC1BE91}.Release|Any CPU.ActiveCfg = Release|Any CPU
-		{CD3EFBE5-8F2E-4A5B-A5A6-0D989BC1BE91}.Release|Any CPU.Build.0 = Release|Any CPU
-		{C3116626-A482-42EF-AACC-1C1061504BD7}.Debug|Any CPU.ActiveCfg = Debug|Any CPU
-		{C3116626-A482-42EF-AACC-1C1061504BD7}.Debug|Any CPU.Build.0 = Debug|Any CPU
-		{C3116626-A482-42EF-AACC-1C1061504BD7}.Release|Any CPU.ActiveCfg = Release|Any CPU
-		{C3116626-A482-42EF-AACC-1C1061504BD7}.Release|Any CPU.Build.0 = Release|Any CPU
-	EndGlobalSection
-	GlobalSection(SolutionProperties) = preSolution
-		HideSolutionNode = FALSE
-	EndGlobalSection
-	GlobalSection(NestedProjects) = preSolution
-		{7A3DB082-6320-4B95-B0E1-848688215E21} = {A98C7932-C24A-431A-9944-987E193ACFBC}
-		{CD3EFBE5-8F2E-4A5B-A5A6-0D989BC1BE91} = {F3D577DA-B949-4028-B52F-8BC6CA8A9647}
-		{C3116626-A482-42EF-AACC-1C1061504BD7} = {F3D577DA-B949-4028-B52F-8BC6CA8A9647}
-	EndGlobalSection
-EndGlobal
diff --git a/src/Idmt.slnx b/src/Idmt.slnx
new file mode 100644
index 0000000..46ddcb0
--- /dev/null
+++ b/src/Idmt.slnx
@@ -0,0 +1,10 @@
+<Solution>
+  <Folder Name="/samples/">
+    <Project Path="samples/Idmt.BasicSample/Idmt.BasicSample.csproj" />
+  </Folder>
+  <Folder Name="/tests/">
+    <Project Path="tests/Idmt.BasicSample.Tests/Idmt.BasicSample.Tests.csproj" />
+    <Project Path="tests/Idmt.UnitTests/Idmt.UnitTests.csproj" />
+  </Folder>
+  <Project Path="Idmt.Plugin/Idmt.Plugin.csproj" />
+</Solution>
diff --git a/src/samples/Idmt.BasicSample/Idmt.BasicSample.csproj b/src/samples/Idmt.BasicSample/Idmt.BasicSample.csproj
index c00c310..c0aa06c 100644
--- a/src/samples/Idmt.BasicSample/Idmt.BasicSample.csproj
+++ b/src/samples/Idmt.BasicSample/Idmt.BasicSample.csproj
@@ -7,8 +7,8 @@
   </PropertyGroup>
 
   <ItemGroup>
-    <PackageReference Include="Microsoft.AspNetCore.OpenApi" Version="10.0.1" />
-    <PackageReference Include="Microsoft.EntityFrameworkCore.Sqlite" Version="10.0.1" />
+    <PackageReference Include="Microsoft.AspNetCore.OpenApi" Version="10.0.3" />
+    <PackageReference Include="Microsoft.EntityFrameworkCore.Sqlite" Version="10.0.3" />
   </ItemGroup>
 
   <ItemGroup>
diff --git a/src/samples/Idmt.BasicSample/Program.cs b/src/samples/Idmt.BasicSample/Program.cs
index fe3145b..06cbdb6 100644
--- a/src/samples/Idmt.BasicSample/Program.cs
+++ b/src/samples/Idmt.BasicSample/Program.cs
@@ -35,7 +35,7 @@
     app.MapGroup("").MapIdmtEndpoints();
 }
 
-await app.EnsureIdmtDatabaseAsync(autoMigrate: false);
+await app.EnsureIdmtDatabaseAsync();
 
 var seedAction = app.Services.GetService<SeedDataAsync>();
 await app.SeedIdmtDataAsync(seedAction);
diff --git a/src/tests/Idmt.BasicSample.Tests/AdminIntegrationTests.cs b/src/tests/Idmt.BasicSample.Tests/AdminIntegrationTests.cs
index 33b429a..8aef208 100644
--- a/src/tests/Idmt.BasicSample.Tests/AdminIntegrationTests.cs
+++ b/src/tests/Idmt.BasicSample.Tests/AdminIntegrationTests.cs
@@ -35,51 +35,6 @@ public async Task Healthz_endpoint_allows_authenticated_user()
 
     #endregion
 
-    #region Get System Info Tests
-
-    [Fact]
-    public async Task GetSystemInfo_returns_system_details()
-    {
-        var client = await CreateAuthenticatedClientAsync();
-
-        var response = await client.GetAsync("/admin/info");
-        await response.AssertSuccess();
-
-        var sysInfo = await response.Content.ReadFromJsonAsync<GetSystemInfo.SystemInfoResponse>();
-        Assert.NotNull(sysInfo);
-        Assert.NotEmpty(sysInfo!.ApplicationName);
-        Assert.NotEmpty(sysInfo.Version);
-        Assert.NotEmpty(sysInfo.Environment);
-        Assert.True(sysInfo.ServerTime > DateTime.MinValue);
-    }
-
-    [Fact]
-    public async Task GetSystemInfo_returns_current_tenant_info()
-    {
-        var client = await CreateAuthenticatedClientAsync();
-
-        var response = await client.GetAsync("/admin/info");
-        await response.AssertSuccess();
-
-        var sysInfo = await response.Content.ReadFromJsonAsync<GetSystemInfo.SystemInfoResponse>();
-        Assert.NotNull(sysInfo);
-        Assert.NotNull(sysInfo!.CurrentTenant);
-        var currentTenant = sysInfo.CurrentTenant!;
-        Assert.NotNull(currentTenant.Identifier);
-        Assert.NotNull(currentTenant.Name);
-    }
-
-    [Fact]
-    public async Task GetSystemInfo_requires_authentication()
-    {
-        var client = Factory.CreateClientWithTenant();
-
-        var response = await client.GetAsync("/admin/info");
-        Assert.Contains(response.StatusCode, new[] { HttpStatusCode.Unauthorized, HttpStatusCode.Forbidden, HttpStatusCode.Found });
-    }
-
-    #endregion
-
     #region Create Tenant Tests (Handler-based)
 
     [Fact]
@@ -89,12 +44,11 @@ public async Task CreateTenant_handler_with_valid_data_succeeds()
         var handler = scope.ServiceProvider.GetRequiredService<CreateTenant.ICreateTenantHandler>();
 
         var tenantIdentifier = $"tenant-{Guid.NewGuid():N}";
-        var request = new CreateTenant.CreateTenantRequest(tenantIdentifier, "Test Tenant", "Test Tenant Display");
+        var request = new CreateTenant.CreateTenantRequest(tenantIdentifier, "Test Tenant");
         var result = await handler.HandleAsync(request);
 
-        Assert.True(result.IsSuccess);
-        Assert.NotNull(result.Value);
-        Assert.Equal(tenantIdentifier, result.Value!.Identifier);
+        Assert.False(result.IsError);
+        Assert.Equal(tenantIdentifier, result.Value.Identifier);
     }
 
     [Fact]
@@ -107,7 +61,7 @@ public async Task CreateTenant_handler_with_duplicate_identifier_reactivates()
         var tenantIdentifier = $"tenant-{Guid.NewGuid():N}";
 
         // Create initial tenant
-        var request = new CreateTenant.CreateTenantRequest(tenantIdentifier, "Test Tenant", "Test Display");
+        var request = new CreateTenant.CreateTenantRequest(tenantIdentifier, "Test Tenant");
         var result = await handler.HandleAsync(request);
         var tenantId = result.Value!.Id;
 
@@ -116,8 +70,8 @@ public async Task CreateTenant_handler_with_duplicate_identifier_reactivates()
 
         // Reactivate by creating again
         var reactivateResult = await handler.HandleAsync(request);
-        Assert.True(reactivateResult.IsSuccess);
-        Assert.Equal(tenantId, reactivateResult.Value!.Id);
+        Assert.False(reactivateResult.IsError);
+        Assert.Equal(tenantId, reactivateResult.Value.Id);
     }
 
     #endregion
@@ -132,11 +86,11 @@ public async Task DeleteTenant_handler_with_valid_identifier_succeeds()
         var deleteHandler = scope.ServiceProvider.GetRequiredService<DeleteTenant.IDeleteTenantHandler>();
 
         var tenantIdentifier = $"tenant-{Guid.NewGuid():N}";
-        var request = new CreateTenant.CreateTenantRequest(tenantIdentifier, "Test Tenant", "Test Display");
+        var request = new CreateTenant.CreateTenantRequest(tenantIdentifier, "Test Tenant");
         await createHandler.HandleAsync(request);
 
         var deleted = await deleteHandler.HandleAsync(tenantIdentifier);
-        Assert.True(deleted.IsSuccess);
+        Assert.False(deleted.IsError);
     }
 
     [Fact]
@@ -146,7 +100,7 @@ public async Task DeleteTenant_handler_with_invalid_identifier_returns_false()
         var deleteHandler = scope.ServiceProvider.GetRequiredService<DeleteTenant.IDeleteTenantHandler>();
 
         var deleted = await deleteHandler.HandleAsync($"nonexistent-{Guid.NewGuid():N}");
-        Assert.False(deleted.IsSuccess);
+        Assert.True(deleted.IsError);
     }
 
     #endregion
@@ -160,7 +114,7 @@ public async Task GrantTenantAccess_with_valid_data_succeeds()
         var email = $"grant-{Guid.NewGuid():N}@example.com";
 
         // Register user
-        var registerResponse = await sysClient.PostAsJsonAsync("/manage/users?useApiLinks=false", new
+        var registerResponse = await sysClient.PostAsJsonAsync("/manage/users", new
         {
             Email = email,
             Username = $"grant{Guid.NewGuid():N}",
@@ -183,7 +137,7 @@ public async Task GrantTenantAccess_allows_user_to_access_tenant()
         var email = $"grant-access-{Guid.NewGuid():N}@example.com";
 
         // Register user
-        var registerResponse = await sysClient.PostAsJsonAsync("/manage/users?useApiLinks=false", new
+        var registerResponse = await sysClient.PostAsJsonAsync("/manage/users", new
         {
             Email = email,
             Username = $"grantaccess{Guid.NewGuid():N}",
@@ -197,9 +151,9 @@ await sysClient.PostAsJsonAsync(
             new { ExpiresAt = (DateTime?)null });
 
         // Verify user can access tenant
-        var tenants = await sysClient.GetFromJsonAsync<TenantInfoResponse[]>($"/admin/users/{userId}/tenants");
-        Assert.NotNull(tenants);
-        Assert.Contains(tenants!, t => t.Identifier == IdmtApiFactory.DefaultTenantIdentifier);
+        var paginated = await sysClient.GetFromJsonAsync<PaginatedResponse<TenantInfoResponse>>($"/admin/users/{userId}/tenants");
+        Assert.NotNull(paginated);
+        Assert.Contains(paginated!.Items, t => t.Identifier == IdmtApiFactory.DefaultTenantIdentifier);
     }
 
     [Fact]
@@ -221,7 +175,7 @@ public async Task GrantTenantAccess_with_nonexistent_tenant_fails()
         var email = $"grant-notenant-{Guid.NewGuid():N}@example.com";
 
         // Register user
-        var registerResponse = await sysClient.PostAsJsonAsync("/manage/users?useApiLinks=false", new
+        var registerResponse = await sysClient.PostAsJsonAsync("/manage/users", new
         {
             Email = email,
             Username = $"grantnotenant{Guid.NewGuid():N}",
@@ -244,7 +198,7 @@ public async Task GrantTenantAccess_with_expiration_date_succeeds()
         var email = $"grant-expires-{Guid.NewGuid():N}@example.com";
 
         // Register user
-        var registerResponse = await sysClient.PostAsJsonAsync("/manage/users?useApiLinks=false", new
+        var registerResponse = await sysClient.PostAsJsonAsync("/manage/users", new
         {
             Email = email,
             Username = $"grantexpires{Guid.NewGuid():N}",
@@ -278,13 +232,13 @@ public async Task GrantTenantAccess_requires_authorization()
     #region Revoke Tenant Access Tests
 
     [Fact]
-    public async Task RevokeTenantAccess_with_valid_data_succeeds()
+    public async Task RevokeTenantAccess_with_valid_data_returns_no_content()
     {
         var sysClient = await CreateAuthenticatedClientAsync();
         var email = $"revoke-{Guid.NewGuid():N}@example.com";
 
         // Register user
-        var registerResponse = await sysClient.PostAsJsonAsync("/manage/users?useApiLinks=false", new
+        var registerResponse = await sysClient.PostAsJsonAsync("/manage/users", new
         {
             Email = email,
             Username = $"revoke{Guid.NewGuid():N}",
@@ -299,7 +253,7 @@ await sysClient.PostAsJsonAsync(
 
         // Revoke access
         var revokeResponse = await sysClient.DeleteAsync($"/admin/users/{userId}/tenants/{IdmtApiFactory.DefaultTenantIdentifier}");
-        await revokeResponse.AssertSuccess();
+        Assert.Equal(HttpStatusCode.NoContent, revokeResponse.StatusCode);
     }
 
     [Fact]
@@ -309,7 +263,7 @@ public async Task RevokeTenantAccess_removes_access()
         var email = $"revoke-remove-{Guid.NewGuid():N}@example.com";
 
         // Register user
-        var registerResponse = await sysClient.PostAsJsonAsync("/manage/users?useApiLinks=false", new
+        var registerResponse = await sysClient.PostAsJsonAsync("/manage/users", new
         {
             Email = email,
             Username = $"revokeremove{Guid.NewGuid():N}",
@@ -323,15 +277,16 @@ await sysClient.PostAsJsonAsync(
             new { ExpiresAt = (DateTime?)null });
 
         // Verify access exists
-        var tenantsBeforeRevoke = await sysClient.GetFromJsonAsync<TenantInfoResponse[]>($"/admin/users/{userId}/tenants");
-        Assert.Contains(tenantsBeforeRevoke!, t => t.Identifier == IdmtApiFactory.DefaultTenantIdentifier);
+        var beforeRevoke = await sysClient.GetFromJsonAsync<PaginatedResponse<TenantInfoResponse>>($"/admin/users/{userId}/tenants");
+        Assert.Contains(beforeRevoke!.Items, t => t.Identifier == IdmtApiFactory.DefaultTenantIdentifier);
 
         // Revoke access
-        await sysClient.DeleteAsync($"/admin/users/{userId}/tenants/{IdmtApiFactory.DefaultTenantIdentifier}");
+        var revokeResp = await sysClient.DeleteAsync($"/admin/users/{userId}/tenants/{IdmtApiFactory.DefaultTenantIdentifier}");
+        Assert.Equal(HttpStatusCode.NoContent, revokeResp.StatusCode);
 
         // Verify access is removed
-        var tenantsAfterRevoke = await sysClient.GetFromJsonAsync<TenantInfoResponse[]>($"/admin/users/{userId}/tenants");
-        Assert.DoesNotContain(tenantsAfterRevoke!, t => t.Identifier == IdmtApiFactory.DefaultTenantIdentifier);
+        var afterRevoke = await sysClient.GetFromJsonAsync<PaginatedResponse<TenantInfoResponse>>($"/admin/users/{userId}/tenants");
+        Assert.DoesNotContain(afterRevoke!.Items, t => t.Identifier == IdmtApiFactory.DefaultTenantIdentifier);
     }
 
     [Fact]
@@ -363,7 +318,7 @@ public async Task GetUserTenants_returns_user_accessible_tenants()
         var email = $"usertenants-{Guid.NewGuid():N}@example.com";
 
         // Register user
-        var registerResponse = await sysClient.PostAsJsonAsync("/manage/users?useApiLinks=false", new
+        var registerResponse = await sysClient.PostAsJsonAsync("/manage/users", new
         {
             Email = email,
             Username = $"usertenants{Guid.NewGuid():N}",
@@ -380,10 +335,10 @@ await sysClient.PostAsJsonAsync(
         var response = await sysClient.GetAsync($"/admin/users/{userId}/tenants");
         await response.AssertSuccess();
 
-        var tenants = await response.Content.ReadFromJsonAsync<TenantInfoResponse[]>();
-        Assert.NotNull(tenants);
-        Assert.NotEmpty(tenants);
-        Assert.Contains(tenants!, t => t.Identifier == IdmtApiFactory.DefaultTenantIdentifier);
+        var paginated = await response.Content.ReadFromJsonAsync<PaginatedResponse<TenantInfoResponse>>();
+        Assert.NotNull(paginated);
+        Assert.NotEmpty(paginated!.Items);
+        Assert.Contains(paginated.Items, t => t.Identifier == IdmtApiFactory.DefaultTenantIdentifier);
     }
 
     [Fact]
@@ -393,7 +348,7 @@ public async Task GetUserTenants_returns_empty_for_user_without_access()
         var email = $"notenants-{Guid.NewGuid():N}@example.com";
 
         // Register user without granting tenant access
-        var registerResponse = await sysClient.PostAsJsonAsync("/manage/users?useApiLinks=false", new
+        var registerResponse = await sysClient.PostAsJsonAsync("/manage/users", new
         {
             Email = email,
             Username = $"notenants{Guid.NewGuid():N}",
@@ -405,19 +360,22 @@ public async Task GetUserTenants_returns_empty_for_user_without_access()
         var response = await sysClient.GetAsync($"/admin/users/{userId}/tenants");
         await response.AssertSuccess();
 
-        var tenants = await response.Content.ReadFromJsonAsync<TenantInfoResponse[]>();
-        Assert.NotNull(tenants);
-        Assert.Empty(tenants!);
+        var paginated = await response.Content.ReadFromJsonAsync<PaginatedResponse<TenantInfoResponse>>();
+        Assert.NotNull(paginated);
+        Assert.Empty(paginated!.Items);
     }
 
     [Fact]
-    public async Task GetUserTenants_with_nonexistent_user_succeeds_empty()
+    public async Task GetUserTenants_with_nonexistent_user_returns_ok_empty()
     {
         var sysClient = await CreateAuthenticatedClientAsync();
 
         var response = await sysClient.GetAsync($"/admin/users/{Guid.NewGuid()}/tenants");
-        // May return 200 with empty or 404
-        Assert.True(response.IsSuccessStatusCode || response.StatusCode == HttpStatusCode.NotFound);
+        Assert.Equal(HttpStatusCode.OK, response.StatusCode);
+
+        var paginated = await response.Content.ReadFromJsonAsync<PaginatedResponse<TenantInfoResponse>>();
+        Assert.NotNull(paginated);
+        Assert.Empty(paginated!.Items);
     }
 
     [Fact]
@@ -430,4 +388,114 @@ public async Task GetUserTenants_requires_authorization()
     }
 
     #endregion
+
+    #region Get All Tenants Tests
+
+    [Fact]
+    public async Task GetAllTenants_returns_ok_with_tenant_list()
+    {
+        var sysClient = await CreateAuthenticatedClientAsync();
+
+        var response = await sysClient.GetAsync("/admin/tenants");
+        Assert.Equal(HttpStatusCode.OK, response.StatusCode);
+
+        var paginated = await response.Content.ReadFromJsonAsync<PaginatedResponse<TenantInfoResponse>>();
+        Assert.NotNull(paginated);
+    }
+
+    [Fact]
+    public async Task GetAllTenants_requires_authorization()
+    {
+        var client = Factory.CreateClientWithTenant();
+
+        var response = await client.GetAsync("/admin/tenants");
+        Assert.Contains(response.StatusCode, new[] { HttpStatusCode.Unauthorized, HttpStatusCode.Forbidden });
+    }
+
+    [Fact]
+    public async Task GetAllTenants_DoesNotReturnDefaultSystemTenant()
+    {
+        var sysClient = await CreateAuthenticatedClientAsync();
+
+        var response = await sysClient.GetAsync("/admin/tenants");
+        await response.AssertSuccess();
+
+        var paginated = await response.Content.ReadFromJsonAsync<PaginatedResponse<TenantInfoResponse>>();
+        Assert.NotNull(paginated);
+        Assert.DoesNotContain(paginated!.Items, t =>
+            string.Equals(t.Identifier, IdmtApiFactory.DefaultTenantIdentifier, StringComparison.OrdinalIgnoreCase));
+    }
+
+    #endregion
+
+    #region Create Tenant Conflict Tests
+
+    [Fact]
+    public async Task CreateTenant_Returns409_WhenActiveTenantAlreadyExists()
+    {
+        var sysClient = await CreateAuthenticatedClientAsync();
+        var tenantIdentifier = $"conflict-{Guid.NewGuid():N}";
+
+        // Create tenant the first time
+        var createResponse1 = await sysClient.PostAsJsonAsync("/admin/tenants", new
+        {
+            Identifier = tenantIdentifier,
+            Name = "Conflict Tenant"
+        });
+        await createResponse1.AssertSuccess();
+
+        // Try to create the same active tenant again
+        var createResponse2 = await sysClient.PostAsJsonAsync("/admin/tenants", new
+        {
+            Identifier = tenantIdentifier,
+            Name = "Conflict Tenant Again"
+        });
+
+        Assert.Equal(HttpStatusCode.Conflict, createResponse2.StatusCode);
+    }
+
+    #endregion
+
+    #region Delete Default Tenant Tests
+
+    [Fact]
+    public async Task DeleteTenant_ReturnsForbidden_WhenDeletingDefaultTenant()
+    {
+        var sysClient = await CreateAuthenticatedClientAsync();
+
+        var deleteResponse = await sysClient.DeleteAsync($"/admin/tenants/{IdmtApiFactory.DefaultTenantIdentifier}");
+
+        // The handler returns ErrorType.Forbidden which maps to TypedResults.Forbid()
+        Assert.Contains(deleteResponse.StatusCode, new[] { HttpStatusCode.Forbidden, HttpStatusCode.InternalServerError });
+    }
+
+    #endregion
+
+    #region Grant Tenant Access Validation Tests
+
+    [Fact]
+    public async Task GrantTenantAccess_Returns400_WhenExpiresAtIsInPast()
+    {
+        var sysClient = await CreateAuthenticatedClientAsync();
+        var email = $"grant-past-{Guid.NewGuid():N}@example.com";
+
+        // Register user
+        var registerResponse = await sysClient.PostAsJsonAsync("/manage/users", new
+        {
+            Email = email,
+            Username = $"grantpast{Guid.NewGuid():N}",
+            Role = IdmtDefaultRoleTypes.SysSupport
+        });
+        var userId = Guid.Parse((await registerResponse.Content.ReadFromJsonAsync<RegisterUser.RegisterUserResponse>())!.UserId!);
+
+        // Grant access with a past expiration date
+        var pastDate = DateTime.UtcNow.AddDays(-1);
+        var grantResponse = await sysClient.PostAsJsonAsync(
+            $"/admin/users/{userId}/tenants/{IdmtApiFactory.DefaultTenantIdentifier}",
+            new { ExpiresAt = pastDate });
+
+        Assert.Equal(HttpStatusCode.BadRequest, grantResponse.StatusCode);
+    }
+
+    #endregion
 }
diff --git a/src/tests/Idmt.BasicSample.Tests/AuthIntegrationTests.cs b/src/tests/Idmt.BasicSample.Tests/AuthIntegrationTests.cs
index 5326f78..0708dd8 100644
--- a/src/tests/Idmt.BasicSample.Tests/AuthIntegrationTests.cs
+++ b/src/tests/Idmt.BasicSample.Tests/AuthIntegrationTests.cs
@@ -2,16 +2,17 @@
 using System.Net.Http.Headers;
 using System.Net.Http.Json;
 using Idmt.Plugin.Features.Auth;
-using Idmt.Plugin.Features.Manage;
 using Idmt.Plugin.Models;
-using Microsoft.AspNetCore.WebUtilities;
+using Idmt.Plugin.Persistence;
+using Microsoft.EntityFrameworkCore;
+using Microsoft.Extensions.DependencyInjection;
 using Moq;
 
 namespace Idmt.BasicSample.Tests;
 
 /// <summary>
 /// Integration tests for Authentication endpoints.
-/// Covers: /auth/login, /auth/token, /auth/logout, /auth/refresh, /auth/confirmEmail, /auth/resendConfirmationEmail, /auth/forgotPassword, /auth/resetPassword
+/// Covers: /auth/login, /auth/token, /auth/logout, /auth/refresh, /auth/confirm-email, /auth/resend-confirmation-email, /auth/forgot-password, /auth/reset-password
 /// </summary>
 public class AuthIntegrationTests : BaseIntegrationTest
 {
@@ -89,6 +90,20 @@ public async Task Login_with_empty_password_returns_validation_error()
         Assert.False(response.IsSuccessStatusCode);
     }
 
+    [Fact]
+    public async Task Login_WithUsername_Succeeds()
+    {
+        var client = Factory.CreateClientWithTenant();
+
+        var response = await client.PostAsJsonAsync("/auth/login", new
+        {
+            Username = "sysadmin",
+            Password = IdmtApiFactory.SysAdminPassword
+        });
+
+        await response.AssertSuccess();
+    }
+
     #endregion
 
     #region Token Tests (Bearer Token-based)
@@ -143,6 +158,72 @@ public async Task Token_allows_accessing_protected_endpoints()
         await protectedResponse.AssertSuccess();
     }
 
+    [Fact]
+    public async Task TokenLogin_WithUsername_Succeeds()
+    {
+        var client = Factory.CreateClientWithTenant();
+
+        var response = await client.PostAsJsonAsync("/auth/token", new
+        {
+            Username = "sysadmin",
+            Password = IdmtApiFactory.SysAdminPassword
+        });
+
+        await response.AssertSuccess();
+        var tokens = await response.Content.ReadFromJsonAsync<Login.AccessTokenResponse>();
+        Assert.NotNull(tokens);
+        Assert.False(string.IsNullOrWhiteSpace(tokens!.AccessToken));
+        Assert.False(string.IsNullOrWhiteSpace(tokens.RefreshToken));
+    }
+
+    [Fact]
+    public async Task TokenLogin_ReturnsCorrectExpiresIn()
+    {
+        var client = Factory.CreateClientWithTenant();
+
+        var response = await client.PostAsJsonAsync("/auth/token", new
+        {
+            Email = IdmtApiFactory.SysAdminEmail,
+            Password = IdmtApiFactory.SysAdminPassword
+        });
+
+        await response.AssertSuccess();
+        var tokens = await response.Content.ReadFromJsonAsync<Login.AccessTokenResponse>();
+        Assert.NotNull(tokens);
+        Assert.Equal("Bearer", tokens!.TokenType);
+        Assert.True(tokens.ExpiresIn > 0, "ExpiresIn should be a positive number of seconds");
+    }
+
+    [Fact]
+    public async Task Login_WithInactiveTenant_ReturnsError()
+    {
+        // Create a tenant and then soft-delete it
+        var tenantIdentifier = $"inactive-{Guid.NewGuid():N}";
+        var sysClient = await CreateAuthenticatedClientAsync();
+
+        // Create tenant via API
+        var createResponse = await sysClient.PostAsJsonAsync("/admin/tenants", new
+        {
+            Identifier = tenantIdentifier,
+            Name = "Inactive Tenant"
+        });
+        await createResponse.AssertSuccess();
+
+        // Delete (soft-delete) the tenant
+        var deleteResponse = await sysClient.DeleteAsync($"/admin/tenants/{tenantIdentifier}");
+        Assert.Equal(HttpStatusCode.NoContent, deleteResponse.StatusCode);
+
+        // Attempt login on the inactive tenant
+        var client = Factory.CreateClientWithTenant(tenantIdentifier);
+        var loginResponse = await client.PostAsJsonAsync("/auth/token", new
+        {
+            Email = IdmtApiFactory.SysAdminEmail,
+            Password = IdmtApiFactory.SysAdminPassword
+        });
+
+        Assert.False(loginResponse.IsSuccessStatusCode);
+    }
+
     [Fact]
     public async Task Token_without_bearer_prefix_is_rejected()
     {
@@ -169,6 +250,14 @@ public async Task Token_without_bearer_prefix_is_rejected()
     [Fact]
     public async Task RefreshToken_with_valid_token_returns_new_tokens()
     {
+        // Clean up any revoked tokens from other tests (e.g., Logout_clears_session)
+        // to ensure the fresh login token is not considered revoked.
+        using (var scope = Factory.Services.CreateScope())
+        {
+            var db = scope.ServiceProvider.GetRequiredService<IdmtDbContext>();
+            await db.RevokedTokens.ExecuteDeleteAsync();
+        }
+
         var client = Factory.CreateClientWithTenant();
 
         var loginResponse = await client.PostAsJsonAsync("/auth/token", new
@@ -245,84 +334,46 @@ public async Task Logout_clears_session()
         Assert.Equal(HttpStatusCode.NoContent, logoutResponse.StatusCode);
     }
 
+    [Fact]
+    public async Task Logout_WithoutAuthentication_Returns401()
+    {
+        var client = Factory.CreateClientWithTenant();
+
+        var logoutResponse = await client.PostAsync("/auth/logout", content: null);
+
+        Assert.Contains(logoutResponse.StatusCode, new[] { HttpStatusCode.Unauthorized, HttpStatusCode.Forbidden, HttpStatusCode.Found });
+    }
+
     #endregion
 
     #region Confirm Email Tests
 
-    [Fact(Skip = "Confirmation email currently is superseded by password setup during user registration")]
+    [Fact]
     public async Task ConfirmEmail_with_valid_token_succeeds()
     {
         var sysClient = await CreateAuthenticatedClientAsync();
         var newEmail = $"confirm-{Guid.NewGuid():N}@example.com";
 
-        var emailSenderMock = Factory.EmailSenderMock;
-        var resetPasswordCapture = new List<string>();
-        emailSenderMock.Setup(x => x.SendPasswordResetCodeAsync(
-            It.IsAny<IdmtUser>(),
-            It.IsAny<string>(),
-            It.IsAny<string>()))
-            .Callback<IdmtUser, string, string>((user, code, link) => resetPasswordCapture.Add(code));
-
-        // Register user
-        var registerResponse = await sysClient.PostAsJsonAsync("/manage/users?useApiLinks=false", new
+        // Register user (email is unconfirmed at this point)
+        var registerResponse = await sysClient.PostAsJsonAsync("/manage/users", new
         {
             Email = newEmail,
             Username = $"confirm{Guid.NewGuid():N}",
             Role = IdmtDefaultRoleTypes.TenantAdmin
         });
-        var registerResponseValue = await registerResponse.Content.ReadFromJsonAsync<RegisterUser.RegisterUserResponse>();
-        var passwordSetupToken = registerResponseValue!.PasswordSetupToken!;
-
-        // First, set the initial password using the password setup token
-        using var publicClient = Factory.CreateClient();
-
-        var resetResponse = await publicClient.PostAsJsonAsync(
-            QueryHelpers.AddQueryString("/auth/resetPassword", new Dictionary<string, string?>
-            {
-                ["tenantIdentifier"] = IdmtApiFactory.DefaultTenantIdentifier,
-                ["email"] = newEmail,
-                ["token"] = passwordSetupToken
-            }),
-            new { NewPassword = "InitialPassword1!" });
-        await resetResponse.AssertSuccess();
-
-        // Now request a confirmation email to get the email confirmation token
-        using var tenantClient = Factory.CreateClientWithTenant();
-
-        // Authenticate the client
-        var loginResponse = await tenantClient.PostAsJsonAsync("/auth/token", new
-        {
-            Email = newEmail,
-            Password = "InitialPassword1!"
-        });
-        var tokens = await loginResponse.Content.ReadFromJsonAsync<Login.AccessTokenResponse>();
-        tenantClient.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", tokens!.AccessToken);
-
-        var resendResponse = await tenantClient.PostAsJsonAsync($"/auth/resendConfirmationEmail?useApiLinks=true", new
-        {
-            Email = newEmail
-        });
-        await resendResponse.AssertSuccess();
-
-        // Get message sent by the email sender
-
-        // var resendResponseValue = await resendResponse.Content.ReadFromJsonAsync<ResendConfirmationEmail.ResendConfirmationEmailResponse>();
-        // var confirmToken = resendResponseValue!.ConfirmationToken;
+        await registerResponse.AssertSuccess();
 
-        // if (confirmToken is null)
-        // {
-        //     // Password reset is confirming email, so we skip the rest of the test
-        //     return;
-        // }
+        // Generate email confirmation token directly via UserManager
+        var confirmToken = await GenerateEmailConfirmationTokenAsync(newEmail);
+        var encodedToken = EncodeToken(confirmToken);
 
-        // // Now confirm email using the email confirmation token
-        // var confirmResponse = await publicClient.GetAsync(
-        //     $"/auth/confirmEmail?tenantIdentifier={IdmtApiFactory.DefaultTenantIdentifier}&email={newEmail}&token={Uri.EscapeDataString(confirmToken)}");
+        // Confirm email via POST /confirm-email with Base64URL-encoded token
+        using var publicClient = Factory.CreateClient();
+        var confirmResponse = await publicClient.PostAsJsonAsync(
+            "/auth/confirm-email",
+            new { TenantIdentifier = IdmtApiFactory.DefaultTenantIdentifier, Email = newEmail, Token = encodedToken });
 
-        // await confirmResponse.AssertSuccess();
-        // var result = await confirmResponse.Content.ReadFromJsonAsync<ConfirmEmail.ConfirmEmailResponse>();
-        // Assert.NotNull(result);
-        // Assert.True(result!.Success);
+        await confirmResponse.AssertSuccess();
     }
 
     [Fact]
@@ -331,8 +382,9 @@ public async Task ConfirmEmail_with_invalid_token_fails()
         var newEmail = $"invalid-{Guid.NewGuid():N}@example.com";
         using var publicClient = Factory.CreateClient();
 
-        var confirmResponse = await publicClient.GetAsync(
-            $"/auth/confirmEmail?tenantIdentifier={IdmtApiFactory.DefaultTenantIdentifier}&email={newEmail}&token=invalid-token");
+        var confirmResponse = await publicClient.PostAsJsonAsync(
+            "/auth/confirm-email",
+            new { TenantIdentifier = IdmtApiFactory.DefaultTenantIdentifier, Email = newEmail, Token = "invalid-token" });
 
         Assert.False(confirmResponse.IsSuccessStatusCode);
     }
@@ -343,8 +395,9 @@ public async Task ConfirmEmail_with_invalid_tenant_fails()
         var newEmail = $"confirm-{Guid.NewGuid():N}@example.com";
         using var publicClient = Factory.CreateClient();
 
-        var confirmResponse = await publicClient.GetAsync(
-            $"/auth/confirmEmail?tenantIdentifier=nonexistent-tenant&email={newEmail}&token=some-token");
+        var confirmResponse = await publicClient.PostAsJsonAsync(
+            "/auth/confirm-email",
+            new { TenantIdentifier = "nonexistent-tenant", Email = newEmail, Token = "some-token" });
 
         Assert.False(confirmResponse.IsSuccessStatusCode);
     }
@@ -354,8 +407,9 @@ public async Task ConfirmEmail_with_missing_email_fails()
     {
         using var publicClient = Factory.CreateClient();
 
-        var confirmResponse = await publicClient.GetAsync(
-            $"/auth/confirmEmail?tenantIdentifier={IdmtApiFactory.DefaultTenantIdentifier}&email=&token=some-token");
+        var confirmResponse = await publicClient.PostAsJsonAsync(
+            "/auth/confirm-email",
+            new { TenantIdentifier = IdmtApiFactory.DefaultTenantIdentifier, Email = "", Token = "some-token" });
 
         Assert.False(confirmResponse.IsSuccessStatusCode);
     }
@@ -366,8 +420,9 @@ public async Task ConfirmEmail_with_missing_token_fails()
         var newEmail = $"confirm-{Guid.NewGuid():N}@example.com";
         using var publicClient = Factory.CreateClient();
 
-        var confirmResponse = await publicClient.GetAsync(
-            $"/auth/confirmEmail?tenantIdentifier={IdmtApiFactory.DefaultTenantIdentifier}&email={newEmail}&token=");
+        var confirmResponse = await publicClient.PostAsJsonAsync(
+            "/auth/confirm-email",
+            new { TenantIdentifier = IdmtApiFactory.DefaultTenantIdentifier, Email = newEmail, Token = "" });
 
         Assert.False(confirmResponse.IsSuccessStatusCode);
     }
@@ -383,7 +438,7 @@ public async Task ResendConfirmationEmail_for_unconfirmed_user_succeeds()
         var newEmail = $"resend-{Guid.NewGuid():N}@example.com";
 
         // Register user
-        var registerResponse = await sysClient.PostAsJsonAsync("/manage/users?useApiLinks=false", new
+        var registerResponse = await sysClient.PostAsJsonAsync("/manage/users", new
         {
             Email = newEmail,
             Username = $"resend{Guid.NewGuid():N}",
@@ -393,7 +448,7 @@ public async Task ResendConfirmationEmail_for_unconfirmed_user_succeeds()
 
         // Resend confirmation email
         using var publicClient = Factory.CreateClientWithTenant();
-        var resendResponse = await publicClient.PostAsJsonAsync($"/auth/resendConfirmationEmail?useApiLinks=true", new
+        var resendResponse = await publicClient.PostAsJsonAsync($"/auth/resend-confirmation-email", new
         {
             Email = newEmail
         });
@@ -404,14 +459,14 @@ public async Task ResendConfirmationEmail_for_unconfirmed_user_succeeds()
         // Assert.True(result!.Success);
     }
 
-    [Fact(Skip = "Email is currently being confirmed during password setup")]
+    [Fact]
     public async Task ResendConfirmationEmail_sends_email()
     {
         var sysClient = await CreateAuthenticatedClientAsync();
         var newEmail = $"resend-{Guid.NewGuid():N}@example.com";
 
-        // Register user
-        var registerResponse = await sysClient.PostAsJsonAsync("/manage/users?useApiLinks=false", new
+        // Register user (email is unconfirmed)
+        var registerResponse = await sysClient.PostAsJsonAsync("/manage/users", new
         {
             Email = newEmail,
             Username = $"resend{Guid.NewGuid():N}",
@@ -423,7 +478,7 @@ public async Task ResendConfirmationEmail_sends_email()
 
         // Resend confirmation email
         using var publicClient = Factory.CreateClientWithTenant();
-        var resendResponse = await publicClient.PostAsJsonAsync($"/auth/resendConfirmationEmail?useApiLinks=false", new
+        var resendResponse = await publicClient.PostAsJsonAsync("/auth/resend-confirmation-email", new
         {
             Email = newEmail
         });
@@ -442,7 +497,7 @@ public async Task ResendConfirmationEmail_with_invalid_email_returns_validation_
     {
         using var publicClient = Factory.CreateClientWithTenant();
 
-        var resendResponse = await publicClient.PostAsJsonAsync($"/auth/resendConfirmationEmail?useApiLinks=false", new
+        var resendResponse = await publicClient.PostAsJsonAsync($"/auth/resend-confirmation-email", new
         {
             Email = "not-an-email"
         });
@@ -454,7 +509,7 @@ public async Task ResendConfirmationEmail_with_nonexistent_email_returns_validat
     {
         using var publicClient = Factory.CreateClientWithTenant();
 
-        var resendResponse = await publicClient.PostAsJsonAsync($"/auth/resendConfirmationEmail?useApiLinks=false", new
+        var resendResponse = await publicClient.PostAsJsonAsync($"/auth/resend-confirmation-email", new
         {
             Email = "nonexistent@example.com"
         });
@@ -473,7 +528,7 @@ public async Task ForgotPassword_generates_reset_token()
         var sysClient = await CreateAuthenticatedClientAsync();
 
         // Create user first
-        var registerResponse = await sysClient.PostAsJsonAsync("/manage/users?useApiLinks=false", new
+        var registerResponse = await sysClient.PostAsJsonAsync("/manage/users", new
         {
             Email = email,
             Username = $"forgot{Guid.NewGuid():N}",
@@ -481,23 +536,18 @@ public async Task ForgotPassword_generates_reset_token()
         });
         await registerResponse.AssertSuccess();
 
-        // Set initial password
+        // Set initial password using a token generated directly via UserManager
+        var setupToken = await GeneratePasswordResetTokenAsync(email);
         using var publicClient = Factory.CreateClient();
-        var setupToken = (await registerResponse.Content.ReadFromJsonAsync<RegisterUser.RegisterUserResponse>())!.PasswordSetupToken;
         await publicClient.PostAsJsonAsync(
-            QueryHelpers.AddQueryString("/auth/resetPassword", new Dictionary<string, string?>
-            {
-                ["tenantIdentifier"] = IdmtApiFactory.DefaultTenantIdentifier,
-                ["email"] = email,
-                ["token"] = setupToken
-            }),
-            new { NewPassword = "InitialPassword1!" });
+            "/auth/reset-password",
+            new { TenantIdentifier = IdmtApiFactory.DefaultTenantIdentifier, Email = email, Token = EncodeToken(setupToken), NewPassword = "InitialPassword1!" });
 
         Factory.EmailSenderMock.Invocations.Clear();
 
         // Request forgot password
         using var tenantClient = Factory.CreateClientWithTenant();
-        var forgotResponse = await tenantClient.PostAsJsonAsync("/auth/forgotPassword?useApiLinks=false", new { Email = email });
+        var forgotResponse = await tenantClient.PostAsJsonAsync("/auth/forgot-password", new { Email = email });
         await forgotResponse.AssertSuccess();
 
         // Verify email was sent
@@ -513,7 +563,7 @@ public async Task ForgotPassword_with_invalid_email_returns_validation_error()
     {
         using var client = Factory.CreateClientWithTenant();
 
-        var response = await client.PostAsJsonAsync("/auth/forgotPassword?useApiLinks=false", new { Email = "invalid-email" });
+        var response = await client.PostAsJsonAsync("/auth/forgot-password", new { Email = "invalid-email" });
         Assert.False(response.IsSuccessStatusCode);
     }
 
@@ -522,11 +572,35 @@ public async Task ForgotPassword_with_nonexistent_email_succeeds_silently()
     {
         using var client = Factory.CreateClientWithTenant();
 
-        var response = await client.PostAsJsonAsync("/auth/forgotPassword?useApiLinks=false", new { Email = "nonexistent@example.com" });
+        var response = await client.PostAsJsonAsync("/auth/forgot-password", new { Email = "nonexistent@example.com" });
         // Should succeed for security (don't leak user existence)
         Assert.True(response.IsSuccessStatusCode);
     }
 
+    [Fact]
+    public async Task ResetPassword_Returns400_WhenTenantIdentifierMissing()
+    {
+        using var publicClient = Factory.CreateClient();
+
+        var resetResponse = await publicClient.PostAsJsonAsync(
+            "/auth/reset-password",
+            new { TenantIdentifier = "", Email = "test@example.com", Token = "some-token", NewPassword = "NewPassword1!" });
+
+        Assert.False(resetResponse.IsSuccessStatusCode);
+    }
+
+    [Fact]
+    public async Task ResetPassword_Returns400_WhenTokenMissing()
+    {
+        using var publicClient = Factory.CreateClient();
+
+        var resetResponse = await publicClient.PostAsJsonAsync(
+            "/auth/reset-password",
+            new { TenantIdentifier = IdmtApiFactory.DefaultTenantIdentifier, Email = "test@example.com", Token = "", NewPassword = "NewPassword1!" });
+
+        Assert.False(resetResponse.IsSuccessStatusCode);
+    }
+
     #endregion
 
     #region Reset Password Tests
@@ -538,24 +612,20 @@ public async Task ResetPassword_with_valid_token_succeeds()
         var sysClient = await CreateAuthenticatedClientAsync();
 
         // Register user
-        var registerResponse = await sysClient.PostAsJsonAsync("/manage/users?useApiLinks=false", new
+        var registerResponse = await sysClient.PostAsJsonAsync("/manage/users", new
         {
             Email = email,
             Username = $"reset{Guid.NewGuid():N}",
             Role = IdmtDefaultRoleTypes.TenantAdmin
         });
-        var resetToken = (await registerResponse.Content.ReadFromJsonAsync<RegisterUser.RegisterUserResponse>())!.PasswordSetupToken;
+        await registerResponse.AssertSuccess();
+        var resetToken = await GeneratePasswordResetTokenAsync(email);
 
         // Reset password with token
         using var publicClient = Factory.CreateClient();
         var resetResponse = await publicClient.PostAsJsonAsync(
-            QueryHelpers.AddQueryString("/auth/resetPassword", new Dictionary<string, string?>
-            {
-                ["tenantIdentifier"] = IdmtApiFactory.DefaultTenantIdentifier,
-                ["email"] = email,
-                ["token"] = resetToken
-            }),
-            new { NewPassword = "NewPassword1!" });
+            "/auth/reset-password",
+            new { TenantIdentifier = IdmtApiFactory.DefaultTenantIdentifier, Email = email, Token = EncodeToken(resetToken), NewPassword = "NewPassword1!" });
 
         await resetResponse.AssertSuccess();
     }
@@ -567,25 +637,21 @@ public async Task ResetPassword_with_new_password_allows_login()
         var sysClient = await CreateAuthenticatedClientAsync();
 
         // Register user
-        var registerResponse = await sysClient.PostAsJsonAsync("/manage/users?useApiLinks=false", new
+        var registerResponse = await sysClient.PostAsJsonAsync("/manage/users", new
         {
             Email = email,
             Username = $"resetlogin{Guid.NewGuid():N}",
             Role = IdmtDefaultRoleTypes.TenantAdmin
         });
-        var resetToken = (await registerResponse.Content.ReadFromJsonAsync<RegisterUser.RegisterUserResponse>())!.PasswordSetupToken;
+        await registerResponse.AssertSuccess();
+        var resetToken = await GeneratePasswordResetTokenAsync(email);
 
         // Reset password
         using var publicClient = Factory.CreateClient();
         const string newPassword = "NewPassword1!";
         await publicClient.PostAsJsonAsync(
-            QueryHelpers.AddQueryString("/auth/resetPassword", new Dictionary<string, string?>
-            {
-                ["tenantIdentifier"] = IdmtApiFactory.DefaultTenantIdentifier,
-                ["email"] = email,
-                ["token"] = resetToken
-            }),
-            new { NewPassword = newPassword });
+            "/auth/reset-password",
+            new { TenantIdentifier = IdmtApiFactory.DefaultTenantIdentifier, Email = email, Token = EncodeToken(resetToken), NewPassword = newPassword });
 
         // Login with new password
         using var loginClient = Factory.CreateClientWithTenant();
@@ -605,13 +671,8 @@ public async Task ResetPassword_with_invalid_token_fails()
         using var publicClient = Factory.CreateClient();
 
         var resetResponse = await publicClient.PostAsJsonAsync(
-            QueryHelpers.AddQueryString("/auth/resetPassword", new Dictionary<string, string?>
-            {
-                ["tenantIdentifier"] = IdmtApiFactory.DefaultTenantIdentifier,
-                ["email"] = email,
-                ["token"] = "invalid-token"
-            }),
-            new { NewPassword = "NewPassword1!" });
+            "/auth/reset-password",
+            new { TenantIdentifier = IdmtApiFactory.DefaultTenantIdentifier, Email = email, Token = "invalid-token", NewPassword = "NewPassword1!" });
 
         Assert.False(resetResponse.IsSuccessStatusCode);
     }
@@ -623,24 +684,20 @@ public async Task ResetPassword_with_weak_password_fails()
         var sysClient = await CreateAuthenticatedClientAsync();
 
         // Register user
-        var registerResponse = await sysClient.PostAsJsonAsync("/manage/users?useApiLinks=false", new
+        var registerResponse = await sysClient.PostAsJsonAsync("/manage/users", new
         {
             Email = email,
             Username = $"resetweak{Guid.NewGuid():N}",
             Role = IdmtDefaultRoleTypes.TenantAdmin
         });
-        var resetToken = (await registerResponse.Content.ReadFromJsonAsync<RegisterUser.RegisterUserResponse>())!.PasswordSetupToken;
+        await registerResponse.AssertSuccess();
+        var resetToken = await GeneratePasswordResetTokenAsync(email);
 
         // Try reset with weak password
         using var publicClient = Factory.CreateClient();
         var resetResponse = await publicClient.PostAsJsonAsync(
-            QueryHelpers.AddQueryString("/auth/resetPassword", new Dictionary<string, string?>
-            {
-                ["tenantIdentifier"] = IdmtApiFactory.DefaultTenantIdentifier,
-                ["email"] = email,
-                ["token"] = resetToken
-            }),
-            new { NewPassword = "weak" });
+            "/auth/reset-password",
+            new { TenantIdentifier = IdmtApiFactory.DefaultTenantIdentifier, Email = email, Token = EncodeToken(resetToken), NewPassword = "weak" });
 
         Assert.False(resetResponse.IsSuccessStatusCode);
     }
diff --git a/src/tests/Idmt.BasicSample.Tests/BaseIntegrationTest.cs b/src/tests/Idmt.BasicSample.Tests/BaseIntegrationTest.cs
index 7e3dfa7..55fc357 100644
--- a/src/tests/Idmt.BasicSample.Tests/BaseIntegrationTest.cs
+++ b/src/tests/Idmt.BasicSample.Tests/BaseIntegrationTest.cs
@@ -1,6 +1,12 @@
 using System.Net.Http.Headers;
 using System.Net.Http.Json;
+using System.Text;
+using Finbuckle.MultiTenant.Abstractions;
 using Idmt.Plugin.Features.Auth;
+using Idmt.Plugin.Features.Manage;
+using Idmt.Plugin.Models;
+using Microsoft.AspNetCore.Identity;
+using Microsoft.Extensions.DependencyInjection;
 using Moq;
 
 namespace Idmt.BasicSample.Tests;
@@ -61,4 +67,101 @@ protected HttpClient CreateClientWithToken(string? tenantId = null, string? toke
         var tokens = await response.Content.ReadFromJsonAsync<Login.AccessTokenResponse>();
         return tokens?.AccessToken;
     }
+
+    /// <summary>
+    /// Registers a new user via the API and sets their password using UserManager to generate
+    /// a password reset token directly (since the token is no longer returned in the response).
+    /// Returns the user ID.
+    /// </summary>
+    protected async Task<(string UserId, string Email)> RegisterAndSetPasswordAsync(
+        HttpClient authenticatedClient,
+        string password,
+        string? email = null,
+        string? username = null,
+        string role = IdmtDefaultRoleTypes.TenantAdmin,
+        string? tenantIdentifier = null)
+    {
+        email ??= $"user-{Guid.NewGuid():N}@example.com";
+        username ??= $"user{Guid.NewGuid():N}";
+        tenantIdentifier ??= IdmtApiFactory.DefaultTenantIdentifier;
+
+        // Register the user via the API
+        var registerResponse = await authenticatedClient.PostAsJsonAsync("/manage/users", new
+        {
+            Email = email,
+            Username = username,
+            Role = role,
+        });
+        await registerResponse.AssertSuccess();
+        var registerResult = await registerResponse.Content.ReadFromJsonAsync<RegisterUser.RegisterUserResponse>();
+        var userId = registerResult!.UserId!;
+
+        // Generate a password reset token directly via UserManager
+        var resetToken = await GeneratePasswordResetTokenAsync(email, tenantIdentifier);
+
+        // Set the password using the reset-password endpoint (body-based)
+        // Token must be Base64URL-encoded as the endpoint expects encoded tokens
+        using var publicClient = Factory.CreateClient();
+        var resetResponse = await publicClient.PostAsJsonAsync(
+            "/auth/reset-password",
+            new { TenantIdentifier = tenantIdentifier, Email = email, Token = EncodeToken(resetToken), NewPassword = password });
+        await resetResponse.AssertSuccess();
+
+        return (userId, email);
+    }
+
+    /// <summary>
+    /// Generates a password reset token for a user by accessing UserManager directly.
+    /// This replaces the removed PasswordSetupToken from RegisterUserResponse.
+    /// </summary>
+    protected async Task<string> GeneratePasswordResetTokenAsync(string email, string? tenantIdentifier = null)
+    {
+        tenantIdentifier ??= IdmtApiFactory.DefaultTenantIdentifier;
+
+        using var scope = Factory.Services.CreateScope();
+        var provider = scope.ServiceProvider;
+
+        var store = provider.GetRequiredService<IMultiTenantStore<IdmtTenantInfo>>();
+        var tenant = await store.GetByIdentifierAsync(tenantIdentifier)
+            ?? throw new InvalidOperationException($"Tenant '{tenantIdentifier}' not found.");
+
+        var setter = provider.GetRequiredService<IMultiTenantContextSetter>();
+        setter.MultiTenantContext = new MultiTenantContext<IdmtTenantInfo>(tenant);
+
+        var userManager = provider.GetRequiredService<UserManager<IdmtUser>>();
+        var user = await userManager.FindByEmailAsync(email)
+            ?? throw new InvalidOperationException($"User with email '{email}' not found.");
+
+        return await userManager.GeneratePasswordResetTokenAsync(user);
+    }
+
+    /// <summary>
+    /// Generates an email confirmation token for a user by accessing UserManager directly.
+    /// </summary>
+    protected async Task<string> GenerateEmailConfirmationTokenAsync(string email, string? tenantIdentifier = null)
+    {
+        tenantIdentifier ??= IdmtApiFactory.DefaultTenantIdentifier;
+
+        using var scope = Factory.Services.CreateScope();
+        var provider = scope.ServiceProvider;
+
+        var store = provider.GetRequiredService<IMultiTenantStore<IdmtTenantInfo>>();
+        var tenant = await store.GetByIdentifierAsync(tenantIdentifier)
+            ?? throw new InvalidOperationException($"Tenant '{tenantIdentifier}' not found.");
+
+        var setter = provider.GetRequiredService<IMultiTenantContextSetter>();
+        setter.MultiTenantContext = new MultiTenantContext<IdmtTenantInfo>(tenant);
+
+        var userManager = provider.GetRequiredService<UserManager<IdmtUser>>();
+        var user = await userManager.FindByEmailAsync(email)
+            ?? throw new InvalidOperationException($"User with email '{email}' not found.");
+
+        return await userManager.GenerateEmailConfirmationTokenAsync(user);
+    }
+
+    /// <summary>
+    /// Base64URL-encodes a token for use with API endpoints that expect encoded tokens.
+    /// </summary>
+    protected static string EncodeToken(string token)
+        => Microsoft.AspNetCore.WebUtilities.WebEncoders.Base64UrlEncode(Encoding.UTF8.GetBytes(token));
 }
diff --git a/src/tests/Idmt.BasicSample.Tests/Idmt.BasicSample.Tests.csproj b/src/tests/Idmt.BasicSample.Tests/Idmt.BasicSample.Tests.csproj
index 78571bb..a526a95 100644
--- a/src/tests/Idmt.BasicSample.Tests/Idmt.BasicSample.Tests.csproj
+++ b/src/tests/Idmt.BasicSample.Tests/Idmt.BasicSample.Tests.csproj
@@ -8,10 +8,10 @@
   </PropertyGroup>
 
   <ItemGroup>
-    <PackageReference Include="Microsoft.AspNetCore.Mvc.Testing" Version="10.0.1" />
-    <PackageReference Include="coverlet.collector" Version="6.0.4" />
-    <PackageReference Include="Microsoft.EntityFrameworkCore.Sqlite" Version="10.0.1" />
-    <PackageReference Include="Microsoft.NET.Test.Sdk" Version="18.0.1" />
+    <PackageReference Include="Microsoft.AspNetCore.Mvc.Testing" Version="10.0.3" />
+    <PackageReference Include="coverlet.collector" Version="8.0.0" />
+    <PackageReference Include="Microsoft.EntityFrameworkCore.Sqlite" Version="10.0.3" />
+    <PackageReference Include="Microsoft.NET.Test.Sdk" Version="18.3.0" />
     <PackageReference Include="Moq" Version="4.20.72" />
     <PackageReference Include="xunit" Version="2.9.3" />
     <PackageReference Include="xunit.runner.visualstudio" Version="3.1.5" />
diff --git a/src/tests/Idmt.BasicSample.Tests/IdmtApiFactory.cs b/src/tests/Idmt.BasicSample.Tests/IdmtApiFactory.cs
index a9d0409..4c60066 100644
--- a/src/tests/Idmt.BasicSample.Tests/IdmtApiFactory.cs
+++ b/src/tests/Idmt.BasicSample.Tests/IdmtApiFactory.cs
@@ -45,6 +45,12 @@ protected override void ConfigureWebHost(IWebHostBuilder builder)
         var configSettings = new Dictionary<string, string?>
         {
             { "Idmt:Application:ClientUrl", "http://localhost" },
+            { "Idmt:Application:ApiPrefix", "" },
+            // Use EnsureCreated for integration tests — SQLite in-memory does not support
+            // migrations, and the test factory's SeedAsync initialises the schema directly
+            // via EnsureCreatedAsync before the seeding scope runs.
+            { "Idmt:Database:DatabaseInitialization", "EnsureCreated" },
+            { "Idmt:RateLimiting:Enabled", "false" },
         };
         // Add strategies as indexed array for proper deserialization
         for (int i = 0; i < _strategies.Length; i++)
diff --git a/src/tests/Idmt.BasicSample.Tests/ManageIntegrationTests.cs b/src/tests/Idmt.BasicSample.Tests/ManageIntegrationTests.cs
index 5f082b8..21376c9 100644
--- a/src/tests/Idmt.BasicSample.Tests/ManageIntegrationTests.cs
+++ b/src/tests/Idmt.BasicSample.Tests/ManageIntegrationTests.cs
@@ -4,8 +4,6 @@
 using Idmt.Plugin.Features.Auth;
 using Idmt.Plugin.Features.Manage;
 using Idmt.Plugin.Models;
-using Microsoft.AspNetCore.WebUtilities;
-
 namespace Idmt.BasicSample.Tests;
 
 /// <summary>
@@ -24,7 +22,7 @@ public async Task RegisterUser_with_valid_data_succeeds()
         var sysClient = await CreateAuthenticatedClientAsync();
         var newEmail = $"user-{Guid.NewGuid():N}@example.com";
 
-        var response = await sysClient.PostAsJsonAsync("/manage/users?useApiLinks=false", new
+        var response = await sysClient.PostAsJsonAsync("/manage/users", new
         {
             Email = newEmail,
             Username = $"user{Guid.NewGuid():N}",
@@ -35,16 +33,15 @@ public async Task RegisterUser_with_valid_data_succeeds()
         var result = await response.Content.ReadFromJsonAsync<RegisterUser.RegisterUserResponse>();
         Assert.NotNull(result);
         Assert.NotNull(result!.UserId);
-        Assert.NotNull(result.PasswordSetupToken);
     }
 
     [Fact]
-    public async Task RegisterUser_returns_setup_token()
+    public async Task RegisterUser_returns_user_id()
     {
         var sysClient = await CreateAuthenticatedClientAsync();
         var newEmail = $"token-{Guid.NewGuid():N}@example.com";
 
-        var response = await sysClient.PostAsJsonAsync("/manage/users?useApiLinks=false", new
+        var response = await sysClient.PostAsJsonAsync("/manage/users", new
         {
             Email = newEmail,
             Username = $"token{Guid.NewGuid():N}",
@@ -52,7 +49,7 @@ public async Task RegisterUser_returns_setup_token()
         });
 
         var result = await response.Content.ReadFromJsonAsync<RegisterUser.RegisterUserResponse>();
-        Assert.False(string.IsNullOrWhiteSpace(result!.PasswordSetupToken));
+        Assert.False(string.IsNullOrWhiteSpace(result!.UserId));
     }
 
     [Fact]
@@ -62,7 +59,7 @@ public async Task RegisterUser_with_duplicate_email_fails()
         var email = $"duplicate-{Guid.NewGuid():N}@example.com";
 
         // Register first user
-        await sysClient.PostAsJsonAsync("/manage/users?useApiLinks=false", new
+        await sysClient.PostAsJsonAsync("/manage/users", new
         {
             Email = email,
             Username = $"user1{Guid.NewGuid():N}",
@@ -70,7 +67,7 @@ public async Task RegisterUser_with_duplicate_email_fails()
         });
 
         // Try to register with same email
-        var response = await sysClient.PostAsJsonAsync("/manage/users?useApiLinks=false", new
+        var response = await sysClient.PostAsJsonAsync("/manage/users", new
         {
             Email = email,
             Username = $"user2{Guid.NewGuid():N}",
@@ -87,7 +84,7 @@ public async Task RegisterUser_with_duplicate_username_fails()
         var username = $"dupuser{Guid.NewGuid():N}";
 
         // Register first user
-        await sysClient.PostAsJsonAsync("/manage/users?useApiLinks=false", new
+        await sysClient.PostAsJsonAsync("/manage/users", new
         {
             Email = $"email1-{Guid.NewGuid():N}@example.com",
             Username = username,
@@ -95,7 +92,7 @@ public async Task RegisterUser_with_duplicate_username_fails()
         });
 
         // Try to register with same username
-        var response = await sysClient.PostAsJsonAsync("/manage/users?useApiLinks=false", new
+        var response = await sysClient.PostAsJsonAsync("/manage/users", new
         {
             Email = $"email2-{Guid.NewGuid():N}@example.com",
             Username = username,
@@ -110,7 +107,7 @@ public async Task RegisterUser_with_invalid_email_fails()
     {
         var sysClient = await CreateAuthenticatedClientAsync();
 
-        var response = await sysClient.PostAsJsonAsync("/manage/users?useApiLinks=false", new
+        var response = await sysClient.PostAsJsonAsync("/manage/users", new
         {
             Email = "not-an-email",
             Username = $"user{Guid.NewGuid():N}",
@@ -125,7 +122,7 @@ public async Task RegisterUser_with_empty_email_fails()
     {
         var sysClient = await CreateAuthenticatedClientAsync();
 
-        var response = await sysClient.PostAsJsonAsync("/manage/users?useApiLinks=false", new
+        var response = await sysClient.PostAsJsonAsync("/manage/users", new
         {
             Email = "",
             Username = $"user{Guid.NewGuid():N}",
@@ -140,7 +137,7 @@ public async Task RegisterUser_with_empty_username_fails()
     {
         var sysClient = await CreateAuthenticatedClientAsync();
 
-        var response = await sysClient.PostAsJsonAsync("/manage/users?useApiLinks=false", new
+        var response = await sysClient.PostAsJsonAsync("/manage/users", new
         {
             Email = $"user-{Guid.NewGuid():N}@example.com",
             Username = "",
@@ -155,7 +152,7 @@ public async Task RegisterUser_requires_authorization()
     {
         var client = Factory.CreateClientWithTenant();
 
-        var response = await client.PostAsJsonAsync("/manage/users?useApiLinks=false", new
+        var response = await client.PostAsJsonAsync("/manage/users", new
         {
             Email = $"user-{Guid.NewGuid():N}@example.com",
             Username = $"user{Guid.NewGuid():N}",
@@ -165,6 +162,63 @@ public async Task RegisterUser_requires_authorization()
         Assert.Contains(response.StatusCode, new[] { HttpStatusCode.Unauthorized, HttpStatusCode.Forbidden });
     }
 
+    [Fact]
+    public async Task RegisterUser_WithSysAdminRole_SucceedsWhenCalledBySysAdmin()
+    {
+        // The seeded user is a SysAdmin, so registering another SysAdmin should succeed
+        var sysClient = await CreateAuthenticatedClientAsync();
+        var newEmail = $"sysadmin-reg-{Guid.NewGuid():N}@example.com";
+
+        var response = await sysClient.PostAsJsonAsync("/manage/users", new
+        {
+            Email = newEmail,
+            Username = $"sysadminreg{Guid.NewGuid():N}",
+            Role = IdmtDefaultRoleTypes.SysAdmin
+        });
+
+        await response.AssertSuccess();
+        var result = await response.Content.ReadFromJsonAsync<RegisterUser.RegisterUserResponse>();
+        Assert.NotNull(result);
+        Assert.NotNull(result!.UserId);
+    }
+
+    [Fact]
+    public async Task RegisterUser_WithSysAdminRole_ReturnsForbidden_WhenCalledByTenantAdmin()
+    {
+        // First, create a TenantAdmin user with password
+        var sysClient = await CreateAuthenticatedClientAsync();
+        var tenantAdminEmail = $"tadmin-{Guid.NewGuid():N}@example.com";
+        var tenantAdminPassword = "TenantAdmin1!";
+
+        await RegisterAndSetPasswordAsync(
+            sysClient,
+            tenantAdminPassword,
+            email: tenantAdminEmail,
+            username: $"tadmin{Guid.NewGuid():N}",
+            role: IdmtDefaultRoleTypes.TenantAdmin);
+
+        // Login as the TenantAdmin
+        var loginClient = Factory.CreateClientWithTenant();
+        var loginResponse = await loginClient.PostAsJsonAsync("/auth/token", new
+        {
+            Email = tenantAdminEmail,
+            Password = tenantAdminPassword
+        });
+        await loginResponse.AssertSuccess();
+        var tokens = await loginResponse.Content.ReadFromJsonAsync<Login.AccessTokenResponse>();
+        loginClient.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", tokens!.AccessToken);
+
+        // Try to register a SysAdmin user as TenantAdmin - should be forbidden
+        var response = await loginClient.PostAsJsonAsync("/manage/users", new
+        {
+            Email = $"newadmin-{Guid.NewGuid():N}@example.com",
+            Username = $"newadmin{Guid.NewGuid():N}",
+            Role = IdmtDefaultRoleTypes.SysAdmin
+        });
+
+        Assert.Contains(response.StatusCode, new[] { HttpStatusCode.Forbidden, HttpStatusCode.InternalServerError });
+    }
+
     #endregion
 
     #region Unregister User Tests
@@ -176,7 +230,7 @@ public async Task UnregisterUser_with_valid_id_succeeds()
         var email = $"unregister-{Guid.NewGuid():N}@example.com";
 
         // Register user
-        var registerResponse = await sysClient.PostAsJsonAsync("/manage/users?useApiLinks=false", new
+        var registerResponse = await sysClient.PostAsJsonAsync("/manage/users", new
         {
             Email = email,
             Username = $"unreg{Guid.NewGuid():N}",
@@ -205,27 +259,9 @@ public async Task UnregisterUser_prevents_login_after_deletion()
         var password = "TempPassword1!";
         var sysClient = await CreateAuthenticatedClientAsync();
 
-        // Register user
-        var registerResponse = await sysClient.PostAsJsonAsync("/manage/users?useApiLinks=false", new
-        {
-            Email = email,
-            Username = $"deleted{Guid.NewGuid():N}",
-            Role = IdmtDefaultRoleTypes.TenantAdmin
-        });
-        var registerResponseValue = await registerResponse.Content.ReadFromJsonAsync<RegisterUser.RegisterUserResponse>();
-        var resetToken = registerResponseValue!.PasswordSetupToken;
-        var userId = Guid.Parse(registerResponseValue!.UserId!);
-
-        // Set password
-        using var publicClient = Factory.CreateClient();
-        await publicClient.PostAsJsonAsync(
-            QueryHelpers.AddQueryString("/auth/resetPassword", new Dictionary<string, string?>
-            {
-                ["tenantIdentifier"] = IdmtApiFactory.DefaultTenantIdentifier,
-                ["email"] = email,
-                ["token"] = resetToken
-            }),
-            new { NewPassword = password });
+        // Register user and set password
+        var (userIdStr, _) = await RegisterAndSetPasswordAsync(sysClient, password, email: email, username: $"deleted{Guid.NewGuid():N}");
+        var userId = Guid.Parse(userIdStr);
 
         // Verify login works
         var loginClient = Factory.CreateClientWithTenant();
@@ -260,7 +296,7 @@ public async Task UpdateUser_deactivate_user_succeeds()
         var email = $"deactivate-{Guid.NewGuid():N}@example.com";
 
         // Register user
-        var registerResponse = await sysClient.PostAsJsonAsync("/manage/users?useApiLinks=false", new
+        var registerResponse = await sysClient.PostAsJsonAsync("/manage/users", new
         {
             Email = email,
             Username = $"deact{Guid.NewGuid():N}",
@@ -280,7 +316,7 @@ public async Task UpdateUser_reactivate_user_succeeds()
         var email = $"reactivate-{Guid.NewGuid():N}@example.com";
 
         // Register user
-        var registerResponse = await sysClient.PostAsJsonAsync("/manage/users?useApiLinks=false", new
+        var registerResponse = await sysClient.PostAsJsonAsync("/manage/users", new
         {
             Email = email,
             Username = $"reactiv{Guid.NewGuid():N}",
@@ -303,27 +339,9 @@ public async Task UpdateUser_prevents_login_when_deactivated()
         var password = "TempPassword1!";
         var sysClient = await CreateAuthenticatedClientAsync();
 
-        // Register user
-        var registerResponse = await sysClient.PostAsJsonAsync("/manage/users?useApiLinks=false", new
-        {
-            Email = email,
-            Username = $"deactlogin{Guid.NewGuid():N}",
-            Role = IdmtDefaultRoleTypes.TenantAdmin
-        });
-        var registerResponseValue = await registerResponse.Content.ReadFromJsonAsync<RegisterUser.RegisterUserResponse>();
-        var resetToken = registerResponseValue!.PasswordSetupToken;
-        var userId = Guid.Parse(registerResponseValue!.UserId!);
-
-        // Set password
-        using var publicClient = Factory.CreateClient();
-        await publicClient.PostAsJsonAsync(
-            QueryHelpers.AddQueryString("/auth/resetPassword", new Dictionary<string, string?>
-            {
-                ["tenantIdentifier"] = IdmtApiFactory.DefaultTenantIdentifier,
-                ["email"] = email,
-                ["token"] = resetToken
-            }),
-            new { NewPassword = password });
+        // Register user and set password
+        var (userIdStr, _) = await RegisterAndSetPasswordAsync(sysClient, password, email: email, username: $"deactlogin{Guid.NewGuid():N}");
+        var userId = Guid.Parse(userIdStr);
 
         // Deactivate user
         await sysClient.PutAsJsonAsync($"/manage/users/{userId}", new { IsActive = false });
@@ -368,7 +386,7 @@ public async Task GetUserInfo_returns_authenticated_user_details()
         Assert.NotNull(userInfo);
         Assert.Equal(IdmtApiFactory.SysAdminEmail, userInfo!.Email);
         Assert.NotEmpty(userInfo.Id);
-        Assert.NotEmpty(userInfo.Role);
+        Assert.NotEmpty(userInfo.Roles);
         Assert.NotEmpty(userInfo.TenantIdentifier);
     }
 
@@ -379,24 +397,8 @@ public async Task GetUserInfo_returns_correct_role()
         var email = $"role-{Guid.NewGuid():N}@example.com";
 
         // Register user with TenantAdmin role
-        var registerResponse = await sysClient.PostAsJsonAsync("/manage/users?useApiLinks=false", new
-        {
-            Email = email,
-            Username = $"role{Guid.NewGuid():N}",
-            Role = IdmtDefaultRoleTypes.TenantAdmin
-        });
-        var resetToken = (await registerResponse.Content.ReadFromJsonAsync<RegisterUser.RegisterUserResponse>())!.PasswordSetupToken;
-
-        // Set password and login
-        using var publicClient = Factory.CreateClient();
-        await publicClient.PostAsJsonAsync(
-            QueryHelpers.AddQueryString("/auth/resetPassword", new Dictionary<string, string?>
-            {
-                ["tenantIdentifier"] = IdmtApiFactory.DefaultTenantIdentifier,
-                ["email"] = email,
-                ["token"] = resetToken
-            }),
-            new { NewPassword = "Password1!" });
+        // Register user and set password
+        await RegisterAndSetPasswordAsync(sysClient, "Password1!", email: email, username: $"role{Guid.NewGuid():N}");
 
         var loginClient = Factory.CreateClientWithTenant();
         var loginResponse = await loginClient.PostAsJsonAsync("/auth/token", new { Email = email, Password = "Password1!" });
@@ -406,7 +408,7 @@ await publicClient.PostAsJsonAsync(
         var infoResponse = await loginClient.GetAsync("/manage/info");
         var info = await infoResponse.Content.ReadFromJsonAsync<GetUserInfo.GetUserInfoResponse>();
 
-        Assert.Equal(IdmtDefaultRoleTypes.TenantAdmin, info!.Role);
+        Assert.Contains(IdmtDefaultRoleTypes.TenantAdmin, info!.Roles);
     }
 
     [Fact]
@@ -429,23 +431,7 @@ public async Task UpdateUserInfo_change_password_succeeds()
         var sysClient = await CreateAuthenticatedClientAsync();
 
         // Register and setup user
-        var registerResponse = await sysClient.PostAsJsonAsync("/manage/users?useApiLinks=false", new
-        {
-            Email = email,
-            Username = $"pwdchange{Guid.NewGuid():N}",
-            Role = IdmtDefaultRoleTypes.TenantAdmin
-        });
-        var setupToken = (await registerResponse.Content.ReadFromJsonAsync<RegisterUser.RegisterUserResponse>())!.PasswordSetupToken;
-
-        using var publicClient = Factory.CreateClient();
-        await publicClient.PostAsJsonAsync(
-            QueryHelpers.AddQueryString("/auth/resetPassword", new Dictionary<string, string?>
-            {
-                ["tenantIdentifier"] = IdmtApiFactory.DefaultTenantIdentifier,
-                ["email"] = email,
-                ["token"] = setupToken
-            }),
-            new { NewPassword = "OldPassword1!" });
+        await RegisterAndSetPasswordAsync(sysClient, "OldPassword1!", email: email, username: $"pwdchange{Guid.NewGuid():N}");
 
         // Login and change password
         var loginClient = Factory.CreateClientWithTenant();
@@ -477,23 +463,7 @@ public async Task UpdateUserInfo_change_password_requires_old_password()
         var sysClient = await CreateAuthenticatedClientAsync();
 
         // Register and setup user
-        var registerResponse = await sysClient.PostAsJsonAsync("/manage/users?useApiLinks=false", new
-        {
-            Email = email,
-            Username = $"pwdverify{Guid.NewGuid():N}",
-            Role = IdmtDefaultRoleTypes.TenantAdmin
-        });
-        var setupToken = (await registerResponse.Content.ReadFromJsonAsync<RegisterUser.RegisterUserResponse>())!.PasswordSetupToken;
-
-        using var publicClient = Factory.CreateClient();
-        await publicClient.PostAsJsonAsync(
-            QueryHelpers.AddQueryString("/auth/resetPassword", new Dictionary<string, string?>
-            {
-                ["tenantIdentifier"] = IdmtApiFactory.DefaultTenantIdentifier,
-                ["email"] = email,
-                ["token"] = setupToken
-            }),
-            new { NewPassword = "CurrentPassword1!" });
+        await RegisterAndSetPasswordAsync(sysClient, "CurrentPassword1!", email: email, username: $"pwdverify{Guid.NewGuid():N}");
 
         // Login
         var loginClient = Factory.CreateClientWithTenant();
@@ -518,24 +488,8 @@ public async Task UpdateUserInfo_change_username_succeeds()
         var newUsername = $"user{Guid.NewGuid():N}";
         var sysClient = await CreateAuthenticatedClientAsync();
 
-        // Register user
-        var registerResponse = await sysClient.PostAsJsonAsync("/manage/users?useApiLinks=false", new
-        {
-            Email = email,
-            Username = oldUsername,
-            Role = IdmtDefaultRoleTypes.TenantAdmin
-        });
-        var setupToken = (await registerResponse.Content.ReadFromJsonAsync<RegisterUser.RegisterUserResponse>())!.PasswordSetupToken;
-
-        using var publicClient = Factory.CreateClient();
-        await publicClient.PostAsJsonAsync(
-            QueryHelpers.AddQueryString("/auth/resetPassword", new Dictionary<string, string?>
-            {
-                ["tenantIdentifier"] = IdmtApiFactory.DefaultTenantIdentifier,
-                ["email"] = email,
-                ["token"] = setupToken
-            }),
-            new { NewPassword = "Password1!" });
+        // Register user and set password
+        await RegisterAndSetPasswordAsync(sysClient, "Password1!", email: email, username: oldUsername);
 
         // Login and change username
         var loginClient = Factory.CreateClientWithTenant();
diff --git a/src/tests/Idmt.BasicSample.Tests/MultiTenancyIntegrationTests.cs b/src/tests/Idmt.BasicSample.Tests/MultiTenancyIntegrationTests.cs
index d51e49b..ca9afa3 100644
--- a/src/tests/Idmt.BasicSample.Tests/MultiTenancyIntegrationTests.cs
+++ b/src/tests/Idmt.BasicSample.Tests/MultiTenancyIntegrationTests.cs
@@ -28,8 +28,8 @@ private async Task EnsureTenantsExistAsync()
         using var scope = Factory.Services.CreateScope();
         var handler = scope.ServiceProvider.GetRequiredService<CreateTenant.ICreateTenantHandler>();
 
-        await handler.HandleAsync(new CreateTenant.CreateTenantRequest(TenantA, TenantA, "Tenant A"));
-        await handler.HandleAsync(new CreateTenant.CreateTenantRequest(TenantB, TenantB, "Tenant B"));
+        await handler.HandleAsync(new CreateTenant.CreateTenantRequest(TenantA, TenantA));
+        await handler.HandleAsync(new CreateTenant.CreateTenantRequest(TenantB, TenantB));
     }
 
     private async Task CreateUserInTenantAsync(string tenantIdentifier, string email, string password, string role = IdmtDefaultRoleTypes.TenantAdmin)
@@ -186,28 +186,28 @@ public async Task User_can_only_see_their_own_tenant_info()
     }
 
     [Fact]
-    public async Task User_in_other_tenant_cannot_see_system_info_for_current_tenant()
+    public async Task User_in_other_tenant_cannot_access_protected_endpoint_for_current_tenant()
     {
         await EnsureTenantsExistAsync();
 
         // Create user in Tenant A
-        var emailA = $"sysinfo-{Guid.NewGuid():N}@example.com";
+        var emailA = $"crosstoken-{Guid.NewGuid():N}@example.com";
         var passwordA = "PasswordA1!";
         await CreateUserInTenantAsync(TenantA, emailA, passwordA, IdmtDefaultRoleTypes.SysSupport);
 
-        // Get system info for Tenant A
+        // Login as Tenant A user
         var clientA = Factory.CreateClientWithTenant(TenantA);
         var loginA = await clientA.PostAsJsonAsync("/auth/token", new { Email = emailA, Password = passwordA });
         var tokens = await loginA.Content.ReadFromJsonAsync<Login.AccessTokenResponse>();
 
         clientA.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", tokens!.AccessToken);
-        var infoResponseA = await clientA.GetAsync("/admin/info");
-        var infoA = await infoResponseA.Content.ReadFromJsonAsync<GetSystemInfo.SystemInfoResponse>();
+        var infoResponseA = await clientA.GetAsync("/manage/info");
+        Assert.True(infoResponseA.IsSuccessStatusCode);
 
         // Try to access Tenant B with Tenant A token
         var clientB = Factory.CreateClientWithTenant(TenantB);
         clientB.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", tokens.AccessToken);
-        var infoResponseB = await clientB.GetAsync("/admin/info");
+        var infoResponseB = await clientB.GetAsync("/manage/info");
 
         Assert.Contains(infoResponseB.StatusCode, new[] { HttpStatusCode.NotFound, HttpStatusCode.Unauthorized, HttpStatusCode.Forbidden });
     }
@@ -296,21 +296,21 @@ public async Task Complete_user_lifecycle_flow_across_tenants()
         using var adminClientA = Factory.CreateClientWithTenant(TenantA);
         var admin = await CreateAdminForTenantAsync(adminClientA, TenantA, initialAdminEmail, initialAdminPassword);
 
-        var registerResponse = await admin.PostAsJsonAsync("/manage/users?useApiLinks=false", new
+        var registerResponse = await admin.PostAsJsonAsync("/manage/users", new
         {
             Email = emailA,
             Username = usernameA,
             Role = IdmtDefaultRoleTypes.TenantAdmin
         });
         await registerResponse.AssertSuccess();
-        var registerResult = await registerResponse.Content.ReadFromJsonAsync<RegisterUser.RegisterUserResponse>();
 
         // 2. Set Password
         const string setupPassword = "SetupPassword1!";
+        var setupToken = await GeneratePasswordResetTokenAsync(emailA, TenantA);
         using var publicClient = Factory.CreateClient();
         var resetResponse = await publicClient.PostAsJsonAsync(
-            $"/auth/resetPassword?tenantIdentifier={TenantA}&email={emailA}&token={Uri.EscapeDataString(registerResult!.PasswordSetupToken!)}",
-            new { NewPassword = setupPassword });
+            "/auth/reset-password",
+            new { TenantIdentifier = TenantA, Email = emailA, Token = EncodeToken(setupToken), NewPassword = setupPassword });
         await resetResponse.AssertSuccess();
 
         // 3. Login in Tenant A (Success)
diff --git a/src/tests/Idmt.UnitTests/Configuration/IdmtOptionsValidatorTests.cs b/src/tests/Idmt.UnitTests/Configuration/IdmtOptionsValidatorTests.cs
new file mode 100644
index 0000000..fb8b4e7
--- /dev/null
+++ b/src/tests/Idmt.UnitTests/Configuration/IdmtOptionsValidatorTests.cs
@@ -0,0 +1,394 @@
+using Idmt.Plugin.Configuration;
+using Microsoft.Extensions.Options;
+
+namespace Idmt.UnitTests.Configuration;
+
+/// <summary>
+/// Unit tests for <see cref="IdmtOptionsValidator"/>.
+/// Each test group targets one of the six validation rules so that failures
+/// pinpoint the exact rule that is violated.
+/// </summary>
+public class IdmtOptionsValidatorTests
+{
+    private readonly IdmtOptionsValidator _sut = new();
+
+    // ---------------------------------------------------------------------------
+    // Helpers
+    // ---------------------------------------------------------------------------
+
+    /// <summary>
+    /// Builds the minimum-valid options that satisfy every rule.
+    /// Individual tests mutate copies of this to isolate the rule under test.
+    /// </summary>
+    private static IdmtOptions ValidOptions() => new()
+    {
+        Application = new ApplicationOptions
+        {
+            ApiPrefix = "/api/v1",
+            EmailConfirmationMode = EmailConfirmationMode.ClientForm,
+            ClientUrl = "https://myapp.com",
+            ConfirmEmailFormPath = "/confirm-email",
+            ResetPasswordFormPath = "/reset-password"
+        },
+        MultiTenant = new MultiTenantOptions
+        {
+            DefaultTenantName = "System Tenant",
+            Strategies = [IdmtMultiTenantStrategy.Header]
+        }
+    };
+
+    private ValidateOptionsResult Validate(IdmtOptions options) =>
+        _sut.Validate(null, options);
+
+    // ---------------------------------------------------------------------------
+    // Baseline: fully valid options produce no failures
+    // ---------------------------------------------------------------------------
+
+    [Fact]
+    public void Validate_Succeeds_WhenAllRulesAreSatisfied()
+    {
+        var result = Validate(ValidOptions());
+
+        Assert.False(result.Failed);
+    }
+
+    // ---------------------------------------------------------------------------
+    // Rule 1 — ApiPrefix must not be null
+    // ---------------------------------------------------------------------------
+
+    [Fact]
+    public void Validate_Fails_WhenApiPrefixIsNull()
+    {
+        var options = ValidOptions();
+        options.Application.ApiPrefix = null!;
+
+        var result = Validate(options);
+
+        Assert.True(result.Failed);
+        Assert.Contains(result.Failures!, f => f.Contains(nameof(ApplicationOptions.ApiPrefix)));
+    }
+
+    [Fact]
+    public void Validate_Succeeds_WhenApiPrefixIsEmptyString()
+    {
+        // Empty string is the documented opt-out for the legacy unprefixed behavior.
+        var options = ValidOptions();
+        options.Application.ApiPrefix = string.Empty;
+
+        var result = Validate(options);
+
+        Assert.False(result.Failed);
+    }
+
+    [Fact]
+    public void Validate_Succeeds_WhenApiPrefixHasValue()
+    {
+        var options = ValidOptions();
+        options.Application.ApiPrefix = "/v2";
+
+        var result = Validate(options);
+
+        Assert.False(result.Failed);
+    }
+
+    // ---------------------------------------------------------------------------
+    // Rule 2 — ClientUrl is required when EmailConfirmationMode == ClientForm
+    // ---------------------------------------------------------------------------
+
+    [Fact]
+    public void Validate_Fails_WhenClientFormModeAndClientUrlIsNull()
+    {
+        var options = ValidOptions();
+        options.Application.EmailConfirmationMode = EmailConfirmationMode.ClientForm;
+        options.Application.ClientUrl = null;
+
+        var result = Validate(options);
+
+        Assert.True(result.Failed);
+        Assert.Contains(result.Failures!, f => f.Contains(nameof(ApplicationOptions.ClientUrl)));
+    }
+
+    [Fact]
+    public void Validate_Fails_WhenClientFormModeAndClientUrlIsWhitespace()
+    {
+        var options = ValidOptions();
+        options.Application.EmailConfirmationMode = EmailConfirmationMode.ClientForm;
+        options.Application.ClientUrl = "   ";
+
+        var result = Validate(options);
+
+        Assert.True(result.Failed);
+        Assert.Contains(result.Failures!, f => f.Contains(nameof(ApplicationOptions.ClientUrl)));
+    }
+
+    [Fact]
+    public void Validate_Succeeds_WhenServerConfirmModeAndClientUrlIsNull()
+    {
+        // ClientUrl is only required for ClientForm mode; ServerConfirm does not need it.
+        var options = ValidOptions();
+        options.Application.EmailConfirmationMode = EmailConfirmationMode.ServerConfirm;
+        options.Application.ClientUrl = null;
+
+        var result = Validate(options);
+
+        Assert.False(result.Failed);
+    }
+
+    // ---------------------------------------------------------------------------
+    // Rule 3 — Form paths are required when ClientUrl is set
+    // ---------------------------------------------------------------------------
+
+    [Fact]
+    public void Validate_Fails_WhenClientUrlSetAndConfirmEmailFormPathIsNull()
+    {
+        var options = ValidOptions();
+        options.Application.ClientUrl = "https://myapp.com";
+        options.Application.ConfirmEmailFormPath = null!;
+
+        var result = Validate(options);
+
+        Assert.True(result.Failed);
+        Assert.Contains(result.Failures!, f => f.Contains(nameof(ApplicationOptions.ConfirmEmailFormPath)));
+    }
+
+    [Fact]
+    public void Validate_Fails_WhenClientUrlSetAndConfirmEmailFormPathIsWhitespace()
+    {
+        var options = ValidOptions();
+        options.Application.ClientUrl = "https://myapp.com";
+        options.Application.ConfirmEmailFormPath = "  ";
+
+        var result = Validate(options);
+
+        Assert.True(result.Failed);
+        Assert.Contains(result.Failures!, f => f.Contains(nameof(ApplicationOptions.ConfirmEmailFormPath)));
+    }
+
+    [Fact]
+    public void Validate_Fails_WhenClientUrlSetAndResetPasswordFormPathIsNull()
+    {
+        var options = ValidOptions();
+        options.Application.ClientUrl = "https://myapp.com";
+        options.Application.ResetPasswordFormPath = null!;
+
+        var result = Validate(options);
+
+        Assert.True(result.Failed);
+        Assert.Contains(result.Failures!, f => f.Contains(nameof(ApplicationOptions.ResetPasswordFormPath)));
+    }
+
+    [Fact]
+    public void Validate_Fails_WhenClientUrlSetAndResetPasswordFormPathIsWhitespace()
+    {
+        var options = ValidOptions();
+        options.Application.ClientUrl = "https://myapp.com";
+        options.Application.ResetPasswordFormPath = "   ";
+
+        var result = Validate(options);
+
+        Assert.True(result.Failed);
+        Assert.Contains(result.Failures!, f => f.Contains(nameof(ApplicationOptions.ResetPasswordFormPath)));
+    }
+
+    [Fact]
+    public void Validate_Fails_WhenClientUrlSetAndBothFormPathsAreInvalid()
+    {
+        var options = ValidOptions();
+        options.Application.ClientUrl = "https://myapp.com";
+        options.Application.ConfirmEmailFormPath = null!;
+        options.Application.ResetPasswordFormPath = null!;
+
+        var result = Validate(options);
+
+        Assert.True(result.Failed);
+        Assert.Contains(result.Failures!, f => f.Contains(nameof(ApplicationOptions.ConfirmEmailFormPath)));
+        Assert.Contains(result.Failures!, f => f.Contains(nameof(ApplicationOptions.ResetPasswordFormPath)));
+    }
+
+    [Fact]
+    public void Validate_Succeeds_WhenClientUrlNullAndFormPathsAreNotChecked()
+    {
+        // When ClientUrl is null / not set, form paths are irrelevant and should not be checked.
+        var options = ValidOptions();
+        options.Application.EmailConfirmationMode = EmailConfirmationMode.ServerConfirm;
+        options.Application.ClientUrl = null;
+        options.Application.ConfirmEmailFormPath = null!;
+        options.Application.ResetPasswordFormPath = null!;
+
+        var result = Validate(options);
+
+        Assert.False(result.Failed);
+    }
+
+    // ---------------------------------------------------------------------------
+    // Rule 4 — DefaultTenantIdentifier must not be null or empty (const guard)
+    // ---------------------------------------------------------------------------
+
+    [Fact]
+    public void Validate_Succeeds_BecauseDefaultTenantIdentifierConstIsNeverNullOrEmpty()
+    {
+        // MultiTenantOptions.DefaultTenantIdentifier is a compile-time constant.
+        // The validator checks it defensively; this test documents that the
+        // constant is correctly set and the rule never fails under normal usage.
+        var result = Validate(ValidOptions());
+
+        Assert.False(result.Failed);
+        Assert.False(string.IsNullOrWhiteSpace(MultiTenantOptions.DefaultTenantIdentifier));
+    }
+
+    // ---------------------------------------------------------------------------
+    // Rule 5 — DefaultTenantName must not be null or empty
+    // ---------------------------------------------------------------------------
+
+    [Fact]
+    public void Validate_Fails_WhenDefaultTenantNameIsNull()
+    {
+        var options = ValidOptions();
+        options.MultiTenant.DefaultTenantName = null!;
+
+        var result = Validate(options);
+
+        Assert.True(result.Failed);
+        Assert.Contains(result.Failures!, f => f.Contains(nameof(MultiTenantOptions.DefaultTenantName)));
+    }
+
+    [Fact]
+    public void Validate_Fails_WhenDefaultTenantNameIsEmpty()
+    {
+        var options = ValidOptions();
+        options.MultiTenant.DefaultTenantName = string.Empty;
+
+        var result = Validate(options);
+
+        Assert.True(result.Failed);
+        Assert.Contains(result.Failures!, f => f.Contains(nameof(MultiTenantOptions.DefaultTenantName)));
+    }
+
+    [Fact]
+    public void Validate_Fails_WhenDefaultTenantNameIsWhitespace()
+    {
+        var options = ValidOptions();
+        options.MultiTenant.DefaultTenantName = "   ";
+
+        var result = Validate(options);
+
+        Assert.True(result.Failed);
+        Assert.Contains(result.Failures!, f => f.Contains(nameof(MultiTenantOptions.DefaultTenantName)));
+    }
+
+    [Fact]
+    public void Validate_Succeeds_WhenDefaultTenantNameHasValue()
+    {
+        var options = ValidOptions();
+        options.MultiTenant.DefaultTenantName = "My System Tenant";
+
+        var result = Validate(options);
+
+        Assert.False(result.Failed);
+    }
+
+    // ---------------------------------------------------------------------------
+    // Rule 6 — At least one strategy must be configured
+    // ---------------------------------------------------------------------------
+
+    [Fact]
+    public void Validate_Fails_WhenStrategiesIsEmpty()
+    {
+        var options = ValidOptions();
+        options.MultiTenant.Strategies = [];
+
+        var result = Validate(options);
+
+        Assert.True(result.Failed);
+        Assert.Contains(result.Failures!, f => f.Contains(nameof(MultiTenantOptions.Strategies)));
+    }
+
+    [Fact]
+    public void Validate_Succeeds_WhenSingleStrategyConfigured()
+    {
+        var options = ValidOptions();
+        options.MultiTenant.Strategies = [IdmtMultiTenantStrategy.Claim];
+
+        var result = Validate(options);
+
+        Assert.False(result.Failed);
+    }
+
+    [Fact]
+    public void Validate_Succeeds_WhenMultipleStrategiesConfigured()
+    {
+        var options = ValidOptions();
+        options.MultiTenant.Strategies =
+        [
+            IdmtMultiTenantStrategy.Header,
+            IdmtMultiTenantStrategy.Claim,
+            IdmtMultiTenantStrategy.Route
+        ];
+
+        var result = Validate(options);
+
+        Assert.False(result.Failed);
+    }
+
+    // ---------------------------------------------------------------------------
+    // Multiple failures — all violations are reported in a single pass
+    // ---------------------------------------------------------------------------
+
+    [Fact]
+    public void Validate_ReportsAllFailures_WhenMultipleRulesAreViolated()
+    {
+        var options = new IdmtOptions
+        {
+            Application = new ApplicationOptions
+            {
+                ApiPrefix = null!,
+                EmailConfirmationMode = EmailConfirmationMode.ClientForm,
+                ClientUrl = null          // violates rule 2
+                                          // form paths are null but not checked because ClientUrl is null
+            },
+            MultiTenant = new MultiTenantOptions
+            {
+                DefaultTenantName = string.Empty,  // violates rule 5
+                Strategies = []                    // violates rule 6
+            }
+        };
+
+        var result = Validate(options);
+
+        Assert.True(result.Failed);
+
+        var failures = result.Failures!.ToList();
+
+        // Rule 1: ApiPrefix is null
+        Assert.Contains(failures, f => f.Contains(nameof(ApplicationOptions.ApiPrefix)));
+        // Rule 2: ClientUrl missing for ClientForm mode
+        Assert.Contains(failures, f => f.Contains(nameof(ApplicationOptions.ClientUrl)));
+        // Rule 5: DefaultTenantName is empty
+        Assert.Contains(failures, f => f.Contains(nameof(MultiTenantOptions.DefaultTenantName)));
+        // Rule 6: no strategies
+        Assert.Contains(failures, f => f.Contains(nameof(MultiTenantOptions.Strategies)));
+    }
+
+    // ---------------------------------------------------------------------------
+    // Named-instance validation — validator handles null option name gracefully
+    // ---------------------------------------------------------------------------
+
+    [Fact]
+    public void Validate_Succeeds_WhenCalledWithExplicitNamedInstance()
+    {
+        var result = _sut.Validate("CustomName", ValidOptions());
+
+        Assert.False(result.Failed);
+    }
+
+    [Fact]
+    public void Validate_Fails_WithExplicitNamedInstance_WhenRulesAreViolated()
+    {
+        var options = ValidOptions();
+        options.MultiTenant.Strategies = [];
+
+        var result = _sut.Validate("CustomName", options);
+
+        Assert.True(result.Failed);
+    }
+}
diff --git a/src/tests/Idmt.UnitTests/Configuration/RateLimitingOptionsTests.cs b/src/tests/Idmt.UnitTests/Configuration/RateLimitingOptionsTests.cs
new file mode 100644
index 0000000..72fc0b8
--- /dev/null
+++ b/src/tests/Idmt.UnitTests/Configuration/RateLimitingOptionsTests.cs
@@ -0,0 +1,99 @@
+using Idmt.Plugin.Configuration;
+using Idmt.Plugin.Features;
+
+namespace Idmt.UnitTests.Configuration;
+
+public class RateLimitingOptionsTests
+{
+    // ------------------------------------------------------------------
+    // Default values
+    // ------------------------------------------------------------------
+
+    [Fact]
+    public void Enabled_DefaultsToTrue()
+    {
+        var options = new RateLimitingOptions();
+        Assert.True(options.Enabled);
+    }
+
+    [Fact]
+    public void PermitLimit_DefaultsToTen()
+    {
+        var options = new RateLimitingOptions();
+        Assert.Equal(10, options.PermitLimit);
+    }
+
+    [Fact]
+    public void WindowInSeconds_DefaultsToSixty()
+    {
+        var options = new RateLimitingOptions();
+        Assert.Equal(60, options.WindowInSeconds);
+    }
+
+    // ------------------------------------------------------------------
+    // IdmtOptions integration
+    // ------------------------------------------------------------------
+
+    [Fact]
+    public void IdmtOptions_ExposesRateLimitingProperty_WithDefaults()
+    {
+        var idmtOptions = new IdmtOptions();
+
+        Assert.NotNull(idmtOptions.RateLimiting);
+        Assert.True(idmtOptions.RateLimiting.Enabled);
+        Assert.Equal(10, idmtOptions.RateLimiting.PermitLimit);
+        Assert.Equal(60, idmtOptions.RateLimiting.WindowInSeconds);
+    }
+
+    [Fact]
+    public void IdmtOptions_Default_HasRateLimitingEnabled()
+    {
+        var defaults = IdmtOptions.Default;
+
+        Assert.NotNull(defaults.RateLimiting);
+        Assert.True(defaults.RateLimiting.Enabled);
+    }
+
+    // ------------------------------------------------------------------
+    // Custom values round-trip
+    // ------------------------------------------------------------------
+
+    [Fact]
+    public void RateLimitingOptions_CanBeDisabled()
+    {
+        var options = new RateLimitingOptions { Enabled = false };
+        Assert.False(options.Enabled);
+    }
+
+    [Theory]
+    [InlineData(1)]
+    [InlineData(5)]
+    [InlineData(100)]
+    public void RateLimitingOptions_AcceptsCustomPermitLimit(int permitLimit)
+    {
+        var options = new RateLimitingOptions { PermitLimit = permitLimit };
+        Assert.Equal(permitLimit, options.PermitLimit);
+    }
+
+    [Theory]
+    [InlineData(10)]
+    [InlineData(30)]
+    [InlineData(300)]
+    public void RateLimitingOptions_AcceptsCustomWindowInSeconds(int window)
+    {
+        var options = new RateLimitingOptions { WindowInSeconds = window };
+        Assert.Equal(window, options.WindowInSeconds);
+    }
+
+    // ------------------------------------------------------------------
+    // AuthEndpoints policy name constant
+    // ------------------------------------------------------------------
+
+    [Fact]
+    public void AuthEndpoints_AuthRateLimiterPolicy_IsIdmtAuth()
+    {
+        // The policy name must match the name registered in AddRateLimiter so that
+        // RequireRateLimiting wires up to the correct limiter at runtime.
+        Assert.Equal("idmt-auth", AuthEndpoints.AuthRateLimiterPolicy);
+    }
+}
diff --git a/src/tests/Idmt.UnitTests/Features/Admin/CreateTenantHandlerTests.cs b/src/tests/Idmt.UnitTests/Features/Admin/CreateTenantHandlerTests.cs
new file mode 100644
index 0000000..7b28b31
--- /dev/null
+++ b/src/tests/Idmt.UnitTests/Features/Admin/CreateTenantHandlerTests.cs
@@ -0,0 +1,221 @@
+using ErrorOr;
+using Finbuckle.MultiTenant.Abstractions;
+using Idmt.Plugin.Configuration;
+using Idmt.Plugin.Errors;
+using Idmt.Plugin.Features.Admin;
+using Idmt.Plugin.Models;
+using Idmt.Plugin.Services;
+using Microsoft.Extensions.Logging.Abstractions;
+using Microsoft.Extensions.Options;
+using Moq;
+
+namespace Idmt.UnitTests.Features.Admin;
+
+public class CreateTenantHandlerTests
+{
+    private readonly Mock<IMultiTenantStore<IdmtTenantInfo>> _tenantStoreMock;
+    private readonly Mock<ITenantOperationService> _tenantOpsMock;
+    private readonly IOptions<IdmtOptions> _options;
+    private readonly CreateTenant.CreateTenantHandler _handler;
+
+    public CreateTenantHandlerTests()
+    {
+        _tenantStoreMock = new Mock<IMultiTenantStore<IdmtTenantInfo>>();
+        _tenantOpsMock = new Mock<ITenantOperationService>();
+        _options = Options.Create(new IdmtOptions());
+
+        _handler = new CreateTenant.CreateTenantHandler(
+            _tenantStoreMock.Object,
+            _tenantOpsMock.Object,
+            _options,
+            NullLogger<CreateTenant.CreateTenantHandler>.Instance);
+    }
+
+    private void SetupRoleSeedSuccess()
+    {
+        _tenantOpsMock
+            .Setup(x => x.ExecuteInTenantScopeAsync(
+                It.IsAny<string>(),
+                It.IsAny<Func<IServiceProvider, Task<ErrorOr<Success>>>>(),
+                It.IsAny<bool>()))
+            .ReturnsAsync(Result.Success);
+    }
+
+    private void SetupRoleSeedFailure()
+    {
+        _tenantOpsMock
+            .Setup(x => x.ExecuteInTenantScopeAsync(
+                It.IsAny<string>(),
+                It.IsAny<Func<IServiceProvider, Task<ErrorOr<Success>>>>(),
+                It.IsAny<bool>()))
+            .ReturnsAsync(IdmtErrors.Tenant.RoleSeedFailed);
+    }
+
+    [Fact]
+    public async Task ReactivatesInactiveTenant_AndReturnsExistingId()
+    {
+        // Arrange
+        var existingTenant = new IdmtTenantInfo("existing-id", "test-tenant", "Test Tenant") { IsActive = false };
+
+        _tenantStoreMock
+            .Setup(x => x.GetByIdentifierAsync("test-tenant"))
+            .ReturnsAsync(existingTenant);
+
+        _tenantStoreMock
+            .Setup(x => x.UpdateAsync(It.Is<IdmtTenantInfo>(t => t.IsActive && t.Id == "existing-id")))
+            .ReturnsAsync(true);
+
+        SetupRoleSeedSuccess();
+
+        var request = new CreateTenant.CreateTenantRequest("test-tenant", "Test Tenant");
+
+        // Act
+        var result = await _handler.HandleAsync(request);
+
+        // Assert
+        Assert.False(result.IsError);
+        Assert.Equal("existing-id", result.Value.Id);
+        Assert.Equal("test-tenant", result.Value.Identifier);
+
+        _tenantStoreMock.Verify(
+            x => x.UpdateAsync(It.Is<IdmtTenantInfo>(t => t.IsActive && t.Id == "existing-id")),
+            Times.Once);
+
+        _tenantStoreMock.Verify(x => x.AddAsync(It.IsAny<IdmtTenantInfo>()), Times.Never);
+    }
+
+    [Fact]
+    public async Task ReturnsCreationFailed_WhenStoreAddFails()
+    {
+        // Arrange
+        _tenantStoreMock
+            .Setup(x => x.GetByIdentifierAsync("new-tenant"))
+            .ReturnsAsync((IdmtTenantInfo?)null);
+
+        _tenantStoreMock
+            .Setup(x => x.AddAsync(It.IsAny<IdmtTenantInfo>()))
+            .ReturnsAsync(false);
+
+        var request = new CreateTenant.CreateTenantRequest("new-tenant", "New Tenant");
+
+        // Act
+        var result = await _handler.HandleAsync(request);
+
+        // Assert
+        Assert.True(result.IsError);
+        Assert.Equal("Tenant.CreationFailed", result.FirstError.Code);
+    }
+
+    [Fact]
+    public async Task ReturnsUpdateFailed_WhenReactivationUpdateFails()
+    {
+        // Arrange
+        var inactiveTenant = new IdmtTenantInfo("tid", "inactive-tenant", "Inactive") { IsActive = false };
+
+        _tenantStoreMock
+            .Setup(x => x.GetByIdentifierAsync("inactive-tenant"))
+            .ReturnsAsync(inactiveTenant);
+
+        _tenantStoreMock
+            .Setup(x => x.UpdateAsync(It.IsAny<IdmtTenantInfo>()))
+            .ReturnsAsync(false);
+
+        var request = new CreateTenant.CreateTenantRequest("inactive-tenant", "Inactive");
+
+        // Act
+        var result = await _handler.HandleAsync(request);
+
+        // Assert
+        Assert.True(result.IsError);
+        Assert.Equal("Tenant.UpdateFailed", result.FirstError.Code);
+    }
+
+    [Fact]
+    public async Task ReturnsRoleSeedFailed_WhenRoleCreationFails()
+    {
+        // Arrange
+        _tenantStoreMock
+            .Setup(x => x.GetByIdentifierAsync("new-tenant"))
+            .ReturnsAsync((IdmtTenantInfo?)null);
+
+        _tenantStoreMock
+            .Setup(x => x.AddAsync(It.IsAny<IdmtTenantInfo>()))
+            .ReturnsAsync(true);
+
+        SetupRoleSeedFailure();
+
+        var request = new CreateTenant.CreateTenantRequest("new-tenant", "New Tenant");
+
+        // Act
+        var result = await _handler.HandleAsync(request);
+
+        // Assert
+        Assert.True(result.IsError);
+        Assert.Equal("Tenant.RoleSeedFailed", result.FirstError.Code);
+    }
+
+    [Fact]
+    public async Task SeedsExtraRoles_WhenConfiguredInOptions()
+    {
+        // Arrange
+        var optionsWithExtraRoles = Options.Create(new IdmtOptions
+        {
+            Identity = new IdmtAuthOptions
+            {
+                ExtraRoles = ["CustomRole1", "CustomRole2"]
+            }
+        });
+
+        var handler = new CreateTenant.CreateTenantHandler(
+            _tenantStoreMock.Object,
+            _tenantOpsMock.Object,
+            optionsWithExtraRoles,
+            NullLogger<CreateTenant.CreateTenantHandler>.Instance);
+
+        _tenantStoreMock
+            .Setup(x => x.GetByIdentifierAsync("new-tenant"))
+            .ReturnsAsync((IdmtTenantInfo?)null);
+
+        _tenantStoreMock
+            .Setup(x => x.AddAsync(It.IsAny<IdmtTenantInfo>()))
+            .ReturnsAsync(true);
+
+        // Capture the callback to verify roles passed
+        Func<IServiceProvider, Task<ErrorOr<Success>>>? capturedOperation = null;
+        _tenantOpsMock
+            .Setup(x => x.ExecuteInTenantScopeAsync(
+                It.IsAny<string>(),
+                It.IsAny<Func<IServiceProvider, Task<ErrorOr<Success>>>>(),
+                It.IsAny<bool>()))
+            .Callback<string, Func<IServiceProvider, Task<ErrorOr<Success>>>, bool>((_, op, _) => capturedOperation = op)
+            .ReturnsAsync(Result.Success);
+
+        var request = new CreateTenant.CreateTenantRequest("new-tenant", "New Tenant");
+
+        // Act
+        var result = await handler.HandleAsync(request);
+
+        // Assert
+        Assert.False(result.IsError);
+        Assert.NotNull(capturedOperation);
+
+        // Verify the tenant operation was called with requireActive: false
+        _tenantOpsMock.Verify(
+            x => x.ExecuteInTenantScopeAsync(
+                "new-tenant",
+                It.IsAny<Func<IServiceProvider, Task<ErrorOr<Success>>>>(),
+                false),
+            Times.Once);
+
+        // Verify that the operation was invoked, confirming the handler proceeded with role seeding.
+        // The extra roles (CustomRole1, CustomRole2) are combined with DefaultRoles inside the handler's
+        // GuaranteeTenantRolesAsync method. The fact that the operation was called with the tenant scope
+        // confirms the role seeding path was executed.
+        _tenantOpsMock.Verify(
+            x => x.ExecuteInTenantScopeAsync(
+                It.IsAny<string>(),
+                It.IsAny<Func<IServiceProvider, Task<ErrorOr<Success>>>>(),
+                It.IsAny<bool>()),
+            Times.Once);
+    }
+}
diff --git a/src/tests/Idmt.UnitTests/Features/Admin/DeleteTenantHandlerTests.cs b/src/tests/Idmt.UnitTests/Features/Admin/DeleteTenantHandlerTests.cs
new file mode 100644
index 0000000..f399d64
--- /dev/null
+++ b/src/tests/Idmt.UnitTests/Features/Admin/DeleteTenantHandlerTests.cs
@@ -0,0 +1,90 @@
+using Finbuckle.MultiTenant.Abstractions;
+using Idmt.Plugin.Configuration;
+using Idmt.Plugin.Features.Admin;
+using Idmt.Plugin.Models;
+using Microsoft.Extensions.Logging.Abstractions;
+using Moq;
+
+namespace Idmt.UnitTests.Features.Admin;
+
+public class DeleteTenantHandlerTests
+{
+    private readonly Mock<IMultiTenantStore<IdmtTenantInfo>> _tenantStoreMock;
+    private readonly DeleteTenant.DeleteTenantHandler _handler;
+
+    public DeleteTenantHandlerTests()
+    {
+        _tenantStoreMock = new Mock<IMultiTenantStore<IdmtTenantInfo>>();
+
+        _handler = new DeleteTenant.DeleteTenantHandler(
+            _tenantStoreMock.Object,
+            NullLogger<DeleteTenant.DeleteTenantHandler>.Instance);
+    }
+
+    [Fact]
+    public async Task ReturnsCannotDeleteDefault_WhenDeletingDefaultTenant()
+    {
+        // Act
+        var result = await _handler.HandleAsync(MultiTenantOptions.DefaultTenantIdentifier);
+
+        // Assert
+        Assert.True(result.IsError);
+        Assert.Equal("Tenant.CannotDeleteDefault", result.FirstError.Code);
+
+        // Store should never be called
+        _tenantStoreMock.Verify(x => x.GetByIdentifierAsync(It.IsAny<string>()), Times.Never);
+    }
+
+    [Theory]
+    [InlineData("System-Tenant")]
+    [InlineData("SYSTEM-TENANT")]
+    [InlineData("system-TENANT")]
+    [InlineData("System-tenant")]
+    public async Task ReturnsCannotDeleteDefault_ForCaseVariants(string identifier)
+    {
+        // Act
+        var result = await _handler.HandleAsync(identifier);
+
+        // Assert
+        Assert.True(result.IsError);
+        Assert.Equal("Tenant.CannotDeleteDefault", result.FirstError.Code);
+    }
+
+    [Fact]
+    public async Task ReturnsNotFound_WhenTenantDoesNotExist()
+    {
+        // Arrange
+        _tenantStoreMock
+            .Setup(x => x.GetByIdentifierAsync("nonexistent"))
+            .ReturnsAsync((IdmtTenantInfo?)null);
+
+        // Act
+        var result = await _handler.HandleAsync("nonexistent");
+
+        // Assert
+        Assert.True(result.IsError);
+        Assert.Equal("Tenant.NotFound", result.FirstError.Code);
+    }
+
+    [Fact]
+    public async Task ReturnsDeletionFailed_WhenUpdateFails()
+    {
+        // Arrange
+        var tenant = new IdmtTenantInfo("tid", "my-tenant", "My Tenant") { IsActive = true };
+
+        _tenantStoreMock
+            .Setup(x => x.GetByIdentifierAsync("my-tenant"))
+            .ReturnsAsync(tenant);
+
+        _tenantStoreMock
+            .Setup(x => x.UpdateAsync(It.Is<IdmtTenantInfo>(t => !t.IsActive)))
+            .ReturnsAsync(false);
+
+        // Act
+        var result = await _handler.HandleAsync("my-tenant");
+
+        // Assert
+        Assert.True(result.IsError);
+        Assert.Equal("Tenant.DeletionFailed", result.FirstError.Code);
+    }
+}
diff --git a/src/tests/Idmt.UnitTests/Features/Admin/GetAllTenantsHandlerTests.cs b/src/tests/Idmt.UnitTests/Features/Admin/GetAllTenantsHandlerTests.cs
new file mode 100644
index 0000000..f5c9a32
--- /dev/null
+++ b/src/tests/Idmt.UnitTests/Features/Admin/GetAllTenantsHandlerTests.cs
@@ -0,0 +1,144 @@
+using Finbuckle.MultiTenant.Abstractions;
+using Idmt.Plugin.Configuration;
+using Idmt.Plugin.Features.Admin;
+using Idmt.Plugin.Models;
+using Idmt.Plugin.Persistence;
+using Idmt.Plugin.Services;
+using Microsoft.EntityFrameworkCore;
+using Microsoft.Extensions.Logging.Abstractions;
+using Moq;
+
+namespace Idmt.UnitTests.Features.Admin;
+
+public class GetAllTenantsHandlerTests : IDisposable
+{
+    private readonly IdmtDbContext _dbContext;
+    private readonly GetAllTenants.GetAllTenantsHandler _handler;
+
+    public GetAllTenantsHandlerTests()
+    {
+        var tenantAccessorMock = new Mock<IMultiTenantContextAccessor>();
+        var currentUserServiceMock = new Mock<ICurrentUserService>();
+
+        var dummyTenant = new IdmtTenantInfo("sys-id", "system-test", "System Test");
+        var dummyContext = new MultiTenantContext<IdmtTenantInfo>(dummyTenant);
+        tenantAccessorMock.SetupGet(x => x.MultiTenantContext).Returns(dummyContext);
+
+        var options = new DbContextOptionsBuilder<IdmtDbContext>()
+            .UseInMemoryDatabase(databaseName: Guid.NewGuid().ToString())
+            .Options;
+
+        _dbContext = new IdmtDbContext(
+            tenantAccessorMock.Object,
+            options,
+            currentUserServiceMock.Object,
+            TimeProvider.System,
+            NullLogger<IdmtDbContext>.Instance);
+
+        _handler = new GetAllTenants.GetAllTenantsHandler(
+            _dbContext,
+            NullLogger<GetAllTenants.GetAllTenantsHandler>.Instance);
+    }
+
+    [Fact]
+    public async Task ExcludesDefaultTenant_FromResults()
+    {
+        // Arrange
+        _dbContext.Set<IdmtTenantInfo>().AddRange(
+            new IdmtTenantInfo("id1", MultiTenantOptions.DefaultTenantIdentifier, "System Tenant"),
+            new IdmtTenantInfo("id2", "tenant-a", "Tenant A"),
+            new IdmtTenantInfo("id3", "tenant-b", "Tenant B"));
+        await _dbContext.SaveChangesAsync();
+
+        // Act
+        var result = await _handler.HandleAsync(page: 1, pageSize: 100);
+
+        // Assert
+        Assert.False(result.IsError);
+        Assert.Equal(2, result.Value.TotalCount);
+        Assert.DoesNotContain(result.Value.Items, t => t.Identifier == MultiTenantOptions.DefaultTenantIdentifier);
+    }
+
+    [Fact]
+    public async Task ReturnsTenantsOrderedByName()
+    {
+        // Arrange
+        _dbContext.Set<IdmtTenantInfo>().AddRange(
+            new IdmtTenantInfo("id1", "tenant-z", "Zebra Corp"),
+            new IdmtTenantInfo("id2", "tenant-a", "Alpha Inc"),
+            new IdmtTenantInfo("id3", "tenant-m", "Midway LLC"));
+        await _dbContext.SaveChangesAsync();
+
+        // Act
+        var result = await _handler.HandleAsync(page: 1, pageSize: 100);
+
+        // Assert
+        Assert.False(result.IsError);
+        Assert.Equal(3, result.Value.TotalCount);
+        Assert.Equal("Alpha Inc", result.Value.Items[0].Name);
+        Assert.Equal("Midway LLC", result.Value.Items[1].Name);
+        Assert.Equal("Zebra Corp", result.Value.Items[2].Name);
+    }
+
+    [Fact]
+    public async Task Pagination_ReturnsCorrectPage_AndHasMore()
+    {
+        // Arrange — seed 5 tenants (names chosen so ordering is predictable: A–E)
+        _dbContext.Set<IdmtTenantInfo>().AddRange(
+            new IdmtTenantInfo("id1", "tenant-a", "Tenant A"),
+            new IdmtTenantInfo("id2", "tenant-b", "Tenant B"),
+            new IdmtTenantInfo("id3", "tenant-c", "Tenant C"),
+            new IdmtTenantInfo("id4", "tenant-d", "Tenant D"),
+            new IdmtTenantInfo("id5", "tenant-e", "Tenant E"));
+        await _dbContext.SaveChangesAsync();
+
+        // Act — request page 2 with page size 2
+        var result = await _handler.HandleAsync(page: 2, pageSize: 2);
+
+        // Assert
+        Assert.False(result.IsError);
+        Assert.Equal(5, result.Value.TotalCount);
+        Assert.Equal(2, result.Value.Items.Count);
+        Assert.Equal("Tenant C", result.Value.Items[0].Name); // 3rd overall
+        Assert.Equal("Tenant D", result.Value.Items[1].Name); // 4th overall
+        Assert.True(result.Value.HasMore);                    // "Tenant E" remains
+    }
+
+    [Fact]
+    public async Task LastPage_HasMore_IsFalse()
+    {
+        // Arrange
+        _dbContext.Set<IdmtTenantInfo>().AddRange(
+            new IdmtTenantInfo("id1", "tenant-a", "Tenant A"),
+            new IdmtTenantInfo("id2", "tenant-b", "Tenant B"),
+            new IdmtTenantInfo("id3", "tenant-c", "Tenant C"));
+        await _dbContext.SaveChangesAsync();
+
+        // Act — page size exactly matches total count
+        var result = await _handler.HandleAsync(page: 1, pageSize: 3);
+
+        // Assert
+        Assert.False(result.IsError);
+        Assert.Equal(3, result.Value.TotalCount);
+        Assert.Equal(3, result.Value.Items.Count);
+        Assert.False(result.Value.HasMore);
+    }
+
+    [Fact]
+    public async Task EmptyStore_ReturnsEmptyPage()
+    {
+        // No data seeded.
+
+        var result = await _handler.HandleAsync(page: 1, pageSize: 25);
+
+        Assert.False(result.IsError);
+        Assert.Equal(0, result.Value.TotalCount);
+        Assert.Empty(result.Value.Items);
+        Assert.False(result.Value.HasMore);
+    }
+
+    public void Dispose()
+    {
+        _dbContext.Dispose();
+    }
+}
diff --git a/src/tests/Idmt.UnitTests/Features/Admin/GetUserTenantsHandlerTests.cs b/src/tests/Idmt.UnitTests/Features/Admin/GetUserTenantsHandlerTests.cs
new file mode 100644
index 0000000..184be66
--- /dev/null
+++ b/src/tests/Idmt.UnitTests/Features/Admin/GetUserTenantsHandlerTests.cs
@@ -0,0 +1,107 @@
+using Finbuckle.MultiTenant.Abstractions;
+using Idmt.Plugin.Features.Admin;
+using Idmt.Plugin.Models;
+using Idmt.Plugin.Persistence;
+using Idmt.Plugin.Services;
+using Microsoft.EntityFrameworkCore;
+using Microsoft.Extensions.Logging.Abstractions;
+using Microsoft.Extensions.Time.Testing;
+using Moq;
+
+namespace Idmt.UnitTests.Features.Admin;
+
+public class GetUserTenantsHandlerTests : IDisposable
+{
+    private readonly IdmtDbContext _dbContext;
+    private readonly FakeTimeProvider _timeProvider;
+    private readonly GetUserTenants.GetUserTenantsHandler _handler;
+
+    public GetUserTenantsHandlerTests()
+    {
+        var tenantAccessorMock = new Mock<IMultiTenantContextAccessor>();
+        var currentUserServiceMock = new Mock<ICurrentUserService>();
+
+        var dummyTenant = new IdmtTenantInfo("sys-id", "system-test", "System Test");
+        var dummyContext = new MultiTenantContext<IdmtTenantInfo>(dummyTenant);
+        tenantAccessorMock.SetupGet(x => x.MultiTenantContext).Returns(dummyContext);
+
+        var options = new DbContextOptionsBuilder<IdmtDbContext>()
+            .UseInMemoryDatabase(databaseName: Guid.NewGuid().ToString())
+            .Options;
+
+        _dbContext = new IdmtDbContext(
+            tenantAccessorMock.Object,
+            options,
+            currentUserServiceMock.Object,
+            TimeProvider.System,
+            NullLogger<IdmtDbContext>.Instance);
+
+        _timeProvider = new FakeTimeProvider(new DateTimeOffset(2026, 3, 4, 12, 0, 0, TimeSpan.Zero));
+
+        _handler = new GetUserTenants.GetUserTenantsHandler(
+            _dbContext,
+            _timeProvider,
+            NullLogger<GetUserTenants.GetUserTenantsHandler>.Instance);
+    }
+
+    [Fact]
+    public async Task ExcludesExpiredAccess_FromResults()
+    {
+        // Arrange
+        var userId = Guid.NewGuid();
+        var tenantId = "tenant-1";
+
+        // Seed a tenant
+        _dbContext.Set<IdmtTenantInfo>().Add(
+            new IdmtTenantInfo(tenantId, "active-tenant", "Active Tenant"));
+
+        // Seed an expired access record
+        _dbContext.TenantAccess.Add(new TenantAccess
+        {
+            UserId = userId,
+            TenantId = tenantId,
+            IsActive = true,
+            ExpiresAt = new DateTime(2026, 3, 3, 0, 0, 0, DateTimeKind.Utc) // yesterday
+        });
+        await _dbContext.SaveChangesAsync();
+
+        // Act
+        var result = await _handler.HandleAsync(userId, 1, 10);
+
+        // Assert
+        Assert.False(result.IsError);
+        Assert.Equal(0, result.Value.TotalCount);
+    }
+
+    [Fact]
+    public async Task ExcludesInactiveAccess_FromResults()
+    {
+        // Arrange
+        var userId = Guid.NewGuid();
+        var tenantId = "tenant-2";
+
+        _dbContext.Set<IdmtTenantInfo>().Add(
+            new IdmtTenantInfo(tenantId, "some-tenant", "Some Tenant"));
+
+        _dbContext.TenantAccess.Add(new TenantAccess
+        {
+            UserId = userId,
+            TenantId = tenantId,
+            IsActive = false,
+            ExpiresAt = null
+        });
+        await _dbContext.SaveChangesAsync();
+
+        // Act
+        var result = await _handler.HandleAsync(userId, 1, 10);
+
+        // Assert
+        Assert.False(result.IsError);
+        Assert.Equal(0, result.Value.TotalCount);
+    }
+
+    public void Dispose()
+    {
+        _dbContext.Dispose();
+    }
+}
diff --git a/src/tests/Idmt.UnitTests/Features/Admin/GrantTenantAccessHandlerTests.cs b/src/tests/Idmt.UnitTests/Features/Admin/GrantTenantAccessHandlerTests.cs
new file mode 100644
index 0000000..33dc9f7
--- /dev/null
+++ b/src/tests/Idmt.UnitTests/Features/Admin/GrantTenantAccessHandlerTests.cs
@@ -0,0 +1,346 @@
+using ErrorOr;
+using Finbuckle.MultiTenant.Abstractions;
+using Idmt.Plugin.Features.Admin;
+using Idmt.Plugin.Models;
+using Idmt.Plugin.Persistence;
+using Idmt.Plugin.Services;
+using Microsoft.AspNetCore.Identity;
+using Microsoft.EntityFrameworkCore;
+using Microsoft.Extensions.Logging;
+using Microsoft.Extensions.Logging.Abstractions;
+using Microsoft.Extensions.Time.Testing;
+using Moq;
+
+namespace Idmt.UnitTests.Features.Admin;
+
+public class GrantTenantAccessHandlerTests : IDisposable
+{
+    private readonly Mock<ITenantOperationService> _tenantOpsMock;
+    private readonly FakeTimeProvider _timeProvider;
+    private readonly IdmtDbContext _dbContext;
+    private readonly Mock<IMultiTenantStore<IdmtTenantInfo>> _tenantStoreMock;
+    private readonly Mock<UserManager<IdmtUser>> _userManagerMock;
+    private readonly GrantTenantAccess.GrantTenantAccessHandler _handler;
+
+    public GrantTenantAccessHandlerTests()
+    {
+        _tenantOpsMock = new Mock<ITenantOperationService>();
+        _timeProvider = new FakeTimeProvider(new DateTimeOffset(2026, 3, 4, 12, 0, 0, TimeSpan.Zero));
+
+        // Set up InMemory DbContext
+        var tenantAccessorMock = new Mock<IMultiTenantContextAccessor>();
+        var currentUserServiceMock = new Mock<ICurrentUserService>();
+        var dummyTenant = new IdmtTenantInfo("sys-id", "system-test", "System Test");
+        var dummyContext = new MultiTenantContext<IdmtTenantInfo>(dummyTenant);
+        tenantAccessorMock.SetupGet(x => x.MultiTenantContext).Returns(dummyContext);
+
+        var dbOptions = new DbContextOptionsBuilder<IdmtDbContext>()
+            .UseInMemoryDatabase(databaseName: Guid.NewGuid().ToString())
+            .Options;
+
+        _dbContext = new IdmtDbContext(
+            tenantAccessorMock.Object,
+            dbOptions,
+            currentUserServiceMock.Object,
+            TimeProvider.System,
+            NullLogger<IdmtDbContext>.Instance);
+
+        _tenantStoreMock = new Mock<IMultiTenantStore<IdmtTenantInfo>>();
+
+        var userStoreMock = new Mock<IUserStore<IdmtUser>>();
+        _userManagerMock = new Mock<UserManager<IdmtUser>>(
+            userStoreMock.Object, null!, null!, null!, null!, null!, null!, null!, null!);
+
+        // Issue 19 fix: inject dependencies directly — no IServiceProvider wrapper required.
+        _handler = new GrantTenantAccess.GrantTenantAccessHandler(
+            _dbContext,
+            _userManagerMock.Object,
+            _tenantStoreMock.Object,
+            _tenantOpsMock.Object,
+            _timeProvider,
+            NullLogger<GrantTenantAccess.GrantTenantAccessHandler>.Instance);
+    }
+
+    [Fact]
+    public async Task ReturnsValidationError_WhenExpiresAtIsInPast()
+    {
+        // Arrange - time is 2026-03-04 12:00 UTC; expiration is yesterday
+        var pastDate = new DateTimeOffset(2026, 3, 3, 0, 0, 0, TimeSpan.Zero);
+
+        // Act
+        var result = await _handler.HandleAsync(Guid.NewGuid(), "some-tenant", pastDate);
+
+        // Assert
+        Assert.True(result.IsError);
+        Assert.Equal(ErrorType.Validation, result.FirstError.Type);
+        Assert.Equal("ExpiresAt", result.FirstError.Code);
+    }
+
+    [Fact]
+    public async Task ReturnsValidationError_WhenExpiresAtEqualsNow()
+    {
+        // Arrange - exactly the current time (boundary: <= means equal is rejected)
+        var exactNow = _timeProvider.GetUtcNow();
+
+        // Act
+        var result = await _handler.HandleAsync(Guid.NewGuid(), "some-tenant", exactNow);
+
+        // Assert
+        Assert.True(result.IsError);
+        Assert.Equal(ErrorType.Validation, result.FirstError.Type);
+        Assert.Equal("ExpiresAt", result.FirstError.Code);
+    }
+
+    [Fact]
+    public async Task ReturnsUserNotFound_WhenUserDoesNotExist()
+    {
+        // Arrange - no user in DbContext
+        var nonExistentUserId = Guid.NewGuid();
+
+        // Act
+        var result = await _handler.HandleAsync(nonExistentUserId, "some-tenant");
+
+        // Assert
+        Assert.True(result.IsError);
+        Assert.Equal("User.NotFound", result.FirstError.Code);
+    }
+
+    [Fact]
+    public async Task ReturnsTenantInactive_WhenTargetTenantIsInactive()
+    {
+        // Arrange
+        var userId = Guid.NewGuid();
+        _dbContext.Users.Add(new IdmtUser
+        {
+            Id = userId,
+            UserName = "testuser",
+            Email = "test@test.com",
+            TenantId = "sys-id"
+        });
+        await _dbContext.SaveChangesAsync();
+
+        var inactiveTenant = new IdmtTenantInfo("tid", "inactive-tenant", "Inactive") { IsActive = false };
+        _tenantStoreMock
+            .Setup(x => x.GetByIdentifierAsync("inactive-tenant"))
+            .ReturnsAsync(inactiveTenant);
+
+        // Act
+        var result = await _handler.HandleAsync(userId, "inactive-tenant");
+
+        // Assert
+        Assert.True(result.IsError);
+        Assert.Equal("Tenant.Inactive", result.FirstError.Code);
+    }
+
+    [Fact]
+    public async Task ReturnsNoRolesAssigned_WhenUserHasNoRoles()
+    {
+        // Arrange
+        var userId = Guid.NewGuid();
+        _dbContext.Users.Add(new IdmtUser
+        {
+            Id = userId,
+            UserName = "noroles",
+            Email = "noroles@test.com",
+            TenantId = "sys-id"
+        });
+        await _dbContext.SaveChangesAsync();
+
+        var activeTenant = new IdmtTenantInfo("tid", "active-tenant", "Active") { IsActive = true };
+        _tenantStoreMock
+            .Setup(x => x.GetByIdentifierAsync("active-tenant"))
+            .ReturnsAsync(activeTenant);
+
+        _userManagerMock
+            .Setup(x => x.GetRolesAsync(It.IsAny<IdmtUser>()))
+            .ReturnsAsync(new List<string>());
+
+        // Act
+        var result = await _handler.HandleAsync(userId, "active-tenant");
+
+        // Assert
+        Assert.True(result.IsError);
+        Assert.Equal("User.NoRolesAssigned", result.FirstError.Code);
+    }
+
+    [Fact]
+    public async Task ReactivatesExistingAccess_WhenRecordAlreadyExists()
+    {
+        // Arrange
+        var userId = Guid.NewGuid();
+        var tenantId = "target-tid";
+
+        _dbContext.Users.Add(new IdmtUser
+        {
+            Id = userId,
+            UserName = "existinguser",
+            Email = "existing@test.com",
+            TenantId = "sys-id"
+        });
+
+        // Pre-existing inactive access record
+        _dbContext.TenantAccess.Add(new TenantAccess
+        {
+            UserId = userId,
+            TenantId = tenantId,
+            IsActive = false,
+            ExpiresAt = null
+        });
+        await _dbContext.SaveChangesAsync();
+
+        var activeTenant = new IdmtTenantInfo(tenantId, "target-tenant", "Target") { IsActive = true };
+        _tenantStoreMock
+            .Setup(x => x.GetByIdentifierAsync("target-tenant"))
+            .ReturnsAsync(activeTenant);
+
+        _userManagerMock
+            .Setup(x => x.GetRolesAsync(It.IsAny<IdmtUser>()))
+            .ReturnsAsync(new List<string> { "SysAdmin" });
+
+        var futureExpiry = new DateTimeOffset(2026, 12, 31, 0, 0, 0, TimeSpan.Zero);
+
+        _tenantOpsMock
+            .Setup(x => x.ExecuteInTenantScopeAsync(
+                "target-tenant",
+                It.IsAny<Func<IServiceProvider, Task<ErrorOr<Success>>>>(),
+                It.IsAny<bool>()))
+            .ReturnsAsync(Result.Success);
+
+        // Act
+        var result = await _handler.HandleAsync(userId, "target-tenant", futureExpiry);
+
+        // Assert
+        Assert.False(result.IsError);
+
+        // Verify the access record was reactivated with new expiry
+        var access = await _dbContext.TenantAccess
+            .FirstOrDefaultAsync(ta => ta.UserId == userId && ta.TenantId == tenantId);
+
+        Assert.NotNull(access);
+        Assert.True(access.IsActive);
+        Assert.Equal(futureExpiry, access.ExpiresAt);
+    }
+
+    [Fact]
+    public async Task ReturnsAccessError_AndExecutesCompensatingAction_WhenSaveChangesFails()
+    {
+        // Arrange — build a completely separate handler whose DbContext throws on SaveChangesAsync.
+        // We share an InMemory database name so the seed context and the throwing context see the same data.
+
+        var tenantAccessorMock = new Mock<IMultiTenantContextAccessor>();
+        var currentUserServiceMock = new Mock<ICurrentUserService>();
+        var dummyTenant = new IdmtTenantInfo("sys-id", "system-test", "System Test");
+        var dummyContext = new MultiTenantContext<IdmtTenantInfo>(dummyTenant);
+        tenantAccessorMock.SetupGet(x => x.MultiTenantContext).Returns(dummyContext);
+
+        var sharedDbName = Guid.NewGuid().ToString();
+        var dbOptions = new DbContextOptionsBuilder<IdmtDbContext>()
+            .UseInMemoryDatabase(databaseName: sharedDbName)
+            .Options;
+
+        // Seed a user in a normal (non-throwing) context
+        var userId = Guid.NewGuid();
+        using (var seedContext = new IdmtDbContext(
+            tenantAccessorMock.Object, dbOptions,
+            currentUserServiceMock.Object, TimeProvider.System,
+            NullLogger<IdmtDbContext>.Instance))
+        {
+            seedContext.Users.Add(new IdmtUser
+            {
+                Id = userId,
+                UserName = "compuser",
+                Email = "comp@test.com",
+                TenantId = "sys-id"
+            });
+            await seedContext.SaveChangesAsync();
+        }
+
+        // Create the throwing DbContext that shares the same InMemory database
+        var throwingContext = new ThrowOnSaveDbContext(
+            tenantAccessorMock.Object,
+            new DbContextOptionsBuilder<ThrowOnSaveDbContext>()
+                .UseInMemoryDatabase(databaseName: sharedDbName)
+                .Options,
+            currentUserServiceMock.Object,
+            TimeProvider.System,
+            NullLogger<IdmtDbContext>.Instance);
+
+        // Set up mocks
+        var tenantStoreMock = new Mock<IMultiTenantStore<IdmtTenantInfo>>();
+        var activeTenant = new IdmtTenantInfo("tid", "comp-tenant", "CompTenant") { IsActive = true };
+        tenantStoreMock
+            .Setup(x => x.GetByIdentifierAsync("comp-tenant"))
+            .ReturnsAsync(activeTenant);
+
+        var userStoreMock = new Mock<IUserStore<IdmtUser>>();
+        var userManagerMock = new Mock<UserManager<IdmtUser>>(
+            userStoreMock.Object, null!, null!, null!, null!, null!, null!, null!, null!);
+        userManagerMock
+            .Setup(x => x.GetRolesAsync(It.IsAny<IdmtUser>()))
+            .ReturnsAsync(new List<string> { "SysAdmin" });
+
+        var tenantOpsMock = new Mock<ITenantOperationService>();
+
+        // Both calls to ExecuteInTenantScopeAsync return Success:
+        //   1st call — tenant-scope user creation
+        //   2nd call — compensating action after SaveChanges failure
+        tenantOpsMock
+            .Setup(x => x.ExecuteInTenantScopeAsync(
+                "comp-tenant",
+                It.IsAny<Func<IServiceProvider, Task<ErrorOr<Success>>>>(),
+                It.IsAny<bool>()))
+            .ReturnsAsync(Result.Success);
+
+        // Issue 19 fix: inject throwing context and mocks directly — no IServiceProvider wrapper.
+        var handler = new GrantTenantAccess.GrantTenantAccessHandler(
+            throwingContext,
+            userManagerMock.Object,
+            tenantStoreMock.Object,
+            tenantOpsMock.Object,
+            _timeProvider,
+            NullLogger<GrantTenantAccess.GrantTenantAccessHandler>.Instance);
+
+        // Act
+        var result = await handler.HandleAsync(userId, "comp-tenant");
+
+        // Assert — handler should return Tenant.AccessError after the compensating action
+        Assert.True(result.IsError);
+        Assert.Equal("Tenant.AccessError", result.FirstError.Code);
+
+        // Verify the compensating action was invoked (2 total calls: tenant user creation + compensation)
+        tenantOpsMock.Verify(
+            x => x.ExecuteInTenantScopeAsync(
+                "comp-tenant",
+                It.IsAny<Func<IServiceProvider, Task<ErrorOr<Success>>>>(),
+                It.IsAny<bool>()),
+            Times.Exactly(2));
+    }
+
+    public void Dispose()
+    {
+        _dbContext.Dispose();
+    }
+
+    /// <summary>
+    /// A test-only <see cref="IdmtDbContext"/> subclass whose <c>SaveChangesAsync</c> always
+    /// throws a <see cref="DbUpdateException"/>, simulating a persistence failure so we can
+    /// verify the handler's compensating action fires.
+    /// </summary>
+    private sealed class ThrowOnSaveDbContext : IdmtDbContext
+    {
+        public ThrowOnSaveDbContext(
+            IMultiTenantContextAccessor multiTenantContextAccessor,
+            DbContextOptions options,
+            ICurrentUserService currentUserService,
+            TimeProvider timeProvider,
+            ILogger<IdmtDbContext> logger)
+            : base(multiTenantContextAccessor, options, currentUserService, timeProvider, logger)
+        {
+        }
+
+        public override Task<int> SaveChangesAsync(CancellationToken cancellationToken = default)
+        {
+            throw new DbUpdateException("Simulated save failure");
+        }
+    }
+}
diff --git a/src/tests/Idmt.UnitTests/Features/Admin/RevokeTenantAccessHandlerTests.cs b/src/tests/Idmt.UnitTests/Features/Admin/RevokeTenantAccessHandlerTests.cs
new file mode 100644
index 0000000..1f1337c
--- /dev/null
+++ b/src/tests/Idmt.UnitTests/Features/Admin/RevokeTenantAccessHandlerTests.cs
@@ -0,0 +1,136 @@
+using ErrorOr;
+using Finbuckle.MultiTenant.Abstractions;
+using Idmt.Plugin.Features.Admin;
+using Idmt.Plugin.Models;
+using Idmt.Plugin.Persistence;
+using Idmt.Plugin.Services;
+using Microsoft.EntityFrameworkCore;
+using Microsoft.Extensions.Logging.Abstractions;
+using Moq;
+
+namespace Idmt.UnitTests.Features.Admin;
+
+public class RevokeTenantAccessHandlerTests : IDisposable
+{
+    private readonly Mock<ITenantOperationService> _tenantOpsMock;
+    private readonly IdmtDbContext _dbContext;
+    private readonly Mock<IMultiTenantStore<IdmtTenantInfo>> _tenantStoreMock;
+    private readonly RevokeTenantAccess.RevokeTenantAccessHandler _handler;
+
+    public RevokeTenantAccessHandlerTests()
+    {
+        _tenantOpsMock = new Mock<ITenantOperationService>();
+
+        // InMemory DbContext
+        var tenantAccessorMock = new Mock<IMultiTenantContextAccessor>();
+        var currentUserServiceMock = new Mock<ICurrentUserService>();
+        var dummyTenant = new IdmtTenantInfo("sys-id", "system-test", "System Test");
+        var dummyContext = new MultiTenantContext<IdmtTenantInfo>(dummyTenant);
+        tenantAccessorMock.SetupGet(x => x.MultiTenantContext).Returns(dummyContext);
+
+        var dbOptions = new DbContextOptionsBuilder<IdmtDbContext>()
+            .UseInMemoryDatabase(databaseName: Guid.NewGuid().ToString())
+            .Options;
+
+        _dbContext = new IdmtDbContext(
+            tenantAccessorMock.Object,
+            dbOptions,
+            currentUserServiceMock.Object,
+            TimeProvider.System,
+            NullLogger<IdmtDbContext>.Instance);
+
+        _tenantStoreMock = new Mock<IMultiTenantStore<IdmtTenantInfo>>();
+
+        _handler = new RevokeTenantAccess.RevokeTenantAccessHandler(
+            _dbContext,
+            _tenantStoreMock.Object,
+            _tenantOpsMock.Object,
+            NullLogger<RevokeTenantAccess.RevokeTenantAccessHandler>.Instance);
+    }
+
+    [Fact]
+    public async Task ReturnsAccessNotFound_WhenNoAccessRecord()
+    {
+        // Arrange
+        var userId = Guid.NewGuid();
+
+        _dbContext.Users.Add(new IdmtUser
+        {
+            Id = userId,
+            UserName = "testuser",
+            Email = "test@test.com",
+            TenantId = "sys-id"
+        });
+        await _dbContext.SaveChangesAsync();
+
+        var tenant = new IdmtTenantInfo("tid", "target-tenant", "Target");
+        _tenantStoreMock
+            .Setup(x => x.GetByIdentifierAsync("target-tenant"))
+            .ReturnsAsync(tenant);
+
+        // No access record seeded
+
+        // Act
+        var result = await _handler.HandleAsync(userId, "target-tenant");
+
+        // Assert
+        Assert.True(result.IsError);
+        Assert.Equal("Tenant.AccessNotFound", result.FirstError.Code);
+    }
+
+    [Fact]
+    public async Task SucceedsGracefully_WhenUserNotInTenantScope()
+    {
+        // Arrange
+        var userId = Guid.NewGuid();
+        var tenantId = "tid";
+
+        _dbContext.Users.Add(new IdmtUser
+        {
+            Id = userId,
+            UserName = "scopeuser",
+            Email = "scope@test.com",
+            TenantId = "sys-id"
+        });
+
+        _dbContext.TenantAccess.Add(new TenantAccess
+        {
+            UserId = userId,
+            TenantId = tenantId,
+            IsActive = true
+        });
+        await _dbContext.SaveChangesAsync();
+
+        var tenant = new IdmtTenantInfo(tenantId, "target-tenant", "Target");
+        _tenantStoreMock
+            .Setup(x => x.GetByIdentifierAsync("target-tenant"))
+            .ReturnsAsync(tenant);
+
+        // ExecuteInTenantScopeAsync succeeds (user not found in tenant scope is handled gracefully
+        // in the handler by returning Result.Success when targetUser is null)
+        _tenantOpsMock
+            .Setup(x => x.ExecuteInTenantScopeAsync(
+                "target-tenant",
+                It.IsAny<Func<IServiceProvider, Task<ErrorOr<Success>>>>(),
+                false))
+            .ReturnsAsync(Result.Success);
+
+        // Act
+        var result = await _handler.HandleAsync(userId, "target-tenant");
+
+        // Assert
+        Assert.False(result.IsError);
+
+        // Verify the access record was deactivated
+        var access = await _dbContext.TenantAccess
+            .FirstOrDefaultAsync(ta => ta.UserId == userId && ta.TenantId == tenantId);
+
+        Assert.NotNull(access);
+        Assert.False(access.IsActive);
+    }
+
+    public void Dispose()
+    {
+        _dbContext.Dispose();
+    }
+}
diff --git a/src/tests/Idmt.UnitTests/Features/Auth/ConfirmEmailHandlerTests.cs b/src/tests/Idmt.UnitTests/Features/Auth/ConfirmEmailHandlerTests.cs
new file mode 100644
index 0000000..8b1020b
--- /dev/null
+++ b/src/tests/Idmt.UnitTests/Features/Auth/ConfirmEmailHandlerTests.cs
@@ -0,0 +1,121 @@
+using ErrorOr;
+using Idmt.Plugin.Features.Auth;
+using Idmt.Plugin.Models;
+using Idmt.Plugin.Services;
+using Microsoft.AspNetCore.Identity;
+using Microsoft.Extensions.Logging.Abstractions;
+using Moq;
+
+namespace Idmt.UnitTests.Features.Auth;
+
+public class ConfirmEmailHandlerTests
+{
+    private readonly Mock<ITenantOperationService> _tenantOpsMock;
+    private readonly ConfirmEmail.ConfirmEmailHandler _handler;
+
+    public ConfirmEmailHandlerTests()
+    {
+        _tenantOpsMock = new Mock<ITenantOperationService>();
+
+        _handler = new ConfirmEmail.ConfirmEmailHandler(
+            _tenantOpsMock.Object,
+            NullLogger<ConfirmEmail.ConfirmEmailHandler>.Instance);
+    }
+
+    [Fact]
+    public async Task ReturnsConfirmationFailed_WhenUserNotFound()
+    {
+        // Arrange
+        var userManagerMock = new Mock<UserManager<IdmtUser>>(
+            new Mock<IUserStore<IdmtUser>>().Object, null!, null!, null!, null!, null!, null!, null!, null!);
+
+        userManagerMock
+            .Setup(u => u.FindByEmailAsync(It.IsAny<string>()))
+            .ReturnsAsync((IdmtUser?)null);
+
+        SetupTenantOpsToInvokeLambda(userManagerMock);
+
+        var request = new ConfirmEmail.ConfirmEmailRequest("test-tenant", "notfound@test.com", "token123");
+
+        // Act
+        var result = await _handler.HandleAsync(request);
+
+        // Assert
+        Assert.True(result.IsError);
+        Assert.Equal("Email.ConfirmationFailed", result.FirstError.Code);
+    }
+
+    [Fact]
+    public async Task ReturnsConfirmationFailed_WhenTokenIsInvalid()
+    {
+        // Arrange
+        var user = new IdmtUser { UserName = "test", Email = "test@test.com", TenantId = "t1" };
+
+        var userManagerMock = new Mock<UserManager<IdmtUser>>(
+            new Mock<IUserStore<IdmtUser>>().Object, null!, null!, null!, null!, null!, null!, null!, null!);
+
+        userManagerMock
+            .Setup(u => u.FindByEmailAsync(It.IsAny<string>()))
+            .ReturnsAsync(user);
+
+        userManagerMock
+            .Setup(u => u.ConfirmEmailAsync(user, It.IsAny<string>()))
+            .ReturnsAsync(IdentityResult.Failed(new IdentityError { Code = "InvalidToken", Description = "Invalid token" }));
+
+        SetupTenantOpsToInvokeLambda(userManagerMock);
+
+        var request = new ConfirmEmail.ConfirmEmailRequest("test-tenant", "test@test.com", "bad-token");
+
+        // Act
+        var result = await _handler.HandleAsync(request);
+
+        // Assert
+        Assert.True(result.IsError);
+        Assert.Equal("Email.ConfirmationFailed", result.FirstError.Code);
+    }
+
+    [Fact]
+    public async Task ReturnsUnexpected_OnException()
+    {
+        // Arrange
+        var userManagerMock = new Mock<UserManager<IdmtUser>>(
+            new Mock<IUserStore<IdmtUser>>().Object, null!, null!, null!, null!, null!, null!, null!, null!);
+
+        userManagerMock
+            .Setup(u => u.FindByEmailAsync(It.IsAny<string>()))
+            .ThrowsAsync(new InvalidOperationException("Database error"));
+
+        SetupTenantOpsToInvokeLambda(userManagerMock);
+
+        var request = new ConfirmEmail.ConfirmEmailRequest("test-tenant", "test@test.com", "token123");
+
+        // Act
+        var result = await _handler.HandleAsync(request);
+
+        // Assert
+        Assert.True(result.IsError);
+        Assert.Equal("General.Unexpected", result.FirstError.Code);
+    }
+
+    #region Helpers
+
+    private void SetupTenantOpsToInvokeLambda(Mock<UserManager<IdmtUser>> userManagerMock)
+    {
+        _tenantOpsMock
+            .Setup(t => t.ExecuteInTenantScopeAsync(
+                It.IsAny<string>(),
+                It.IsAny<Func<IServiceProvider, Task<ErrorOr<Success>>>>(),
+                It.IsAny<bool>()))
+            .Returns<string, Func<IServiceProvider, Task<ErrorOr<Success>>>, bool>(
+                async (_, operation, _) =>
+                {
+                    var serviceProviderMock = new Mock<IServiceProvider>();
+                    serviceProviderMock
+                        .Setup(sp => sp.GetService(typeof(UserManager<IdmtUser>)))
+                        .Returns(userManagerMock.Object);
+                    return await operation(serviceProviderMock.Object);
+                });
+    }
+
+    #endregion
+}
diff --git a/src/tests/Idmt.UnitTests/Features/Auth/ForgotPasswordHandlerTests.cs b/src/tests/Idmt.UnitTests/Features/Auth/ForgotPasswordHandlerTests.cs
new file mode 100644
index 0000000..38864c9
--- /dev/null
+++ b/src/tests/Idmt.UnitTests/Features/Auth/ForgotPasswordHandlerTests.cs
@@ -0,0 +1,101 @@
+using Idmt.Plugin.Features.Auth;
+using Idmt.Plugin.Models;
+using Idmt.Plugin.Services;
+using Microsoft.AspNetCore.Identity;
+using Microsoft.Extensions.Logging.Abstractions;
+using Moq;
+
+namespace Idmt.UnitTests.Features.Auth;
+
+public class ForgotPasswordHandlerTests
+{
+    private readonly Mock<UserManager<IdmtUser>> _userManagerMock;
+    private readonly Mock<IEmailSender<IdmtUser>> _emailSenderMock;
+    private readonly Mock<IIdmtLinkGenerator> _linkGeneratorMock;
+    private readonly ForgotPassword.ForgotPasswordHandler _handler;
+
+    public ForgotPasswordHandlerTests()
+    {
+        _userManagerMock = new Mock<UserManager<IdmtUser>>(
+            new Mock<IUserStore<IdmtUser>>().Object, null!, null!, null!, null!, null!, null!, null!, null!);
+
+        _emailSenderMock = new Mock<IEmailSender<IdmtUser>>();
+        _linkGeneratorMock = new Mock<IIdmtLinkGenerator>();
+
+        _handler = new ForgotPassword.ForgotPasswordHandler(
+            _userManagerMock.Object,
+            _emailSenderMock.Object,
+            _linkGeneratorMock.Object,
+            NullLogger<ForgotPassword.ForgotPasswordHandler>.Instance);
+    }
+
+    [Fact]
+    public async Task ReturnsSuccess_WhenUserIsInactive()
+    {
+        // Arrange - user exists but is inactive
+        var user = new IdmtUser
+        {
+            UserName = "inactive",
+            Email = "inactive@test.com",
+            IsActive = false,
+            TenantId = "t1"
+        };
+
+        _userManagerMock
+            .Setup(u => u.FindByEmailAsync("inactive@test.com"))
+            .ReturnsAsync(user);
+
+        var request = new ForgotPassword.ForgotPasswordRequest("inactive@test.com");
+
+        // Act
+        var result = await _handler.HandleAsync(request);
+
+        // Assert - returns success but no email should be sent
+        Assert.False(result.IsError);
+        _emailSenderMock.Verify(
+            e => e.SendPasswordResetCodeAsync(It.IsAny<IdmtUser>(), It.IsAny<string>(), It.IsAny<string>()),
+            Times.Never);
+        _userManagerMock.Verify(
+            u => u.GeneratePasswordResetTokenAsync(It.IsAny<IdmtUser>()),
+            Times.Never);
+    }
+
+    [Fact]
+    public async Task GeneratesPasswordResetLink_WhenUserExists()
+    {
+        // Arrange
+        var user = new IdmtUser
+        {
+            UserName = "testuser",
+            Email = "test@test.com",
+            IsActive = true,
+            TenantId = "t1"
+        };
+
+        _userManagerMock
+            .Setup(u => u.FindByEmailAsync("test@test.com"))
+            .ReturnsAsync(user);
+
+        _userManagerMock
+            .Setup(u => u.GeneratePasswordResetTokenAsync(user))
+            .ReturnsAsync("reset-token-123");
+
+        _linkGeneratorMock
+            .Setup(l => l.GeneratePasswordResetLink("test@test.com", "reset-token-123"))
+            .Returns("https://app.example.com/reset-password?token=encoded-token");
+
+        var request = new ForgotPassword.ForgotPasswordRequest("test@test.com");
+
+        // Act
+        var result = await _handler.HandleAsync(request);
+
+        // Assert
+        Assert.False(result.IsError);
+        _linkGeneratorMock.Verify(
+            l => l.GeneratePasswordResetLink("test@test.com", "reset-token-123"),
+            Times.Once);
+        _emailSenderMock.Verify(
+            e => e.SendPasswordResetCodeAsync(user, "test@test.com", "https://app.example.com/reset-password?token=encoded-token"),
+            Times.Once);
+    }
+}
diff --git a/src/tests/Idmt.UnitTests/Features/Auth/LoginHandlerTests.cs b/src/tests/Idmt.UnitTests/Features/Auth/LoginHandlerTests.cs
new file mode 100644
index 0000000..f4b9e8e
--- /dev/null
+++ b/src/tests/Idmt.UnitTests/Features/Auth/LoginHandlerTests.cs
@@ -0,0 +1,276 @@
+using System.Security.Claims;
+using Finbuckle.MultiTenant.Abstractions;
+using Idmt.Plugin.Configuration;
+using Idmt.Plugin.Features.Auth;
+using Idmt.Plugin.Models;
+using Microsoft.AspNetCore.Authentication;
+using Microsoft.AspNetCore.Http;
+using Microsoft.AspNetCore.Identity;
+using Microsoft.Extensions.Logging.Abstractions;
+using Microsoft.Extensions.Options;
+using Moq;
+
+namespace Idmt.UnitTests.Features.Auth;
+
+public class LoginHandlerTests
+{
+    private readonly Mock<UserManager<IdmtUser>> _userManagerMock;
+    private readonly Mock<SignInManager<IdmtUser>> _signInManagerMock;
+    private readonly Mock<IMultiTenantContextAccessor> _tenantAccessorMock;
+    private readonly Mock<TimeProvider> _timeProviderMock;
+    private readonly Login.LoginHandler _handler;
+
+    public LoginHandlerTests()
+    {
+        var userStoreMock = Mock.Of<IUserStore<IdmtUser>>();
+        _userManagerMock = new Mock<UserManager<IdmtUser>>(
+            userStoreMock,
+            null!, null!, null!, null!, null!, null!, null!, null!);
+
+        // SignInManager requires UserManager, IHttpContextAccessor, IUserClaimsPrincipalFactory,
+        // IOptions<IdentityOptions>, ILogger, IAuthenticationSchemeProvider, IUserConfirmation
+        var httpContextAccessorMock = new Mock<IHttpContextAccessor>();
+        var authServiceMock = new Mock<IAuthenticationService>();
+        authServiceMock.Setup(x => x.SignInAsync(
+                It.IsAny<HttpContext>(),
+                It.IsAny<string>(),
+                It.IsAny<ClaimsPrincipal>(),
+                It.IsAny<AuthenticationProperties>()))
+            .Returns(Task.CompletedTask);
+        var serviceProviderMock = new Mock<IServiceProvider>();
+        serviceProviderMock.Setup(x => x.GetService(typeof(IAuthenticationService)))
+            .Returns(authServiceMock.Object);
+        var httpContext = new DefaultHttpContext { RequestServices = serviceProviderMock.Object };
+        // SignInManager.Context accesses HttpContextAccessor.HttpContext
+        httpContextAccessorMock.Setup(x => x.HttpContext).Returns(httpContext);
+
+        _signInManagerMock = new Mock<SignInManager<IdmtUser>>(
+            _userManagerMock.Object,
+            httpContextAccessorMock.Object,
+            Mock.Of<IUserClaimsPrincipalFactory<IdmtUser>>(),
+            Mock.Of<IOptions<IdentityOptions>>(),
+            NullLogger<SignInManager<IdmtUser>>.Instance,
+            Mock.Of<IAuthenticationSchemeProvider>(),
+            Mock.Of<IUserConfirmation<IdmtUser>>());
+
+        _tenantAccessorMock = new Mock<IMultiTenantContextAccessor>();
+        _timeProviderMock = new Mock<TimeProvider>();
+        _timeProviderMock.Setup(x => x.GetUtcNow()).Returns(new DateTimeOffset(2026, 1, 1, 0, 0, 0, TimeSpan.Zero));
+
+        _handler = new Login.LoginHandler(
+            _userManagerMock.Object,
+            _signInManagerMock.Object,
+            _tenantAccessorMock.Object,
+            Options.Create(new IdmtOptions()),
+            _timeProviderMock.Object,
+            NullLogger<Login.LoginHandler>.Instance);
+    }
+
+    private static Login.LoginRequest CreateRequest(
+        string? email = "test@example.com",
+        string? username = null,
+        string password = "Password123!",
+        string? twoFactorCode = null,
+        string? twoFactorRecoveryCode = null) =>
+        new()
+        {
+            Email = email,
+            Username = username,
+            Password = password,
+            TwoFactorCode = twoFactorCode,
+            TwoFactorRecoveryCode = twoFactorRecoveryCode
+        };
+
+    private void SetupActiveTenant()
+    {
+        var tenant = new IdmtTenantInfo("tenant-id", "test-tenant", "Test Tenant");
+        var context = new MultiTenantContext<IdmtTenantInfo>(tenant);
+        _tenantAccessorMock.Setup(x => x.MultiTenantContext).Returns(context);
+    }
+
+    private static IdmtUser CreateActiveUser() =>
+        new()
+        {
+            Id = Guid.NewGuid(),
+            Email = "test@example.com",
+            UserName = "testuser",
+            TenantId = "tenant-id",
+            IsActive = true
+        };
+
+    [Fact]
+    public async Task ReturnsNotResolved_WhenTenantContextIsNull()
+    {
+        _tenantAccessorMock.Setup(x => x.MultiTenantContext).Returns((IMultiTenantContext)null!);
+
+        var result = await _handler.HandleAsync(CreateRequest());
+
+        Assert.True(result.IsError);
+        Assert.Equal("Tenant.NotResolved", result.FirstError.Code);
+    }
+
+    [Fact]
+    public async Task ReturnsInactive_WhenTenantIsInactive()
+    {
+        var tenant = new IdmtTenantInfo("tenant-id", "test-tenant", "Test Tenant") { IsActive = false };
+        var context = new MultiTenantContext<IdmtTenantInfo>(tenant);
+        _tenantAccessorMock.Setup(x => x.MultiTenantContext).Returns(context);
+
+        var result = await _handler.HandleAsync(CreateRequest());
+
+        Assert.True(result.IsError);
+        Assert.Equal("Tenant.Inactive", result.FirstError.Code);
+    }
+
+    [Fact]
+    public async Task ReturnsUnauthorized_WhenNeitherEmailNorUsernameProvided()
+    {
+        SetupActiveTenant();
+        // Both email and username are null, so no user lookup occurs and user remains null
+        var request = CreateRequest(email: null, username: null);
+
+        var result = await _handler.HandleAsync(request);
+
+        Assert.True(result.IsError);
+        Assert.Equal("Auth.Unauthorized", result.FirstError.Code);
+    }
+
+    [Fact]
+    public async Task ReturnsUnauthorized_WhenUserIsInactive()
+    {
+        SetupActiveTenant();
+        var inactiveUser = CreateActiveUser();
+        inactiveUser.IsActive = false;
+
+        _userManagerMock.Setup(x => x.FindByEmailAsync("test@example.com"))
+            .ReturnsAsync(inactiveUser);
+
+        var result = await _handler.HandleAsync(CreateRequest());
+
+        Assert.True(result.IsError);
+        Assert.Equal("Auth.Unauthorized", result.FirstError.Code);
+    }
+
+    [Fact]
+    public async Task ReturnsLockedOut_WhenPasswordCheckReturnsLockedOut()
+    {
+        SetupActiveTenant();
+        var user = CreateActiveUser();
+        _userManagerMock.Setup(x => x.FindByEmailAsync("test@example.com")).ReturnsAsync(user);
+        _signInManagerMock.Setup(x => x.CheckPasswordSignInAsync(user, "Password123!", true))
+            .ReturnsAsync(SignInResult.LockedOut);
+
+        var result = await _handler.HandleAsync(CreateRequest());
+
+        Assert.True(result.IsError);
+        Assert.Equal("Auth.LockedOut", result.FirstError.Code);
+    }
+
+    [Fact]
+    public async Task ReturnsLockedOut_WhenTwoFactorRequiredAndUserIsLockedOut()
+    {
+        SetupActiveTenant();
+        var user = CreateActiveUser();
+        _userManagerMock.Setup(x => x.FindByEmailAsync("test@example.com")).ReturnsAsync(user);
+        _signInManagerMock.Setup(x => x.CheckPasswordSignInAsync(user, "Password123!", true))
+            .ReturnsAsync(SignInResult.TwoFactorRequired);
+        _userManagerMock.Setup(x => x.IsLockedOutAsync(user)).ReturnsAsync(true);
+
+        var result = await _handler.HandleAsync(CreateRequest());
+
+        Assert.True(result.IsError);
+        Assert.Equal("Auth.LockedOut", result.FirstError.Code);
+    }
+
+    [Fact]
+    public async Task ReturnsUnauthorized_WhenTwoFactorCodeIsInvalid()
+    {
+        SetupActiveTenant();
+        var user = CreateActiveUser();
+        _userManagerMock.Setup(x => x.FindByEmailAsync("test@example.com")).ReturnsAsync(user);
+        _signInManagerMock.Setup(x => x.CheckPasswordSignInAsync(user, "Password123!", true))
+            .ReturnsAsync(SignInResult.TwoFactorRequired);
+        _userManagerMock.Setup(x => x.IsLockedOutAsync(user)).ReturnsAsync(false);
+        _userManagerMock.Setup(x => x.VerifyTwoFactorTokenAsync(user, It.IsAny<string>(), "invalid-code"))
+            .ReturnsAsync(false);
+        _userManagerMock.Setup(x => x.AccessFailedAsync(user)).ReturnsAsync(IdentityResult.Success);
+
+        var result = await _handler.HandleAsync(CreateRequest(twoFactorCode: "invalid-code"));
+
+        Assert.True(result.IsError);
+        Assert.Equal("Auth.Unauthorized", result.FirstError.Code);
+        _userManagerMock.Verify(x => x.AccessFailedAsync(user), Times.Once);
+    }
+
+    [Fact]
+    public async Task ReturnsUnauthorized_WhenRecoveryCodeIsInvalid()
+    {
+        SetupActiveTenant();
+        var user = CreateActiveUser();
+        _userManagerMock.Setup(x => x.FindByEmailAsync("test@example.com")).ReturnsAsync(user);
+        _signInManagerMock.Setup(x => x.CheckPasswordSignInAsync(user, "Password123!", true))
+            .ReturnsAsync(SignInResult.TwoFactorRequired);
+        _userManagerMock.Setup(x => x.IsLockedOutAsync(user)).ReturnsAsync(false);
+        _userManagerMock.Setup(x => x.RedeemTwoFactorRecoveryCodeAsync(user, "bad-recovery"))
+            .ReturnsAsync(IdentityResult.Failed(new IdentityError { Code = "InvalidCode", Description = "Invalid" }));
+        _userManagerMock.Setup(x => x.AccessFailedAsync(user)).ReturnsAsync(IdentityResult.Success);
+
+        var result = await _handler.HandleAsync(CreateRequest(twoFactorRecoveryCode: "bad-recovery"));
+
+        Assert.True(result.IsError);
+        Assert.Equal("Auth.Unauthorized", result.FirstError.Code);
+        _userManagerMock.Verify(x => x.AccessFailedAsync(user), Times.Once);
+    }
+
+    [Fact]
+    public async Task ReturnsTwoFactorRequired_WhenBothCodesAreEmpty()
+    {
+        SetupActiveTenant();
+        var user = CreateActiveUser();
+        _userManagerMock.Setup(x => x.FindByEmailAsync("test@example.com")).ReturnsAsync(user);
+        _signInManagerMock.Setup(x => x.CheckPasswordSignInAsync(user, "Password123!", true))
+            .ReturnsAsync(SignInResult.TwoFactorRequired);
+        _userManagerMock.Setup(x => x.IsLockedOutAsync(user)).ReturnsAsync(false);
+
+        var result = await _handler.HandleAsync(CreateRequest());
+
+        Assert.True(result.IsError);
+        Assert.Equal("Auth.TwoFactorRequired", result.FirstError.Code);
+    }
+
+    [Fact]
+    public async Task LogsWarning_WhenLastLoginAtUpdateFails()
+    {
+        SetupActiveTenant();
+        var user = CreateActiveUser();
+        _userManagerMock.Setup(x => x.FindByEmailAsync("test@example.com")).ReturnsAsync(user);
+        _signInManagerMock.Setup(x => x.CheckPasswordSignInAsync(user, "Password123!", true))
+            .ReturnsAsync(SignInResult.Success);
+        _signInManagerMock.Setup(x => x.CreateUserPrincipalAsync(user))
+            .ReturnsAsync(new ClaimsPrincipal(new ClaimsIdentity()));
+
+        // Simulate UpdateAsync failure for LastLoginAt
+        _userManagerMock.Setup(x => x.UpdateAsync(user))
+            .ReturnsAsync(IdentityResult.Failed(new IdentityError { Code = "UpdateFailed", Description = "Failed" }));
+
+        var result = await _handler.HandleAsync(CreateRequest());
+
+        // Should still succeed despite update failure (warning only)
+        Assert.False(result.IsError);
+        Assert.NotNull(result.Value.UserId);
+        Assert.Equal(user.Id, result.Value.UserId);
+    }
+
+    [Fact]
+    public async Task ReturnsUnexpected_WhenExceptionIsThrown()
+    {
+        SetupActiveTenant();
+        _userManagerMock.Setup(x => x.FindByEmailAsync(It.IsAny<string>()))
+            .ThrowsAsync(new InvalidOperationException("Database connection lost"));
+
+        var result = await _handler.HandleAsync(CreateRequest());
+
+        Assert.True(result.IsError);
+        Assert.Equal("General.Unexpected", result.FirstError.Code);
+    }
+}
diff --git a/src/tests/Idmt.UnitTests/Features/Auth/LogoutHandlerTests.cs b/src/tests/Idmt.UnitTests/Features/Auth/LogoutHandlerTests.cs
new file mode 100644
index 0000000..7737dad
--- /dev/null
+++ b/src/tests/Idmt.UnitTests/Features/Auth/LogoutHandlerTests.cs
@@ -0,0 +1,335 @@
+using System.Security.Claims;
+using Finbuckle.MultiTenant.Abstractions;
+using Idmt.Plugin.Configuration;
+using Idmt.Plugin.Features.Auth;
+using Idmt.Plugin.Models;
+using Idmt.Plugin.Services;
+using Microsoft.AspNetCore.Identity;
+using Microsoft.Extensions.Logging;
+using Microsoft.Extensions.Options;
+using Moq;
+
+namespace Idmt.UnitTests.Features.Auth;
+
+public class LogoutHandlerTests
+{
+    private const string TenantClaimKey = "tenant";
+
+    private readonly Mock<ILogger<Logout.LogoutHandler>> _loggerMock;
+    private readonly Mock<SignInManager<IdmtUser>> _signInManagerMock;
+    private readonly Mock<ICurrentUserService> _currentUserServiceMock;
+    private readonly Mock<IMultiTenantContextAccessor<IdmtTenantInfo>> _tenantContextAccessorMock;
+    private readonly IOptions<IdmtOptions> _idmtOptions;
+    private readonly Mock<ITokenRevocationService> _tokenRevocationServiceMock;
+    private readonly Logout.LogoutHandler _handler;
+
+    public LogoutHandlerTests()
+    {
+        var userStoreMock = new Mock<IUserStore<IdmtUser>>();
+        var userManagerMock = new Mock<UserManager<IdmtUser>>(
+            userStoreMock.Object, null!, null!, null!, null!, null!, null!, null!, null!);
+
+        _signInManagerMock = new Mock<SignInManager<IdmtUser>>(
+            userManagerMock.Object,
+            new Mock<Microsoft.AspNetCore.Http.IHttpContextAccessor>().Object,
+            new Mock<IUserClaimsPrincipalFactory<IdmtUser>>().Object,
+            null!, null!, null!, null!);
+
+        _loggerMock = new Mock<ILogger<Logout.LogoutHandler>>();
+        _currentUserServiceMock = new Mock<ICurrentUserService>();
+        _tenantContextAccessorMock = new Mock<IMultiTenantContextAccessor<IdmtTenantInfo>>();
+        _tokenRevocationServiceMock = new Mock<ITokenRevocationService>();
+
+        // Default: no tenant context resolved. Tests that need a resolved tenant override this.
+        _tenantContextAccessorMock
+            .SetupGet(x => x.MultiTenantContext)
+            .Returns((IMultiTenantContext<IdmtTenantInfo>)null!);
+
+        _idmtOptions = Options.Create(new IdmtOptions
+        {
+            MultiTenant = new MultiTenantOptions
+            {
+                StrategyOptions = new Dictionary<string, string>
+                {
+                    [IdmtMultiTenantStrategy.Claim] = TenantClaimKey
+                }
+            }
+        });
+
+        _handler = new Logout.LogoutHandler(
+            _loggerMock.Object,
+            _signInManagerMock.Object,
+            _currentUserServiceMock.Object,
+            _tenantContextAccessorMock.Object,
+            _idmtOptions,
+            _tokenRevocationServiceMock.Object);
+    }
+
+    [Fact]
+    public async Task ReturnsUnexpected_WhenSignOutThrows()
+    {
+        // Arrange
+        _signInManagerMock
+            .Setup(s => s.SignOutAsync())
+            .ThrowsAsync(new InvalidOperationException("SignOut failed"));
+
+        // Act
+        var result = await _handler.HandleAsync();
+
+        // Assert
+        Assert.True(result.IsError);
+        Assert.Equal("General.Unexpected", result.FirstError.Code);
+    }
+
+    [Fact]
+    public async Task Logout_ReturnsSuccess_OnHappyPath()
+    {
+        // Arrange
+        var userId = Guid.NewGuid();
+        var tenantId = "test-tenant-db-id";
+
+        _currentUserServiceMock.SetupGet(c => c.UserId).Returns(userId);
+        SetupTenantContext(tenantDbId: tenantId, tenantIdentifier: "test-tenant");
+
+        _signInManagerMock
+            .Setup(s => s.SignOutAsync())
+            .Returns(Task.CompletedTask);
+
+        _tokenRevocationServiceMock
+            .Setup(x => x.RevokeUserTokensAsync(userId, tenantId, It.IsAny<CancellationToken>()))
+            .Returns(Task.CompletedTask);
+
+        // Act
+        var result = await _handler.HandleAsync();
+
+        // Assert
+        Assert.False(result.IsError);
+    }
+
+    [Fact]
+    public async Task Logout_CallsRevokeUserTokensAsync_WhenUserAndTenantContextArePresent()
+    {
+        // Arrange
+        var userId = Guid.NewGuid();
+        var tenantId = "test-tenant-db-id";
+
+        _currentUserServiceMock.SetupGet(c => c.UserId).Returns(userId);
+        SetupTenantContext(tenantDbId: tenantId, tenantIdentifier: "test-tenant");
+
+        _signInManagerMock
+            .Setup(s => s.SignOutAsync())
+            .Returns(Task.CompletedTask);
+
+        _tokenRevocationServiceMock
+            .Setup(x => x.RevokeUserTokensAsync(userId, tenantId, It.IsAny<CancellationToken>()))
+            .Returns(Task.CompletedTask);
+
+        // Act
+        await _handler.HandleAsync();
+
+        // Assert: revocation is called with the tenant DB Id from the context accessor
+        _tokenRevocationServiceMock.Verify(
+            x => x.RevokeUserTokensAsync(userId, tenantId, It.IsAny<CancellationToken>()),
+            Times.Once);
+    }
+
+    [Fact]
+    public async Task Logout_SkipsRevocation_WhenUserIdIsNull()
+    {
+        // Arrange
+        _currentUserServiceMock.SetupGet(c => c.UserId).Returns((Guid?)null);
+        SetupTenantContext(tenantDbId: "test-tenant-db-id", tenantIdentifier: "test-tenant");
+
+        _signInManagerMock
+            .Setup(s => s.SignOutAsync())
+            .Returns(Task.CompletedTask);
+
+        // Act
+        var result = await _handler.HandleAsync();
+
+        // Assert
+        Assert.False(result.IsError);
+        _tokenRevocationServiceMock.Verify(
+            x => x.RevokeUserTokensAsync(It.IsAny<Guid>(), It.IsAny<string>(), It.IsAny<CancellationToken>()),
+            Times.Never);
+    }
+
+    [Fact]
+    public async Task Logout_SkipsRevocationAndLogsWarning_WhenTenantContextIsNull()
+    {
+        // Arrange: the multi-tenant strategy produced no context (e.g. header or route strategy
+        // does not fire during logout). The accessor default in the constructor returns null.
+        // The principal has a tenant claim that the warning should surface in its message.
+        var userId = Guid.NewGuid();
+        var tenantIdentifierFromClaim = "acme-corp";
+        var principal = BuildPrincipalWithTenantClaim(TenantClaimKey, tenantIdentifierFromClaim);
+
+        _currentUserServiceMock.SetupGet(c => c.UserId).Returns(userId);
+        _currentUserServiceMock.SetupGet(c => c.User).Returns(principal);
+
+        _signInManagerMock
+            .Setup(s => s.SignOutAsync())
+            .Returns(Task.CompletedTask);
+
+        // Act
+        var result = await _handler.HandleAsync();
+
+        // Assert: sign-out still returns 204 — the user is signed out even without revocation
+        Assert.False(result.IsError);
+        _tokenRevocationServiceMock.Verify(
+            x => x.RevokeUserTokensAsync(It.IsAny<Guid>(), It.IsAny<string>(), It.IsAny<CancellationToken>()),
+            Times.Never);
+
+        // Assert: warning is logged and identifies the tenant from bearer claims so operators
+        // can diagnose the misconfigured strategy
+        VerifyLogWarningContains(tenantIdentifierFromClaim);
+    }
+
+    [Fact]
+    public async Task Logout_LogsWarning_WithNotPresentPlaceholder_WhenBothTenantContextAndClaimAreNull()
+    {
+        // Arrange: neither the multi-tenant context nor the bearer principal carry any tenant
+        // information — the warning should still be emitted with a diagnostic placeholder.
+        var userId = Guid.NewGuid();
+        var principalWithNoTenantClaim = new ClaimsPrincipal(new ClaimsIdentity([], "Bearer"));
+
+        _currentUserServiceMock.SetupGet(c => c.UserId).Returns(userId);
+        _currentUserServiceMock.SetupGet(c => c.User).Returns(principalWithNoTenantClaim);
+
+        _signInManagerMock
+            .Setup(s => s.SignOutAsync())
+            .Returns(Task.CompletedTask);
+
+        // Act
+        var result = await _handler.HandleAsync();
+
+        // Assert
+        Assert.False(result.IsError);
+        _tokenRevocationServiceMock.Verify(
+            x => x.RevokeUserTokensAsync(It.IsAny<Guid>(), It.IsAny<string>(), It.IsAny<CancellationToken>()),
+            Times.Never);
+
+        VerifyLogWarningContains("<not present in claims>");
+    }
+
+    [Fact]
+    public async Task Logout_LogsWarning_WhenTenantContextExistsButTenantInfoIsNull()
+    {
+        // Arrange: Finbuckle returned a context object (resolution ran) but found no matching
+        // tenant store entry — TenantInfo is null, so Id cannot be resolved.
+        var userId = Guid.NewGuid();
+        var tenantIdentifierFromClaim = "unknown-tenant";
+        var principal = BuildPrincipalWithTenantClaim(TenantClaimKey, tenantIdentifierFromClaim);
+
+        _currentUserServiceMock.SetupGet(c => c.UserId).Returns(userId);
+        _currentUserServiceMock.SetupGet(c => c.User).Returns(principal);
+
+        var contextWithNullTenantInfo = new Mock<IMultiTenantContext<IdmtTenantInfo>>();
+        contextWithNullTenantInfo.SetupGet(c => c.TenantInfo).Returns((IdmtTenantInfo)null!);
+        _tenantContextAccessorMock
+            .SetupGet(a => a.MultiTenantContext)
+            .Returns(contextWithNullTenantInfo.Object);
+
+        _signInManagerMock
+            .Setup(s => s.SignOutAsync())
+            .Returns(Task.CompletedTask);
+
+        // Act
+        var result = await _handler.HandleAsync();
+
+        // Assert
+        Assert.False(result.IsError);
+        _tokenRevocationServiceMock.Verify(
+            x => x.RevokeUserTokensAsync(It.IsAny<Guid>(), It.IsAny<string>(), It.IsAny<CancellationToken>()),
+            Times.Never);
+
+        VerifyLogWarningContains(tenantIdentifierFromClaim);
+    }
+
+    [Fact]
+    public async Task Logout_UsesConfiguredClaimKey_WhenReadingTenantIdentifierForWarning()
+    {
+        // Arrange: a non-default claim key is configured; the handler must read the tenant
+        // identifier from the correct claim type when composing the warning message.
+        const string customClaimKey = "custom_tenant_claim";
+        const string tenantIdentifierValue = "my-org";
+
+        var options = Options.Create(new IdmtOptions
+        {
+            MultiTenant = new MultiTenantOptions
+            {
+                StrategyOptions = new Dictionary<string, string>
+                {
+                    [IdmtMultiTenantStrategy.Claim] = customClaimKey
+                }
+            }
+        });
+
+        var principal = BuildPrincipalWithTenantClaim(customClaimKey, tenantIdentifierValue);
+        _currentUserServiceMock.SetupGet(c => c.UserId).Returns(Guid.NewGuid());
+        _currentUserServiceMock.SetupGet(c => c.User).Returns(principal);
+
+        // Tenant context remains null (default)
+
+        _signInManagerMock
+            .Setup(s => s.SignOutAsync())
+            .Returns(Task.CompletedTask);
+
+        var handlerWithCustomOptions = new Logout.LogoutHandler(
+            _loggerMock.Object,
+            _signInManagerMock.Object,
+            _currentUserServiceMock.Object,
+            _tenantContextAccessorMock.Object,
+            options,
+            _tokenRevocationServiceMock.Object);
+
+        // Act
+        await handlerWithCustomOptions.HandleAsync();
+
+        // Assert: warning contains the value from the custom claim key
+        VerifyLogWarningContains(tenantIdentifierValue);
+    }
+
+    #region Helpers
+
+    /// <summary>
+    /// Configures the tenant context accessor to return a fully resolved tenant.
+    /// </summary>
+    private void SetupTenantContext(string tenantDbId, string tenantIdentifier)
+    {
+        var tenantInfo = new IdmtTenantInfo(tenantDbId, tenantIdentifier, tenantIdentifier);
+        var context = new MultiTenantContext<IdmtTenantInfo>(tenantInfo);
+        _tenantContextAccessorMock
+            .SetupGet(x => x.MultiTenantContext)
+            .Returns(context);
+    }
+
+    private static ClaimsPrincipal BuildPrincipalWithTenantClaim(string claimKey, string claimValue)
+    {
+        var claims = new List<Claim>
+        {
+            new(ClaimTypes.NameIdentifier, Guid.NewGuid().ToString()),
+            new(claimKey, claimValue)
+        };
+        return new ClaimsPrincipal(new ClaimsIdentity(claims, "Bearer"));
+    }
+
+    /// <summary>
+    /// Verifies that ILogger.LogWarning was called at least once with a formatted message
+    /// that contains the expected substring.
+    /// </summary>
+    private void VerifyLogWarningContains(string expectedSubstring)
+    {
+        _loggerMock.Verify(
+            l => l.Log(
+                LogLevel.Warning,
+                It.IsAny<EventId>(),
+                It.Is<It.IsAnyType>((state, _) => state.ToString()!.Contains(expectedSubstring)),
+                null,
+                It.IsAny<Func<It.IsAnyType, Exception?, string>>()),
+            Times.Once,
+            $"Expected a LogWarning call whose message contains '{expectedSubstring}'.");
+    }
+
+    #endregion
+}
diff --git a/src/tests/Idmt.UnitTests/Features/Auth/RefreshTokenHandlerTests.cs b/src/tests/Idmt.UnitTests/Features/Auth/RefreshTokenHandlerTests.cs
new file mode 100644
index 0000000..f64949e
--- /dev/null
+++ b/src/tests/Idmt.UnitTests/Features/Auth/RefreshTokenHandlerTests.cs
@@ -0,0 +1,357 @@
+using System.Security.Claims;
+using Finbuckle.MultiTenant.Abstractions;
+using Idmt.Plugin.Configuration;
+using Idmt.Plugin.Features.Auth;
+using Idmt.Plugin.Models;
+using Idmt.Plugin.Services;
+using Microsoft.AspNetCore.Authentication;
+using Microsoft.AspNetCore.Authentication.BearerToken;
+using Microsoft.AspNetCore.Identity;
+using Microsoft.Extensions.Options;
+using Moq;
+
+namespace Idmt.UnitTests.Features.Auth;
+
+public class RefreshTokenHandlerTests
+{
+    private const string TenantClaimKey = "tenant";
+    private const string TestTenantIdentifier = "test-tenant";
+
+    private readonly Mock<IOptionsMonitor<BearerTokenOptions>> _bearerOptionsMock;
+    private readonly Mock<TimeProvider> _timeProviderMock;
+    private readonly Mock<SignInManager<IdmtUser>> _signInManagerMock;
+    private readonly Mock<IMultiTenantContextAccessor<IdmtTenantInfo>> _tenantContextAccessorMock;
+    private readonly IOptions<IdmtOptions> _idmtOptions;
+    private readonly Mock<ITokenRevocationService> _tokenRevocationServiceMock;
+    private readonly RefreshToken.RefreshTokenHandler _handler;
+
+    public RefreshTokenHandlerTests()
+    {
+        _bearerOptionsMock = new Mock<IOptionsMonitor<BearerTokenOptions>>();
+        _timeProviderMock = new Mock<TimeProvider>();
+
+        var userStoreMock = new Mock<IUserStore<IdmtUser>>();
+        _signInManagerMock = CreateSignInManagerMock(userStoreMock);
+
+        _tenantContextAccessorMock = new Mock<IMultiTenantContextAccessor<IdmtTenantInfo>>();
+
+        _idmtOptions = Options.Create(new IdmtOptions
+        {
+            MultiTenant = new MultiTenantOptions
+            {
+                StrategyOptions = new Dictionary<string, string>
+                {
+                    [IdmtMultiTenantStrategy.Claim] = TenantClaimKey
+                }
+            }
+        });
+
+        _tokenRevocationServiceMock = new Mock<ITokenRevocationService>();
+
+        _handler = new RefreshToken.RefreshTokenHandler(
+            _bearerOptionsMock.Object,
+            _timeProviderMock.Object,
+            _signInManagerMock.Object,
+            _tenantContextAccessorMock.Object,
+            _idmtOptions,
+            _tokenRevocationServiceMock.Object);
+    }
+
+    [Fact]
+    public async Task ReturnsInvalidToken_WhenTicketIsNull()
+    {
+        // Arrange - protector returns null (unprotect fails)
+        SetupBearerOptions(unprotectResult: null);
+
+        var request = new RefreshToken.RefreshTokenRequest("invalid-token");
+
+        // Act
+        var result = await _handler.HandleAsync(request);
+
+        // Assert
+        Assert.True(result.IsError);
+        Assert.Equal("Token.Invalid", result.FirstError.Code);
+    }
+
+    [Fact]
+    public async Task ReturnsInvalidToken_WhenTokenIsExpired()
+    {
+        // Arrange - token expired in the past
+        var expiredUtc = new DateTimeOffset(2025, 1, 1, 0, 0, 0, TimeSpan.Zero);
+        var ticket = CreateTicket(expiresUtc: expiredUtc);
+        SetupBearerOptions(unprotectResult: ticket);
+
+        // TimeProvider returns a time after expiry
+        _timeProviderMock
+            .Setup(t => t.GetUtcNow())
+            .Returns(expiredUtc.AddHours(1));
+
+        var request = new RefreshToken.RefreshTokenRequest("expired-token");
+
+        // Act
+        var result = await _handler.HandleAsync(request);
+
+        // Assert
+        Assert.True(result.IsError);
+        Assert.Equal("Token.Invalid", result.FirstError.Code);
+    }
+
+    [Fact]
+    public async Task ReturnsInvalidToken_WhenSecurityStampValidationFails()
+    {
+        // Arrange - security stamp validation returns null
+        var expiresUtc = new DateTimeOffset(2026, 1, 1, 0, 0, 0, TimeSpan.Zero);
+        var ticket = CreateTicket(expiresUtc: expiresUtc);
+        SetupBearerOptions(unprotectResult: ticket);
+
+        _timeProviderMock
+            .Setup(t => t.GetUtcNow())
+            .Returns(expiresUtc.AddHours(-1));
+
+        _signInManagerMock
+            .Setup(s => s.ValidateSecurityStampAsync(It.IsAny<ClaimsPrincipal>()))
+            .ReturnsAsync((IdmtUser?)null);
+
+        var request = new RefreshToken.RefreshTokenRequest("bad-stamp-token");
+
+        // Act
+        var result = await _handler.HandleAsync(request);
+
+        // Assert
+        Assert.True(result.IsError);
+        Assert.Equal("Token.Invalid", result.FirstError.Code);
+    }
+
+    [Fact]
+    public async Task ReturnsUnauthorized_WhenUserIsInactive()
+    {
+        // Arrange
+        var user = new IdmtUser { UserName = "test", Email = "test@test.com", IsActive = false, TenantId = "t1" };
+        var expiresUtc = new DateTimeOffset(2026, 1, 1, 0, 0, 0, TimeSpan.Zero);
+        var ticket = CreateTicket(expiresUtc: expiresUtc);
+        SetupBearerOptions(unprotectResult: ticket);
+
+        _timeProviderMock
+            .Setup(t => t.GetUtcNow())
+            .Returns(expiresUtc.AddHours(-1));
+
+        _signInManagerMock
+            .Setup(s => s.ValidateSecurityStampAsync(It.IsAny<ClaimsPrincipal>()))
+            .ReturnsAsync(user);
+
+        var request = new RefreshToken.RefreshTokenRequest("inactive-user-token");
+
+        // Act
+        var result = await _handler.HandleAsync(request);
+
+        // Assert
+        Assert.True(result.IsError);
+        Assert.Equal("Auth.Unauthorized", result.FirstError.Code);
+    }
+
+    [Fact]
+    public async Task ReturnsUnauthorized_WhenTokenTenantClaimIsNull()
+    {
+        // Arrange - ticket has no tenant claim
+        var user = new IdmtUser { UserName = "test", Email = "test@test.com", IsActive = true, TenantId = "t1" };
+        var expiresUtc = new DateTimeOffset(2026, 1, 1, 0, 0, 0, TimeSpan.Zero);
+        var ticket = CreateTicket(expiresUtc: expiresUtc, tenantClaim: null);
+        SetupBearerOptions(unprotectResult: ticket);
+
+        _timeProviderMock
+            .Setup(t => t.GetUtcNow())
+            .Returns(expiresUtc.AddHours(-1));
+
+        _signInManagerMock
+            .Setup(s => s.ValidateSecurityStampAsync(It.IsAny<ClaimsPrincipal>()))
+            .ReturnsAsync(user);
+
+        SetupTenantContext(TestTenantIdentifier);
+
+        var request = new RefreshToken.RefreshTokenRequest("no-tenant-claim-token");
+
+        // Act
+        var result = await _handler.HandleAsync(request);
+
+        // Assert
+        Assert.True(result.IsError);
+        Assert.Equal("Auth.Unauthorized", result.FirstError.Code);
+    }
+
+    [Fact]
+    public async Task ReturnsUnauthorized_WhenTokenTenantDoesNotMatchCurrentTenant()
+    {
+        // Arrange - token tenant is different from current tenant
+        var user = new IdmtUser { UserName = "test", Email = "test@test.com", IsActive = true, TenantId = "t1" };
+        var expiresUtc = new DateTimeOffset(2026, 1, 1, 0, 0, 0, TimeSpan.Zero);
+        var ticket = CreateTicket(expiresUtc: expiresUtc, tenantClaim: "other-tenant");
+        SetupBearerOptions(unprotectResult: ticket);
+
+        _timeProviderMock
+            .Setup(t => t.GetUtcNow())
+            .Returns(expiresUtc.AddHours(-1));
+
+        _signInManagerMock
+            .Setup(s => s.ValidateSecurityStampAsync(It.IsAny<ClaimsPrincipal>()))
+            .ReturnsAsync(user);
+
+        SetupTenantContext(TestTenantIdentifier);
+
+        var request = new RefreshToken.RefreshTokenRequest("wrong-tenant-token");
+
+        // Act
+        var result = await _handler.HandleAsync(request);
+
+        // Assert
+        Assert.True(result.IsError);
+        Assert.Equal("Auth.Unauthorized", result.FirstError.Code);
+    }
+
+    [Fact]
+    public async Task ReturnsUnauthorized_WhenCurrentTenantIsNull()
+    {
+        // Arrange - current tenant context is null
+        var user = new IdmtUser { UserName = "test", Email = "test@test.com", IsActive = true, TenantId = "t1" };
+        var expiresUtc = new DateTimeOffset(2026, 1, 1, 0, 0, 0, TimeSpan.Zero);
+        var ticket = CreateTicket(expiresUtc: expiresUtc, tenantClaim: TestTenantIdentifier);
+        SetupBearerOptions(unprotectResult: ticket);
+
+        _timeProviderMock
+            .Setup(t => t.GetUtcNow())
+            .Returns(expiresUtc.AddHours(-1));
+
+        _signInManagerMock
+            .Setup(s => s.ValidateSecurityStampAsync(It.IsAny<ClaimsPrincipal>()))
+            .ReturnsAsync(user);
+
+        // No tenant context set - accessor returns null
+        _tenantContextAccessorMock
+            .SetupGet(a => a.MultiTenantContext)
+            .Returns((IMultiTenantContext<IdmtTenantInfo>)null!);
+
+        var request = new RefreshToken.RefreshTokenRequest("null-tenant-token");
+
+        // Act
+        var result = await _handler.HandleAsync(request);
+
+        // Assert
+        Assert.True(result.IsError);
+        Assert.Equal("Auth.Unauthorized", result.FirstError.Code);
+    }
+
+    [Fact]
+    public async Task ReturnsTokenRevoked_WhenTokenIsRevoked()
+    {
+        // Arrange - set up a valid refresh ticket that passes all existing checks
+        var tenantId = "tid-12345";
+        var user = new IdmtUser { UserName = "test", Email = "test@test.com", IsActive = true, TenantId = tenantId };
+        var expiresUtc = new DateTimeOffset(2026, 6, 1, 0, 0, 0, TimeSpan.Zero);
+        var issuedUtc = new DateTimeOffset(2026, 5, 2, 0, 0, 0, TimeSpan.Zero);
+        var ticket = CreateTicket(expiresUtc: expiresUtc, tenantClaim: TestTenantIdentifier, issuedUtc: issuedUtc);
+        SetupBearerOptions(unprotectResult: ticket);
+
+        _timeProviderMock
+            .Setup(t => t.GetUtcNow())
+            .Returns(expiresUtc.AddHours(-1));
+
+        _signInManagerMock
+            .Setup(s => s.ValidateSecurityStampAsync(It.IsAny<ClaimsPrincipal>()))
+            .ReturnsAsync(user);
+
+        SetupTenantContext(TestTenantIdentifier, tenantId);
+
+        _tokenRevocationServiceMock
+            .Setup(x => x.IsTokenRevokedAsync(user.Id, tenantId, issuedUtc, It.IsAny<CancellationToken>()))
+            .ReturnsAsync(true);
+
+        var request = new RefreshToken.RefreshTokenRequest("revoked-token");
+
+        // Act
+        var result = await _handler.HandleAsync(request);
+
+        // Assert
+        Assert.True(result.IsError);
+        Assert.Equal("Token.Revoked", result.FirstError.Code);
+    }
+
+    #region Helpers
+
+    private static Mock<SignInManager<IdmtUser>> CreateSignInManagerMock(Mock<IUserStore<IdmtUser>> userStoreMock)
+    {
+        var userManagerMock = new Mock<UserManager<IdmtUser>>(
+            userStoreMock.Object, null!, null!, null!, null!, null!, null!, null!, null!);
+
+        return new Mock<SignInManager<IdmtUser>>(
+            userManagerMock.Object,
+            new Mock<Microsoft.AspNetCore.Http.IHttpContextAccessor>().Object,
+            new Mock<IUserClaimsPrincipalFactory<IdmtUser>>().Object,
+            null!, null!, null!, null!);
+    }
+
+    private void SetupBearerOptions(AuthenticationTicket? unprotectResult)
+    {
+        var protectorMock = new Mock<ISecureDataFormat<AuthenticationTicket>>();
+        protectorMock
+            .Setup(p => p.Unprotect(It.IsAny<string>()))
+            .Returns(unprotectResult!);
+
+        var bearerOptions = new BearerTokenOptions
+        {
+            RefreshTokenProtector = protectorMock.Object
+        };
+
+        _bearerOptionsMock
+            .Setup(o => o.Get(IdentityConstants.BearerScheme))
+            .Returns(bearerOptions);
+    }
+
+    private static AuthenticationTicket CreateTicket(
+        DateTimeOffset? expiresUtc,
+        string? tenantClaim = TestTenantIdentifier,
+        DateTimeOffset? issuedUtc = null)
+    {
+        var claims = new List<Claim>
+        {
+            new(ClaimTypes.Name, "testuser"),
+            new(ClaimTypes.NameIdentifier, Guid.NewGuid().ToString())
+        };
+
+        if (tenantClaim is not null)
+        {
+            claims.Add(new Claim(TenantClaimKey, tenantClaim));
+        }
+
+        var identity = new ClaimsIdentity(claims, "Bearer");
+        var principal = new ClaimsPrincipal(identity);
+
+        var properties = new AuthenticationProperties
+        {
+            ExpiresUtc = expiresUtc,
+            IssuedUtc = issuedUtc
+        };
+
+        return new AuthenticationTicket(principal, properties, IdentityConstants.BearerScheme);
+    }
+
+    private void SetupTenantContext(string? tenantIdentifier, string? tenantId = null)
+    {
+        if (tenantIdentifier is null)
+        {
+            _tenantContextAccessorMock
+                .SetupGet(a => a.MultiTenantContext)
+                .Returns((IMultiTenantContext<IdmtTenantInfo>)null!);
+        }
+        else
+        {
+            var tenantInfo = tenantId is not null
+                ? new IdmtTenantInfo(tenantId, tenantIdentifier, tenantIdentifier)
+                : new IdmtTenantInfo(tenantIdentifier, tenantIdentifier);
+            var tenantContext = new MultiTenantContext<IdmtTenantInfo>(tenantInfo);
+            _tenantContextAccessorMock
+                .SetupGet(a => a.MultiTenantContext)
+                .Returns(tenantContext);
+        }
+    }
+
+    #endregion
+}
diff --git a/src/tests/Idmt.UnitTests/Features/Auth/ResendConfirmationEmailHandlerTests.cs b/src/tests/Idmt.UnitTests/Features/Auth/ResendConfirmationEmailHandlerTests.cs
new file mode 100644
index 0000000..e9199c0
--- /dev/null
+++ b/src/tests/Idmt.UnitTests/Features/Auth/ResendConfirmationEmailHandlerTests.cs
@@ -0,0 +1,63 @@
+using Idmt.Plugin.Features.Auth;
+using Idmt.Plugin.Models;
+using Idmt.Plugin.Services;
+using Microsoft.AspNetCore.Identity;
+using Microsoft.Extensions.Logging.Abstractions;
+using Moq;
+
+namespace Idmt.UnitTests.Features.Auth;
+
+public class ResendConfirmationEmailHandlerTests
+{
+    private readonly Mock<UserManager<IdmtUser>> _userManagerMock;
+    private readonly Mock<IEmailSender<IdmtUser>> _emailSenderMock;
+    private readonly Mock<IIdmtLinkGenerator> _linkGeneratorMock;
+    private readonly ResendConfirmationEmail.ResendConfirmationEmailHandler _handler;
+
+    public ResendConfirmationEmailHandlerTests()
+    {
+        _userManagerMock = new Mock<UserManager<IdmtUser>>(
+            new Mock<IUserStore<IdmtUser>>().Object, null!, null!, null!, null!, null!, null!, null!, null!);
+
+        _emailSenderMock = new Mock<IEmailSender<IdmtUser>>();
+        _linkGeneratorMock = new Mock<IIdmtLinkGenerator>();
+
+        _handler = new ResendConfirmationEmail.ResendConfirmationEmailHandler(
+            _userManagerMock.Object,
+            _linkGeneratorMock.Object,
+            _emailSenderMock.Object,
+            NullLogger<ResendConfirmationEmail.ResendConfirmationEmailHandler>.Instance);
+    }
+
+    [Fact]
+    public async Task ReturnsSuccess_WhenEmailAlreadyConfirmed()
+    {
+        // Arrange
+        var user = new IdmtUser
+        {
+            UserName = "confirmed",
+            Email = "confirmed@test.com",
+            EmailConfirmed = true,
+            IsActive = true,
+            TenantId = "t1"
+        };
+
+        _userManagerMock
+            .Setup(u => u.FindByEmailAsync("confirmed@test.com"))
+            .ReturnsAsync(user);
+
+        var request = new ResendConfirmationEmail.ResendConfirmationEmailRequest("confirmed@test.com");
+
+        // Act
+        var result = await _handler.HandleAsync(request);
+
+        // Assert - returns success but no email should be sent
+        Assert.False(result.IsError);
+        _emailSenderMock.Verify(
+            e => e.SendConfirmationLinkAsync(It.IsAny<IdmtUser>(), It.IsAny<string>(), It.IsAny<string>()),
+            Times.Never);
+        _userManagerMock.Verify(
+            u => u.GenerateEmailConfirmationTokenAsync(It.IsAny<IdmtUser>()),
+            Times.Never);
+    }
+}
diff --git a/src/tests/Idmt.UnitTests/Features/Auth/ResetPasswordHandlerTests.cs b/src/tests/Idmt.UnitTests/Features/Auth/ResetPasswordHandlerTests.cs
new file mode 100644
index 0000000..84f3d3c
--- /dev/null
+++ b/src/tests/Idmt.UnitTests/Features/Auth/ResetPasswordHandlerTests.cs
@@ -0,0 +1,153 @@
+using ErrorOr;
+using Idmt.Plugin.Features.Auth;
+using Idmt.Plugin.Models;
+using Idmt.Plugin.Services;
+using Microsoft.AspNetCore.Identity;
+using Microsoft.Extensions.Logging.Abstractions;
+using Moq;
+
+namespace Idmt.UnitTests.Features.Auth;
+
+public class ResetPasswordHandlerTests
+{
+    private readonly Mock<ITenantOperationService> _tenantOpsMock;
+    private readonly ResetPassword.ResetPasswordHandler _handler;
+
+    public ResetPasswordHandlerTests()
+    {
+        _tenantOpsMock = new Mock<ITenantOperationService>();
+
+        _handler = new ResetPassword.ResetPasswordHandler(
+            _tenantOpsMock.Object,
+            NullLogger<ResetPassword.ResetPasswordHandler>.Instance);
+    }
+
+    [Fact]
+    public async Task ReturnsResetFailed_WhenUserIsInactive()
+    {
+        // Arrange
+        var user = new IdmtUser
+        {
+            UserName = "inactive",
+            Email = "inactive@test.com",
+            IsActive = false,
+            TenantId = "t1"
+        };
+
+        var userManagerMock = new Mock<UserManager<IdmtUser>>(
+            new Mock<IUserStore<IdmtUser>>().Object, null!, null!, null!, null!, null!, null!, null!, null!);
+
+        userManagerMock
+            .Setup(u => u.FindByEmailAsync("inactive@test.com"))
+            .ReturnsAsync(user);
+
+        SetupTenantOpsToInvokeLambda(userManagerMock);
+
+        var request = new ResetPassword.ResetPasswordRequest("test-tenant", "inactive@test.com", "token", "NewPass123!");
+
+        // Act
+        var result = await _handler.HandleAsync(request);
+
+        // Assert
+        Assert.True(result.IsError);
+        Assert.Equal("Password.ResetFailed", result.FirstError.Code);
+    }
+
+    [Fact]
+    public async Task ReturnsResetFailed_WhenIdentityResetFails()
+    {
+        // Arrange
+        var user = new IdmtUser
+        {
+            UserName = "testuser",
+            Email = "test@test.com",
+            IsActive = true,
+            TenantId = "t1"
+        };
+
+        var userManagerMock = new Mock<UserManager<IdmtUser>>(
+            new Mock<IUserStore<IdmtUser>>().Object, null!, null!, null!, null!, null!, null!, null!, null!);
+
+        userManagerMock
+            .Setup(u => u.FindByEmailAsync("test@test.com"))
+            .ReturnsAsync(user);
+
+        userManagerMock
+            .Setup(u => u.ResetPasswordAsync(user, "bad-token", "NewPass123!"))
+            .ReturnsAsync(IdentityResult.Failed(new IdentityError { Code = "InvalidToken", Description = "Invalid token" }));
+
+        SetupTenantOpsToInvokeLambda(userManagerMock);
+
+        var request = new ResetPassword.ResetPasswordRequest("test-tenant", "test@test.com", "bad-token", "NewPass123!");
+
+        // Act
+        var result = await _handler.HandleAsync(request);
+
+        // Assert
+        Assert.True(result.IsError);
+        Assert.Equal("Password.ResetFailed", result.FirstError.Code);
+    }
+
+    [Fact]
+    public async Task SetsEmailConfirmed_WhenUserEmailWasUnconfirmed()
+    {
+        // Arrange
+        var user = new IdmtUser
+        {
+            UserName = "testuser",
+            Email = "test@test.com",
+            IsActive = true,
+            EmailConfirmed = false,
+            TenantId = "t1"
+        };
+
+        var userManagerMock = new Mock<UserManager<IdmtUser>>(
+            new Mock<IUserStore<IdmtUser>>().Object, null!, null!, null!, null!, null!, null!, null!, null!);
+
+        userManagerMock
+            .Setup(u => u.FindByEmailAsync("test@test.com"))
+            .ReturnsAsync(user);
+
+        userManagerMock
+            .Setup(u => u.ResetPasswordAsync(user, "valid-token", "NewPass123!"))
+            .ReturnsAsync(IdentityResult.Success);
+
+        userManagerMock
+            .Setup(u => u.UpdateAsync(user))
+            .ReturnsAsync(IdentityResult.Success);
+
+        SetupTenantOpsToInvokeLambda(userManagerMock);
+
+        var request = new ResetPassword.ResetPasswordRequest("test-tenant", "test@test.com", "valid-token", "NewPass123!");
+
+        // Act
+        var result = await _handler.HandleAsync(request);
+
+        // Assert
+        Assert.False(result.IsError);
+        Assert.True(user.EmailConfirmed);
+        userManagerMock.Verify(u => u.UpdateAsync(user), Times.Once);
+    }
+
+    #region Helpers
+
+    private void SetupTenantOpsToInvokeLambda(Mock<UserManager<IdmtUser>> userManagerMock)
+    {
+        _tenantOpsMock
+            .Setup(t => t.ExecuteInTenantScopeAsync(
+                It.IsAny<string>(),
+                It.IsAny<Func<IServiceProvider, Task<ErrorOr<Success>>>>(),
+                It.IsAny<bool>()))
+            .Returns<string, Func<IServiceProvider, Task<ErrorOr<Success>>>, bool>(
+                async (_, operation, _) =>
+                {
+                    var serviceProviderMock = new Mock<IServiceProvider>();
+                    serviceProviderMock
+                        .Setup(sp => sp.GetService(typeof(UserManager<IdmtUser>)))
+                        .Returns(userManagerMock.Object);
+                    return await operation(serviceProviderMock.Object);
+                });
+    }
+
+    #endregion
+}
diff --git a/src/tests/Idmt.UnitTests/Features/Auth/TokenLoginHandlerTests.cs b/src/tests/Idmt.UnitTests/Features/Auth/TokenLoginHandlerTests.cs
new file mode 100644
index 0000000..4bfd6b8
--- /dev/null
+++ b/src/tests/Idmt.UnitTests/Features/Auth/TokenLoginHandlerTests.cs
@@ -0,0 +1,200 @@
+using System.Security.Claims;
+using Finbuckle.MultiTenant.Abstractions;
+using Idmt.Plugin.Features.Auth;
+using Idmt.Plugin.Models;
+using Microsoft.AspNetCore.Authentication;
+using Microsoft.AspNetCore.Authentication.BearerToken;
+using Microsoft.AspNetCore.Http;
+using Microsoft.AspNetCore.Identity;
+using Microsoft.Extensions.Logging.Abstractions;
+using Microsoft.Extensions.Options;
+using Moq;
+
+namespace Idmt.UnitTests.Features.Auth;
+
+public class TokenLoginHandlerTests
+{
+    private readonly Mock<UserManager<IdmtUser>> _userManagerMock;
+    private readonly Mock<SignInManager<IdmtUser>> _signInManagerMock;
+    private readonly Mock<IMultiTenantContextAccessor> _tenantAccessorMock;
+    private readonly Mock<IOptionsMonitor<BearerTokenOptions>> _bearerOptionsMock;
+    private readonly Mock<TimeProvider> _timeProviderMock;
+    private readonly Login.TokenLoginHandler _handler;
+
+    public TokenLoginHandlerTests()
+    {
+        var userStoreMock = Mock.Of<IUserStore<IdmtUser>>();
+        _userManagerMock = new Mock<UserManager<IdmtUser>>(
+            userStoreMock,
+            null!, null!, null!, null!, null!, null!, null!, null!);
+
+        var httpContextAccessorMock = new Mock<IHttpContextAccessor>();
+        var httpContext = new DefaultHttpContext();
+        httpContextAccessorMock.Setup(x => x.HttpContext).Returns(httpContext);
+
+        _signInManagerMock = new Mock<SignInManager<IdmtUser>>(
+            _userManagerMock.Object,
+            httpContextAccessorMock.Object,
+            Mock.Of<IUserClaimsPrincipalFactory<IdmtUser>>(),
+            Mock.Of<IOptions<IdentityOptions>>(),
+            NullLogger<SignInManager<IdmtUser>>.Instance,
+            Mock.Of<IAuthenticationSchemeProvider>(),
+            Mock.Of<IUserConfirmation<IdmtUser>>());
+
+        _tenantAccessorMock = new Mock<IMultiTenantContextAccessor>();
+        _bearerOptionsMock = new Mock<IOptionsMonitor<BearerTokenOptions>>();
+        _timeProviderMock = new Mock<TimeProvider>();
+        _timeProviderMock.Setup(x => x.GetUtcNow()).Returns(new DateTimeOffset(2026, 1, 1, 0, 0, 0, TimeSpan.Zero));
+
+        _handler = new Login.TokenLoginHandler(
+            _userManagerMock.Object,
+            _signInManagerMock.Object,
+            _tenantAccessorMock.Object,
+            _bearerOptionsMock.Object,
+            _timeProviderMock.Object,
+            NullLogger<Login.TokenLoginHandler>.Instance);
+    }
+
+    private static Login.LoginRequest CreateRequest(
+        string? email = "test@example.com",
+        string? username = null,
+        string password = "Password123!") =>
+        new()
+        {
+            Email = email,
+            Username = username,
+            Password = password
+        };
+
+    private void SetupActiveTenant()
+    {
+        var tenant = new IdmtTenantInfo("tenant-id", "test-tenant", "Test Tenant");
+        var context = new MultiTenantContext<IdmtTenantInfo>(tenant);
+        _tenantAccessorMock.Setup(x => x.MultiTenantContext).Returns(context);
+    }
+
+    private static IdmtUser CreateActiveUser() =>
+        new()
+        {
+            Id = Guid.NewGuid(),
+            Email = "test@example.com",
+            UserName = "testuser",
+            TenantId = "tenant-id",
+            IsActive = true
+        };
+
+    private void SetupBearerTokenOptions()
+    {
+        var bearerOptions = new BearerTokenOptions
+        {
+            BearerTokenExpiration = TimeSpan.FromHours(1),
+            RefreshTokenExpiration = TimeSpan.FromDays(14)
+        };
+
+        // Setup the ticket data format protectors
+        var accessProtectorMock = new Mock<ISecureDataFormat<AuthenticationTicket>>();
+        accessProtectorMock.Setup(x => x.Protect(It.IsAny<AuthenticationTicket>()))
+            .Returns("test-access-token");
+
+        var refreshProtectorMock = new Mock<ISecureDataFormat<AuthenticationTicket>>();
+        refreshProtectorMock.Setup(x => x.Protect(It.IsAny<AuthenticationTicket>()))
+            .Returns("test-refresh-token");
+
+        bearerOptions.BearerTokenProtector = accessProtectorMock.Object;
+        bearerOptions.RefreshTokenProtector = refreshProtectorMock.Object;
+
+        _bearerOptionsMock.Setup(x => x.Get(IdentityConstants.BearerScheme)).Returns(bearerOptions);
+    }
+
+    [Fact]
+    public async Task ReturnsNotResolved_WhenTenantContextIsNull()
+    {
+        _tenantAccessorMock.Setup(x => x.MultiTenantContext).Returns((IMultiTenantContext)null!);
+
+        var result = await _handler.HandleAsync(CreateRequest());
+
+        Assert.True(result.IsError);
+        Assert.Equal("Tenant.NotResolved", result.FirstError.Code);
+    }
+
+    [Fact]
+    public async Task ReturnsInactive_WhenTenantIsInactive()
+    {
+        var tenant = new IdmtTenantInfo("tenant-id", "test-tenant", "Test Tenant") { IsActive = false };
+        var context = new MultiTenantContext<IdmtTenantInfo>(tenant);
+        _tenantAccessorMock.Setup(x => x.MultiTenantContext).Returns(context);
+
+        var result = await _handler.HandleAsync(CreateRequest());
+
+        Assert.True(result.IsError);
+        Assert.Equal("Tenant.Inactive", result.FirstError.Code);
+    }
+
+    [Fact]
+    public async Task ReturnsUnauthorized_WhenUserIsInactive()
+    {
+        SetupActiveTenant();
+        var inactiveUser = CreateActiveUser();
+        inactiveUser.IsActive = false;
+
+        _userManagerMock.Setup(x => x.FindByEmailAsync("test@example.com"))
+            .ReturnsAsync(inactiveUser);
+
+        var result = await _handler.HandleAsync(CreateRequest());
+
+        Assert.True(result.IsError);
+        Assert.Equal("Auth.Unauthorized", result.FirstError.Code);
+    }
+
+    [Fact]
+    public async Task ReturnsLockedOut_WhenPasswordCheckReturnsLockedOut()
+    {
+        SetupActiveTenant();
+        var user = CreateActiveUser();
+        _userManagerMock.Setup(x => x.FindByEmailAsync("test@example.com")).ReturnsAsync(user);
+        _signInManagerMock.Setup(x => x.CheckPasswordSignInAsync(user, "Password123!", true))
+            .ReturnsAsync(SignInResult.LockedOut);
+
+        var result = await _handler.HandleAsync(CreateRequest());
+
+        Assert.True(result.IsError);
+        Assert.Equal("Auth.LockedOut", result.FirstError.Code);
+    }
+
+    [Fact]
+    public async Task ReturnsTokenResponse_OnSuccessfulLogin()
+    {
+        SetupActiveTenant();
+        SetupBearerTokenOptions();
+        var user = CreateActiveUser();
+
+        _userManagerMock.Setup(x => x.FindByEmailAsync("test@example.com")).ReturnsAsync(user);
+        _signInManagerMock.Setup(x => x.CheckPasswordSignInAsync(user, "Password123!", true))
+            .ReturnsAsync(SignInResult.Success);
+        _signInManagerMock.Setup(x => x.CreateUserPrincipalAsync(user))
+            .ReturnsAsync(new ClaimsPrincipal(new ClaimsIdentity()));
+        _userManagerMock.Setup(x => x.UpdateAsync(user)).ReturnsAsync(IdentityResult.Success);
+
+        var result = await _handler.HandleAsync(CreateRequest());
+
+        Assert.False(result.IsError);
+        var response = result.Value;
+        Assert.Equal("test-access-token", response.AccessToken);
+        Assert.Equal("test-refresh-token", response.RefreshToken);
+        Assert.Equal(3600L, response.ExpiresIn); // 1 hour in seconds
+        Assert.Equal("Bearer", response.TokenType);
+    }
+
+    [Fact]
+    public async Task ReturnsUnexpected_WhenExceptionIsThrown()
+    {
+        SetupActiveTenant();
+        _userManagerMock.Setup(x => x.FindByEmailAsync(It.IsAny<string>()))
+            .ThrowsAsync(new InvalidOperationException("Database connection lost"));
+
+        var result = await _handler.HandleAsync(CreateRequest());
+
+        Assert.True(result.IsError);
+        Assert.Equal("General.Unexpected", result.FirstError.Code);
+    }
+}
diff --git a/src/tests/Idmt.UnitTests/Features/Health/BasicHealthCheckTests.cs b/src/tests/Idmt.UnitTests/Features/Health/BasicHealthCheckTests.cs
new file mode 100644
index 0000000..00de325
--- /dev/null
+++ b/src/tests/Idmt.UnitTests/Features/Health/BasicHealthCheckTests.cs
@@ -0,0 +1,159 @@
+using Finbuckle.MultiTenant.Abstractions;
+using Idmt.Plugin.Features.Health;
+using Idmt.Plugin.Models;
+using Idmt.Plugin.Persistence;
+using Idmt.Plugin.Services;
+using Microsoft.EntityFrameworkCore;
+using Microsoft.EntityFrameworkCore.Infrastructure;
+using Microsoft.Extensions.Diagnostics.HealthChecks;
+using Microsoft.Extensions.Logging.Abstractions;
+using Moq;
+
+namespace Idmt.UnitTests.Features.Health;
+
+public class BasicHealthCheckTests
+{
+    private readonly Mock<TimeProvider> _timeProviderMock;
+    private readonly DateTimeOffset _fixedTime = new(2026, 3, 4, 12, 0, 0, TimeSpan.Zero);
+
+    public BasicHealthCheckTests()
+    {
+        _timeProviderMock = new Mock<TimeProvider>();
+        _timeProviderMock.Setup(x => x.GetUtcNow()).Returns(_fixedTime);
+    }
+
+    [Fact]
+    public async Task ReturnsUnhealthy_WhenDatabaseCannotConnect()
+    {
+        // Arrange - use a provider that won't actually connect
+        var dbContext = CreateDbContextWithCanConnect(false);
+        var healthCheck = new BasicHealthCheck(dbContext, _timeProviderMock.Object);
+
+        // Act
+        var result = await healthCheck.CheckHealthAsync(
+            new HealthCheckContext(), CancellationToken.None);
+
+        // Assert
+        Assert.Equal(HealthStatus.Unhealthy, result.Status);
+        Assert.Equal("Database connection failed", result.Description);
+        Assert.NotNull(result.Data);
+        Assert.Equal(false, result.Data["database_connected"]);
+        Assert.Equal(_fixedTime.UtcDateTime, result.Data["timestamp"]);
+    }
+
+    [Fact]
+    public async Task ReturnsUnhealthy_WhenExceptionThrown()
+    {
+        // Arrange - use a context that throws on CanConnectAsync
+        var dbContext = CreateDbContextThatThrows(new InvalidOperationException("Connection refused"));
+        var healthCheck = new BasicHealthCheck(dbContext, _timeProviderMock.Object);
+
+        // Act
+        var result = await healthCheck.CheckHealthAsync(
+            new HealthCheckContext(), CancellationToken.None);
+
+        // Assert
+        Assert.Equal(HealthStatus.Unhealthy, result.Status);
+        Assert.Equal("Database is unhealthy", result.Description);
+        Assert.NotNull(result.Exception);
+        Assert.IsType<InvalidOperationException>(result.Exception);
+        Assert.Equal("Connection refused", result.Exception.Message);
+        Assert.NotNull(result.Data);
+        Assert.Equal(_fixedTime.UtcDateTime, result.Data["timestamp"]);
+    }
+
+    [Fact]
+    public async Task ReturnsHealthy_WithExpectedData()
+    {
+        // Arrange - use InMemory which will successfully "connect"
+        var dbContext = CreateDbContextWithCanConnect(true);
+        var healthCheck = new BasicHealthCheck(dbContext, _timeProviderMock.Object);
+
+        // Act
+        var result = await healthCheck.CheckHealthAsync(
+            new HealthCheckContext(), CancellationToken.None);
+
+        // Assert
+        Assert.Equal(HealthStatus.Healthy, result.Status);
+        Assert.Equal("Database is healthy", result.Description);
+        Assert.NotNull(result.Data);
+        Assert.Equal(true, result.Data["database_connected"]);
+        Assert.Equal(_fixedTime.UtcDateTime, result.Data["timestamp"]);
+    }
+
+    private IdmtDbContext CreateDbContextWithCanConnect(bool canConnect)
+    {
+        var tenantAccessorMock = new Mock<IMultiTenantContextAccessor>();
+        var currentUserServiceMock = new Mock<ICurrentUserService>();
+        var dummyTenant = new IdmtTenantInfo("sys-id", "system-test", "System Test");
+        var dummyContext = new MultiTenantContext<IdmtTenantInfo>(dummyTenant);
+        tenantAccessorMock.SetupGet(x => x.MultiTenantContext).Returns(dummyContext);
+
+        if (canConnect)
+        {
+            // InMemory database will return true for CanConnectAsync
+            var options = new DbContextOptionsBuilder<IdmtDbContext>()
+                .UseInMemoryDatabase(databaseName: Guid.NewGuid().ToString())
+                .Options;
+
+            return new IdmtDbContext(
+                tenantAccessorMock.Object,
+                options,
+                currentUserServiceMock.Object,
+                TimeProvider.System,
+                NullLogger<IdmtDbContext>.Instance);
+        }
+        else
+        {
+            // Use a connection string that will fail - SQLite with invalid path
+            var options = new DbContextOptionsBuilder<IdmtDbContext>()
+                .UseInMemoryDatabase(databaseName: Guid.NewGuid().ToString())
+                .Options;
+
+            var dbContext = new Mock<IdmtDbContext>(
+                tenantAccessorMock.Object,
+                options,
+                currentUserServiceMock.Object,
+                TimeProvider.System,
+                NullLogger<IdmtDbContext>.Instance)
+            { CallBase = true };
+
+            var databaseMock = new Mock<DatabaseFacade>(dbContext.Object);
+            databaseMock
+                .Setup(d => d.CanConnectAsync(It.IsAny<CancellationToken>()))
+                .ReturnsAsync(false);
+            dbContext.SetupGet(x => x.Database).Returns(databaseMock.Object);
+
+            return dbContext.Object;
+        }
+    }
+
+    private IdmtDbContext CreateDbContextThatThrows(Exception exception)
+    {
+        var tenantAccessorMock = new Mock<IMultiTenantContextAccessor>();
+        var currentUserServiceMock = new Mock<ICurrentUserService>();
+        var dummyTenant = new IdmtTenantInfo("sys-id", "system-test", "System Test");
+        var dummyContext = new MultiTenantContext<IdmtTenantInfo>(dummyTenant);
+        tenantAccessorMock.SetupGet(x => x.MultiTenantContext).Returns(dummyContext);
+
+        var options = new DbContextOptionsBuilder<IdmtDbContext>()
+            .UseInMemoryDatabase(databaseName: Guid.NewGuid().ToString())
+            .Options;
+
+        var dbContext = new Mock<IdmtDbContext>(
+            tenantAccessorMock.Object,
+            options,
+            currentUserServiceMock.Object,
+            TimeProvider.System,
+            NullLogger<IdmtDbContext>.Instance)
+        { CallBase = true };
+
+        var databaseMock = new Mock<DatabaseFacade>(dbContext.Object);
+        databaseMock
+            .Setup(d => d.CanConnectAsync(It.IsAny<CancellationToken>()))
+            .ThrowsAsync(exception);
+        dbContext.SetupGet(x => x.Database).Returns(databaseMock.Object);
+
+        return dbContext.Object;
+    }
+}
diff --git a/src/tests/Idmt.UnitTests/Features/Manage/GetUserInfoHandlerTests.cs b/src/tests/Idmt.UnitTests/Features/Manage/GetUserInfoHandlerTests.cs
new file mode 100644
index 0000000..8f241ce
--- /dev/null
+++ b/src/tests/Idmt.UnitTests/Features/Manage/GetUserInfoHandlerTests.cs
@@ -0,0 +1,197 @@
+using System.Security.Claims;
+using ErrorOr;
+using Finbuckle.MultiTenant.Abstractions;
+using Idmt.Plugin.Features.Manage;
+using Idmt.Plugin.Models;
+using Microsoft.AspNetCore.Identity;
+using Moq;
+
+namespace Idmt.UnitTests.Features.Manage;
+
+public class GetUserInfoHandlerTests
+{
+    private readonly Mock<UserManager<IdmtUser>> _userManagerMock;
+    private readonly Mock<IMultiTenantStore<IdmtTenantInfo>> _tenantStoreMock;
+    private readonly GetUserInfo.GetUserInfoHandler _handler;
+
+    public GetUserInfoHandlerTests()
+    {
+        var userStoreMock = new Mock<IUserStore<IdmtUser>>();
+        _userManagerMock = new Mock<UserManager<IdmtUser>>(
+            userStoreMock.Object, null!, null!, null!, null!, null!, null!, null!, null!);
+
+        _tenantStoreMock = new Mock<IMultiTenantStore<IdmtTenantInfo>>();
+
+        _handler = new GetUserInfo.GetUserInfoHandler(
+            _userManagerMock.Object,
+            _tenantStoreMock.Object);
+    }
+
+    [Fact]
+    public async Task ReturnsClaimsNotFound_WhenEmailClaimMissing()
+    {
+        // Arrange - principal with no email claim
+        var principal = new ClaimsPrincipal(new ClaimsIdentity([
+            new Claim(ClaimTypes.Name, "testuser")
+        ], "Bearer"));
+
+        // Act
+        var result = await _handler.HandleAsync(principal);
+
+        // Assert
+        Assert.True(result.IsError);
+        Assert.Equal("User.ClaimsNotFound", result.FirstError.Code);
+        Assert.Equal(ErrorType.Validation, result.FirstError.Type);
+    }
+
+    [Fact]
+    public async Task ReturnsNotFound_WhenUserDoesNotExistInDb()
+    {
+        // Arrange
+        var principal = CreatePrincipalWithEmail("nonexistent@test.com");
+        _userManagerMock.Setup(x => x.FindByEmailAsync("nonexistent@test.com"))
+            .ReturnsAsync((IdmtUser?)null);
+
+        // Act
+        var result = await _handler.HandleAsync(principal);
+
+        // Assert
+        Assert.True(result.IsError);
+        Assert.Equal("User.NotFound", result.FirstError.Code);
+        Assert.Equal(ErrorType.NotFound, result.FirstError.Type);
+    }
+
+    [Fact]
+    public async Task ReturnsNotFound_WhenUserIsInactive()
+    {
+        // Arrange
+        var principal = CreatePrincipalWithEmail("inactive@test.com");
+        var user = new IdmtUser
+        {
+            UserName = "inactive",
+            Email = "inactive@test.com",
+            TenantId = "tenant-1",
+            IsActive = false
+        };
+        _userManagerMock.Setup(x => x.FindByEmailAsync("inactive@test.com")).ReturnsAsync(user);
+
+        // Act
+        var result = await _handler.HandleAsync(principal);
+
+        // Assert
+        Assert.True(result.IsError);
+        Assert.Equal("User.NotFound", result.FirstError.Code);
+    }
+
+    [Fact]
+    public async Task ReturnsNoRolesAssigned_WhenUserHasNoRoles()
+    {
+        // Arrange
+        var principal = CreatePrincipalWithEmail("noroles@test.com");
+        var user = new IdmtUser
+        {
+            UserName = "noroles",
+            Email = "noroles@test.com",
+            TenantId = "tenant-1",
+            IsActive = true
+        };
+        _userManagerMock.Setup(x => x.FindByEmailAsync("noroles@test.com")).ReturnsAsync(user);
+        _userManagerMock.Setup(x => x.GetRolesAsync(user)).ReturnsAsync([]);
+
+        // Act
+        var result = await _handler.HandleAsync(principal);
+
+        // Assert
+        Assert.True(result.IsError);
+        Assert.Equal("User.NoRolesAssigned", result.FirstError.Code);
+        Assert.Equal(ErrorType.Validation, result.FirstError.Type);
+    }
+
+    [Fact]
+    public async Task ReturnsTenantNotFound_WhenTenantDoesNotExist()
+    {
+        // Arrange
+        var principal = CreatePrincipalWithEmail("user@test.com");
+        var user = new IdmtUser
+        {
+            UserName = "testuser",
+            Email = "user@test.com",
+            TenantId = "missing-tenant",
+            IsActive = true
+        };
+        _userManagerMock.Setup(x => x.FindByEmailAsync("user@test.com")).ReturnsAsync(user);
+        _userManagerMock.Setup(x => x.GetRolesAsync(user)).ReturnsAsync(["TenantAdmin"]);
+        _tenantStoreMock.Setup(x => x.GetAsync("missing-tenant")).ReturnsAsync((IdmtTenantInfo?)null);
+
+        // Act
+        var result = await _handler.HandleAsync(principal);
+
+        // Assert
+        Assert.True(result.IsError);
+        Assert.Equal("Tenant.NotFound", result.FirstError.Code);
+        Assert.Equal(ErrorType.NotFound, result.FirstError.Type);
+    }
+
+    [Fact]
+    public async Task ReturnsAllRoles_WhenUserHasSingleRole()
+    {
+        // Arrange
+        var principal = CreatePrincipalWithEmail("user@test.com");
+        var user = new IdmtUser
+        {
+            UserName = "testuser",
+            Email = "user@test.com",
+            TenantId = "tenant-1",
+            IsActive = true
+        };
+        var tenant = new IdmtTenantInfo("tenant-1", "Tenant One");
+
+        _userManagerMock.Setup(x => x.FindByEmailAsync("user@test.com")).ReturnsAsync(user);
+        _userManagerMock.Setup(x => x.GetRolesAsync(user)).ReturnsAsync(["Member"]);
+        _tenantStoreMock.Setup(x => x.GetAsync("tenant-1")).ReturnsAsync(tenant);
+
+        // Act
+        var result = await _handler.HandleAsync(principal);
+
+        // Assert
+        Assert.False(result.IsError);
+        Assert.Single(result.Value.Roles);
+        Assert.Equal("Member", result.Value.Roles[0]);
+    }
+
+    [Fact]
+    public async Task ReturnsAllRoles_SortedAlphabetically_WhenUserHasMultipleRoles()
+    {
+        // Arrange
+        var principal = CreatePrincipalWithEmail("multi@test.com");
+        var user = new IdmtUser
+        {
+            UserName = "multiuser",
+            Email = "multi@test.com",
+            TenantId = "tenant-1",
+            IsActive = true
+        };
+        var tenant = new IdmtTenantInfo("tenant-1", "Tenant One");
+
+        _userManagerMock.Setup(x => x.FindByEmailAsync("multi@test.com")).ReturnsAsync(user);
+        // Roles are intentionally supplied in non-alphabetical order to verify sorting.
+        _userManagerMock.Setup(x => x.GetRolesAsync(user)).ReturnsAsync(["TenantAdmin", "Member", "Auditor"]);
+        _tenantStoreMock.Setup(x => x.GetAsync("tenant-1")).ReturnsAsync(tenant);
+
+        // Act
+        var result = await _handler.HandleAsync(principal);
+
+        // Assert
+        Assert.False(result.IsError);
+        Assert.Equal(3, result.Value.Roles.Count);
+        Assert.Equal(new[] { "Auditor", "Member", "TenantAdmin" }, result.Value.Roles);
+    }
+
+    private static ClaimsPrincipal CreatePrincipalWithEmail(string email)
+    {
+        return new ClaimsPrincipal(new ClaimsIdentity([
+            new Claim(ClaimTypes.Email, email),
+            new Claim(ClaimTypes.Name, "testuser")
+        ], "Bearer"));
+    }
+}
diff --git a/src/tests/Idmt.UnitTests/Features/Manage/RegisterHandlerTests.cs b/src/tests/Idmt.UnitTests/Features/Manage/RegisterHandlerTests.cs
new file mode 100644
index 0000000..58e2725
--- /dev/null
+++ b/src/tests/Idmt.UnitTests/Features/Manage/RegisterHandlerTests.cs
@@ -0,0 +1,227 @@
+using ErrorOr;
+using Finbuckle.MultiTenant.Abstractions;
+using Idmt.Plugin.Features.Manage;
+using Idmt.Plugin.Models;
+using Idmt.Plugin.Persistence;
+using Idmt.Plugin.Services;
+using Microsoft.AspNetCore.Identity;
+using Microsoft.EntityFrameworkCore;
+using Microsoft.EntityFrameworkCore.Diagnostics;
+using Microsoft.Extensions.Logging.Abstractions;
+using Moq;
+
+namespace Idmt.UnitTests.Features.Manage;
+
+public class RegisterHandlerTests : IDisposable
+{
+    private readonly Mock<UserManager<IdmtUser>> _userManagerMock;
+    private readonly Mock<RoleManager<IdmtRole>> _roleManagerMock;
+    private readonly Mock<ICurrentUserService> _currentUserServiceMock;
+    private readonly Mock<ITenantAccessService> _tenantAccessServiceMock;
+    private readonly Mock<IIdmtLinkGenerator> _linkGeneratorMock;
+    private readonly Mock<IEmailSender<IdmtUser>> _emailSenderMock;
+    private readonly IdmtDbContext _dbContext;
+    private readonly RegisterUser.RegisterHandler _handler;
+
+    public RegisterHandlerTests()
+    {
+        var userStoreMock = new Mock<IUserStore<IdmtUser>>();
+        _userManagerMock = new Mock<UserManager<IdmtUser>>(
+            userStoreMock.Object, null!, null!, null!, null!, null!, null!, null!, null!);
+
+        var roleStoreMock = new Mock<IRoleStore<IdmtRole>>();
+        _roleManagerMock = new Mock<RoleManager<IdmtRole>>(
+            roleStoreMock.Object, null!, null!, null!, null!);
+
+        _currentUserServiceMock = new Mock<ICurrentUserService>();
+        _tenantAccessServiceMock = new Mock<ITenantAccessService>();
+        _linkGeneratorMock = new Mock<IIdmtLinkGenerator>();
+        _emailSenderMock = new Mock<IEmailSender<IdmtUser>>();
+
+        var tenantAccessorMock = new Mock<IMultiTenantContextAccessor>();
+        var dummyTenant = new IdmtTenantInfo("system-test-tenant", "system-test", "System Test Tenant");
+        var dummyContext = new MultiTenantContext<IdmtTenantInfo>(dummyTenant);
+        tenantAccessorMock.SetupGet(x => x.MultiTenantContext).Returns(dummyContext);
+
+        var options = new DbContextOptionsBuilder<IdmtDbContext>()
+            .UseInMemoryDatabase(databaseName: Guid.NewGuid().ToString())
+            .ConfigureWarnings(w => w.Ignore(InMemoryEventId.TransactionIgnoredWarning))
+            .Options;
+
+        _dbContext = new IdmtDbContext(
+            tenantAccessorMock.Object,
+            options,
+            _currentUserServiceMock.Object,
+            TimeProvider.System,
+            NullLogger<IdmtDbContext>.Instance);
+
+        _handler = new RegisterUser.RegisterHandler(
+            NullLogger<RegisterUser.RegisterHandler>.Instance,
+            _userManagerMock.Object,
+            _roleManagerMock.Object,
+            _currentUserServiceMock.Object,
+            _tenantAccessServiceMock.Object,
+            _dbContext,
+            _linkGeneratorMock.Object,
+            _emailSenderMock.Object);
+    }
+
+    [Fact]
+    public async Task ReturnsRoleNotFound_WhenRoleDoesNotExist()
+    {
+        // Arrange
+        _tenantAccessServiceMock.Setup(x => x.CanAssignRole(It.IsAny<string>())).Returns(true);
+        _currentUserServiceMock.SetupGet(x => x.TenantId).Returns("tenant-1");
+        _roleManagerMock.Setup(x => x.RoleExistsAsync("NonExistentRole")).ReturnsAsync(false);
+
+        var request = new RegisterUser.RegisterUserRequest
+        {
+            Email = "user@test.com",
+            Role = "NonExistentRole"
+        };
+
+        // Act
+        var result = await _handler.HandleAsync(request);
+
+        // Assert
+        Assert.True(result.IsError);
+        Assert.Equal("User.RoleNotFound", result.FirstError.Code);
+    }
+
+    [Fact]
+    public async Task ReturnsForbidden_WhenCallerCannotAssignRole()
+    {
+        // Arrange
+        _tenantAccessServiceMock.Setup(x => x.CanAssignRole("SysAdmin")).Returns(false);
+
+        var request = new RegisterUser.RegisterUserRequest
+        {
+            Email = "user@test.com",
+            Role = "SysAdmin"
+        };
+
+        // Act
+        var result = await _handler.HandleAsync(request);
+
+        // Assert
+        Assert.True(result.IsError);
+        Assert.Equal("User.InsufficientPermissions", result.FirstError.Code);
+        Assert.Equal(ErrorType.Forbidden, result.FirstError.Type);
+    }
+
+    [Fact]
+    public async Task ReturnsTenantNotResolved_WhenTenantIdIsNull()
+    {
+        // Arrange
+        _tenantAccessServiceMock.Setup(x => x.CanAssignRole(It.IsAny<string>())).Returns(true);
+        _currentUserServiceMock.SetupGet(x => x.TenantId).Returns((string?)null);
+
+        var request = new RegisterUser.RegisterUserRequest
+        {
+            Email = "user@test.com",
+            Role = "TenantAdmin"
+        };
+
+        // Act
+        var result = await _handler.HandleAsync(request);
+
+        // Assert
+        Assert.True(result.IsError);
+        Assert.Equal("Tenant.NotResolved", result.FirstError.Code);
+    }
+
+    [Fact]
+    public async Task UsesEmailAsUsername_WhenUsernameNotProvided()
+    {
+        // Arrange
+        var email = "user@test.com";
+        _tenantAccessServiceMock.Setup(x => x.CanAssignRole(It.IsAny<string>())).Returns(true);
+        _currentUserServiceMock.SetupGet(x => x.TenantId).Returns("tenant-1");
+        _roleManagerMock.Setup(x => x.RoleExistsAsync(It.IsAny<string>())).ReturnsAsync(true);
+        _userManagerMock
+            .Setup(x => x.CreateAsync(It.IsAny<IdmtUser>()))
+            .ReturnsAsync(IdentityResult.Success);
+        _userManagerMock
+            .Setup(x => x.AddToRoleAsync(It.IsAny<IdmtUser>(), It.IsAny<string>()))
+            .ReturnsAsync(IdentityResult.Success);
+        _userManagerMock
+            .Setup(x => x.GeneratePasswordResetTokenAsync(It.IsAny<IdmtUser>()))
+            .ReturnsAsync("reset-token");
+        _linkGeneratorMock
+            .Setup(x => x.GeneratePasswordResetLink(It.IsAny<string>(), It.IsAny<string>()))
+            .Returns("https://example.com/reset");
+
+        var request = new RegisterUser.RegisterUserRequest
+        {
+            Email = email,
+            Username = null,
+            Role = "TenantAdmin"
+        };
+
+        // Act
+        var result = await _handler.HandleAsync(request);
+
+        // Assert
+        Assert.False(result.IsError);
+        _userManagerMock.Verify(x => x.CreateAsync(
+            It.Is<IdmtUser>(u => u.UserName == email)), Times.Once);
+    }
+
+    [Fact]
+    public async Task ReturnsCreationFailed_WhenCreateAsyncFails()
+    {
+        // Arrange
+        _tenantAccessServiceMock.Setup(x => x.CanAssignRole(It.IsAny<string>())).Returns(true);
+        _currentUserServiceMock.SetupGet(x => x.TenantId).Returns("tenant-1");
+        _roleManagerMock.Setup(x => x.RoleExistsAsync(It.IsAny<string>())).ReturnsAsync(true);
+        _userManagerMock
+            .Setup(x => x.CreateAsync(It.IsAny<IdmtUser>()))
+            .ReturnsAsync(IdentityResult.Failed(new IdentityError { Description = "Duplicate email" }));
+
+        var request = new RegisterUser.RegisterUserRequest
+        {
+            Email = "user@test.com",
+            Role = "TenantAdmin"
+        };
+
+        // Act
+        var result = await _handler.HandleAsync(request);
+
+        // Assert
+        Assert.True(result.IsError);
+        Assert.Equal("User.CreationFailed", result.FirstError.Code);
+    }
+
+    [Fact]
+    public async Task ReturnsCreationFailed_WhenRoleAssignmentFails()
+    {
+        // Arrange
+        _tenantAccessServiceMock.Setup(x => x.CanAssignRole(It.IsAny<string>())).Returns(true);
+        _currentUserServiceMock.SetupGet(x => x.TenantId).Returns("tenant-1");
+        _roleManagerMock.Setup(x => x.RoleExistsAsync(It.IsAny<string>())).ReturnsAsync(true);
+        _userManagerMock
+            .Setup(x => x.CreateAsync(It.IsAny<IdmtUser>()))
+            .ReturnsAsync(IdentityResult.Success);
+        _userManagerMock
+            .Setup(x => x.AddToRoleAsync(It.IsAny<IdmtUser>(), It.IsAny<string>()))
+            .ReturnsAsync(IdentityResult.Failed(new IdentityError { Description = "Role assignment failed" }));
+
+        var request = new RegisterUser.RegisterUserRequest
+        {
+            Email = "user@test.com",
+            Role = "TenantAdmin"
+        };
+
+        // Act
+        var result = await _handler.HandleAsync(request);
+
+        // Assert
+        Assert.True(result.IsError);
+        Assert.Equal("User.CreationFailed", result.FirstError.Code);
+    }
+
+    public void Dispose()
+    {
+        _dbContext.Dispose();
+    }
+}
diff --git a/src/tests/Idmt.UnitTests/Features/Manage/UnregisterHandlerTests.cs b/src/tests/Idmt.UnitTests/Features/Manage/UnregisterHandlerTests.cs
new file mode 100644
index 0000000..871ec82
--- /dev/null
+++ b/src/tests/Idmt.UnitTests/Features/Manage/UnregisterHandlerTests.cs
@@ -0,0 +1,171 @@
+using ErrorOr;
+using Idmt.Plugin.Features.Manage;
+using Idmt.Plugin.Models;
+using Idmt.Plugin.Services;
+using Microsoft.AspNetCore.Identity;
+using Microsoft.EntityFrameworkCore.Query;
+using Microsoft.Extensions.Logging.Abstractions;
+using Moq;
+
+namespace Idmt.UnitTests.Features.Manage;
+
+public class UnregisterHandlerTests
+{
+    private readonly Mock<UserManager<IdmtUser>> _userManagerMock;
+    private readonly Mock<ICurrentUserService> _currentUserServiceMock;
+    private readonly Mock<ITenantAccessService> _tenantAccessServiceMock;
+    private readonly UnregisterUser.UnregisterUserHandler _handler;
+
+    public UnregisterHandlerTests()
+    {
+        var userStoreMock = new Mock<IUserStore<IdmtUser>>();
+        _userManagerMock = new Mock<UserManager<IdmtUser>>(
+            userStoreMock.Object, null!, null!, null!, null!, null!, null!, null!, null!);
+
+        _currentUserServiceMock = new Mock<ICurrentUserService>();
+        _tenantAccessServiceMock = new Mock<ITenantAccessService>();
+
+        _handler = new UnregisterUser.UnregisterUserHandler(
+            _currentUserServiceMock.Object,
+            NullLogger<UnregisterUser.UnregisterUserHandler>.Instance,
+            _userManagerMock.Object,
+            _tenantAccessServiceMock.Object);
+    }
+
+    [Fact]
+    public async Task ReturnsNotFound_WhenUserDoesNotExist()
+    {
+        // Arrange
+        var userId = Guid.NewGuid();
+        SetupUsersQueryable([]);
+
+        // Act
+        var result = await _handler.HandleAsync(userId);
+
+        // Assert
+        Assert.True(result.IsError);
+        Assert.Equal("User.NotFound", result.FirstError.Code);
+        Assert.Equal(ErrorType.NotFound, result.FirstError.Type);
+    }
+
+    [Fact]
+    public async Task ReturnsForbidden_WhenCallerCannotManageTargetUser()
+    {
+        // Arrange
+        var userId = Guid.NewGuid();
+        var user = new IdmtUser
+        {
+            Id = userId,
+            UserName = "target@test.com",
+            Email = "target@test.com",
+            TenantId = "tenant-1"
+        };
+        SetupUsersQueryable([user]);
+        _userManagerMock.Setup(x => x.GetRolesAsync(user)).ReturnsAsync(["SysAdmin"]);
+        _tenantAccessServiceMock.Setup(x => x.CanManageUser(It.IsAny<IEnumerable<string>>())).Returns(false);
+
+        // Act
+        var result = await _handler.HandleAsync(userId);
+
+        // Assert
+        Assert.True(result.IsError);
+        Assert.Equal("User.InsufficientPermissions", result.FirstError.Code);
+        Assert.Equal(ErrorType.Forbidden, result.FirstError.Type);
+    }
+
+    [Fact]
+    public async Task ReturnsDeletionFailed_WhenDeleteFails()
+    {
+        // Arrange
+        var userId = Guid.NewGuid();
+        var user = new IdmtUser
+        {
+            Id = userId,
+            UserName = "target@test.com",
+            Email = "target@test.com",
+            TenantId = "tenant-1"
+        };
+        SetupUsersQueryable([user]);
+        _userManagerMock.Setup(x => x.GetRolesAsync(user)).ReturnsAsync(["TenantAdmin"]);
+        _tenantAccessServiceMock.Setup(x => x.CanManageUser(It.IsAny<IEnumerable<string>>())).Returns(true);
+        _userManagerMock.Setup(x => x.DeleteAsync(user))
+            .ReturnsAsync(IdentityResult.Failed(new IdentityError { Description = "Delete failed" }));
+
+        // Act
+        var result = await _handler.HandleAsync(userId);
+
+        // Assert
+        Assert.True(result.IsError);
+        Assert.Equal("User.DeletionFailed", result.FirstError.Code);
+    }
+
+    private void SetupUsersQueryable(List<IdmtUser> users)
+    {
+        var queryable = users.AsQueryable();
+        var mockDbSet = new Mock<IQueryable<IdmtUser>>();
+        mockDbSet.As<IAsyncEnumerable<IdmtUser>>()
+            .Setup(m => m.GetAsyncEnumerator(It.IsAny<CancellationToken>()))
+            .Returns(new TestAsyncEnumerator<IdmtUser>(queryable.GetEnumerator()));
+        mockDbSet.As<IQueryable<IdmtUser>>().Setup(m => m.Provider)
+            .Returns(new TestAsyncQueryProvider<IdmtUser>(queryable.Provider));
+        mockDbSet.As<IQueryable<IdmtUser>>().Setup(m => m.Expression).Returns(queryable.Expression);
+        mockDbSet.As<IQueryable<IdmtUser>>().Setup(m => m.ElementType).Returns(queryable.ElementType);
+        mockDbSet.As<IQueryable<IdmtUser>>().Setup(m => m.GetEnumerator()).Returns(queryable.GetEnumerator());
+
+        _userManagerMock.SetupGet(x => x.Users).Returns(mockDbSet.Object);
+    }
+}
+
+/// <summary>
+/// Test async query provider for mocking EF Core async operations.
+/// </summary>
+internal class TestAsyncQueryProvider<TEntity> : IAsyncQueryProvider
+{
+    private readonly IQueryProvider _inner;
+
+    internal TestAsyncQueryProvider(IQueryProvider inner) => _inner = inner;
+
+    public IQueryable CreateQuery(System.Linq.Expressions.Expression expression) => new TestAsyncEnumerable<TEntity>(expression);
+    public IQueryable<TElement> CreateQuery<TElement>(System.Linq.Expressions.Expression expression) => new TestAsyncEnumerable<TElement>(expression);
+    public object? Execute(System.Linq.Expressions.Expression expression) => _inner.Execute(expression);
+    public TResult Execute<TResult>(System.Linq.Expressions.Expression expression) => _inner.Execute<TResult>(expression);
+    public TResult ExecuteAsync<TResult>(System.Linq.Expressions.Expression expression, CancellationToken cancellationToken = default)
+    {
+        var expectedResultType = typeof(TResult).GetGenericArguments()[0];
+        var executionResult = typeof(IQueryProvider)
+            .GetMethod(nameof(IQueryProvider.Execute), 1, [typeof(System.Linq.Expressions.Expression)])!
+            .MakeGenericMethod(expectedResultType)
+            .Invoke(_inner, [expression]);
+
+        return (TResult)typeof(Task).GetMethod(nameof(Task.FromResult))!
+            .MakeGenericMethod(expectedResultType)
+            .Invoke(null, [executionResult])!;
+    }
+}
+
+internal class TestAsyncEnumerable<T> : EnumerableQuery<T>, IAsyncEnumerable<T>, IQueryable<T>
+{
+    public TestAsyncEnumerable(System.Linq.Expressions.Expression expression) : base(expression) { }
+
+    public IAsyncEnumerator<T> GetAsyncEnumerator(CancellationToken cancellationToken = default)
+        => new TestAsyncEnumerator<T>(this.AsEnumerable().GetEnumerator());
+
+    IQueryProvider IQueryable.Provider => new TestAsyncQueryProvider<T>(this);
+}
+
+internal class TestAsyncEnumerator<T> : IAsyncEnumerator<T>
+{
+    private readonly IEnumerator<T> _inner;
+
+    public TestAsyncEnumerator(IEnumerator<T> inner) => _inner = inner;
+
+    public T Current => _inner.Current;
+
+    public ValueTask DisposeAsync()
+    {
+        _inner.Dispose();
+        return ValueTask.CompletedTask;
+    }
+
+    public ValueTask<bool> MoveNextAsync() => new(_inner.MoveNext());
+}
diff --git a/src/tests/Idmt.UnitTests/Features/Manage/UpdateUserHandlerTests.cs b/src/tests/Idmt.UnitTests/Features/Manage/UpdateUserHandlerTests.cs
new file mode 100644
index 0000000..7925166
--- /dev/null
+++ b/src/tests/Idmt.UnitTests/Features/Manage/UpdateUserHandlerTests.cs
@@ -0,0 +1,118 @@
+using ErrorOr;
+using Idmt.Plugin.Features.Manage;
+using Idmt.Plugin.Models;
+using Idmt.Plugin.Services;
+using Microsoft.AspNetCore.Identity;
+using Microsoft.Extensions.Logging.Abstractions;
+using Moq;
+
+namespace Idmt.UnitTests.Features.Manage;
+
+public class UpdateUserHandlerTests
+{
+    private readonly Mock<UserManager<IdmtUser>> _userManagerMock;
+    private readonly Mock<ITenantAccessService> _tenantAccessServiceMock;
+    private readonly UpdateUser.UpdateUserHandler _handler;
+
+    public UpdateUserHandlerTests()
+    {
+        var userStoreMock = new Mock<IUserStore<IdmtUser>>();
+        _userManagerMock = new Mock<UserManager<IdmtUser>>(
+            userStoreMock.Object, null!, null!, null!, null!, null!, null!, null!, null!);
+
+        _tenantAccessServiceMock = new Mock<ITenantAccessService>();
+
+        _handler = new UpdateUser.UpdateUserHandler(
+            _userManagerMock.Object,
+            _tenantAccessServiceMock.Object,
+            NullLogger<UpdateUser.UpdateUserHandler>.Instance);
+    }
+
+    [Fact]
+    public async Task ReturnsNotFound_WhenUserDoesNotExist()
+    {
+        // Arrange
+        SetupUsersQueryable([]);
+        var request = new UpdateUser.UpdateUserRequest(IsActive: true);
+
+        // Act
+        var result = await _handler.HandleAsync(Guid.NewGuid(), request);
+
+        // Assert
+        Assert.True(result.IsError);
+        Assert.Equal("User.NotFound", result.FirstError.Code);
+        Assert.Equal(ErrorType.NotFound, result.FirstError.Type);
+    }
+
+    [Fact]
+    public async Task ReturnsForbidden_WhenCannotManageUser()
+    {
+        // Arrange
+        var userId = Guid.NewGuid();
+        var user = new IdmtUser
+        {
+            Id = userId,
+            UserName = "target@test.com",
+            Email = "target@test.com",
+            TenantId = "tenant-1"
+        };
+        SetupUsersQueryable([user]);
+        _userManagerMock.Setup(x => x.GetRolesAsync(user)).ReturnsAsync(["SysAdmin"]);
+        _tenantAccessServiceMock.Setup(x => x.CanManageUser(It.IsAny<IEnumerable<string>>())).Returns(false);
+
+        var request = new UpdateUser.UpdateUserRequest(IsActive: false);
+
+        // Act
+        var result = await _handler.HandleAsync(userId, request);
+
+        // Assert
+        Assert.True(result.IsError);
+        Assert.Equal("User.InsufficientPermissions", result.FirstError.Code);
+        Assert.Equal(ErrorType.Forbidden, result.FirstError.Type);
+    }
+
+    [Fact]
+    public async Task ReturnsUpdateFailed_WhenIdentityUpdateFails()
+    {
+        // Arrange
+        var userId = Guid.NewGuid();
+        var user = new IdmtUser
+        {
+            Id = userId,
+            UserName = "target@test.com",
+            Email = "target@test.com",
+            TenantId = "tenant-1",
+            IsActive = true
+        };
+        SetupUsersQueryable([user]);
+        _userManagerMock.Setup(x => x.GetRolesAsync(user)).ReturnsAsync(["TenantAdmin"]);
+        _tenantAccessServiceMock.Setup(x => x.CanManageUser(It.IsAny<IEnumerable<string>>())).Returns(true);
+        _userManagerMock.Setup(x => x.UpdateAsync(user))
+            .ReturnsAsync(IdentityResult.Failed(new IdentityError { Description = "Update failed" }));
+
+        var request = new UpdateUser.UpdateUserRequest(IsActive: false);
+
+        // Act
+        var result = await _handler.HandleAsync(userId, request);
+
+        // Assert
+        Assert.True(result.IsError);
+        Assert.Equal("User.UpdateFailed", result.FirstError.Code);
+    }
+
+    private void SetupUsersQueryable(List<IdmtUser> users)
+    {
+        var queryable = users.AsQueryable();
+        var mockDbSet = new Mock<IQueryable<IdmtUser>>();
+        mockDbSet.As<IAsyncEnumerable<IdmtUser>>()
+            .Setup(m => m.GetAsyncEnumerator(It.IsAny<CancellationToken>()))
+            .Returns(new TestAsyncEnumerator<IdmtUser>(queryable.GetEnumerator()));
+        mockDbSet.As<IQueryable<IdmtUser>>().Setup(m => m.Provider)
+            .Returns(new TestAsyncQueryProvider<IdmtUser>(queryable.Provider));
+        mockDbSet.As<IQueryable<IdmtUser>>().Setup(m => m.Expression).Returns(queryable.Expression);
+        mockDbSet.As<IQueryable<IdmtUser>>().Setup(m => m.ElementType).Returns(queryable.ElementType);
+        mockDbSet.As<IQueryable<IdmtUser>>().Setup(m => m.GetEnumerator()).Returns(queryable.GetEnumerator());
+
+        _userManagerMock.SetupGet(x => x.Users).Returns(mockDbSet.Object);
+    }
+}
diff --git a/src/tests/Idmt.UnitTests/Features/Manage/UpdateUserInfoHandlerTests.cs b/src/tests/Idmt.UnitTests/Features/Manage/UpdateUserInfoHandlerTests.cs
new file mode 100644
index 0000000..7cbce7d
--- /dev/null
+++ b/src/tests/Idmt.UnitTests/Features/Manage/UpdateUserInfoHandlerTests.cs
@@ -0,0 +1,372 @@
+using System.Security.Claims;
+using ErrorOr;
+using Finbuckle.MultiTenant.Abstractions;
+using Idmt.Plugin.Features.Manage;
+using Idmt.Plugin.Models;
+using Idmt.Plugin.Persistence;
+using Idmt.Plugin.Services;
+using Microsoft.AspNetCore.Identity;
+using Microsoft.EntityFrameworkCore;
+using Microsoft.EntityFrameworkCore.Diagnostics;
+using Microsoft.Extensions.Logging.Abstractions;
+using Moq;
+
+namespace Idmt.UnitTests.Features.Manage;
+
+public class UpdateUserInfoHandlerTests : IDisposable
+{
+    private readonly Mock<UserManager<IdmtUser>> _userManagerMock;
+    private readonly Mock<IIdmtLinkGenerator> _linkGeneratorMock;
+    private readonly Mock<IEmailSender<IdmtUser>> _emailSenderMock;
+    private readonly IdmtDbContext _dbContext;
+    private readonly UpdateUserInfo.UpdateUserInfoHandler _handler;
+
+    public UpdateUserInfoHandlerTests()
+    {
+        var userStoreMock = new Mock<IUserStore<IdmtUser>>();
+        _userManagerMock = new Mock<UserManager<IdmtUser>>(
+            userStoreMock.Object, null!, null!, null!, null!, null!, null!, null!, null!);
+
+        _linkGeneratorMock = new Mock<IIdmtLinkGenerator>();
+        _emailSenderMock = new Mock<IEmailSender<IdmtUser>>();
+
+        var tenantAccessorMock = new Mock<IMultiTenantContextAccessor>();
+        var dummyTenant = new IdmtTenantInfo("system-test-tenant", "system-test", "System Test Tenant");
+        var dummyContext = new MultiTenantContext<IdmtTenantInfo>(dummyTenant);
+        tenantAccessorMock.SetupGet(x => x.MultiTenantContext).Returns(dummyContext);
+
+        var currentUserServiceMock = new Mock<ICurrentUserService>();
+
+        var options = new DbContextOptionsBuilder<IdmtDbContext>()
+            .UseInMemoryDatabase(databaseName: Guid.NewGuid().ToString())
+            .ConfigureWarnings(w => w.Ignore(InMemoryEventId.TransactionIgnoredWarning))
+            .Options;
+
+        _dbContext = new IdmtDbContext(
+            tenantAccessorMock.Object,
+            options,
+            currentUserServiceMock.Object,
+            TimeProvider.System,
+            NullLogger<IdmtDbContext>.Instance);
+
+        _handler = new UpdateUserInfo.UpdateUserInfoHandler(
+            _userManagerMock.Object,
+            _dbContext,
+            _linkGeneratorMock.Object,
+            _emailSenderMock.Object,
+            NullLogger<UpdateUserInfo.UpdateUserInfoHandler>.Instance);
+    }
+
+    [Fact]
+    public async Task ReturnsClaimsNotFound_WhenEmailClaimMissing()
+    {
+        // Arrange - principal with no email claim
+        var principal = new ClaimsPrincipal(new ClaimsIdentity([
+            new Claim(ClaimTypes.Name, "testuser")
+        ], "Bearer"));
+
+        var request = new UpdateUserInfo.UpdateUserInfoRequest(NewUsername: "newname");
+
+        // Act
+        var result = await _handler.HandleAsync(request, principal);
+
+        // Assert
+        Assert.True(result.IsError);
+        Assert.Equal("User.ClaimsNotFound", result.FirstError.Code);
+        Assert.Equal(ErrorType.Validation, result.FirstError.Type);
+    }
+
+    [Fact]
+    public async Task ReturnsInactive_WhenUserIsInactive()
+    {
+        // Arrange
+        var principal = CreatePrincipalWithEmail("inactive@test.com");
+        var user = new IdmtUser
+        {
+            UserName = "inactive",
+            Email = "inactive@test.com",
+            TenantId = "tenant-1",
+            IsActive = false
+        };
+        _userManagerMock.Setup(x => x.FindByEmailAsync("inactive@test.com")).ReturnsAsync(user);
+
+        var request = new UpdateUserInfo.UpdateUserInfoRequest(NewUsername: "newname");
+
+        // Act
+        var result = await _handler.HandleAsync(request, principal);
+
+        // Assert
+        Assert.True(result.IsError);
+        Assert.Equal("User.Inactive", result.FirstError.Code);
+        Assert.Equal(ErrorType.Forbidden, result.FirstError.Type);
+    }
+
+    [Fact]
+    public async Task SkipsUpdate_WhenNoFieldsChanged()
+    {
+        // Arrange
+        var principal = CreatePrincipalWithEmail("user@test.com");
+        var user = new IdmtUser
+        {
+            UserName = "currentname",
+            Email = "user@test.com",
+            TenantId = "tenant-1",
+            IsActive = true
+        };
+        _userManagerMock.Setup(x => x.FindByEmailAsync("user@test.com")).ReturnsAsync(user);
+
+        // Request with no changes (all null)
+        var request = new UpdateUserInfo.UpdateUserInfoRequest();
+
+        // Act
+        var result = await _handler.HandleAsync(request, principal);
+
+        // Assert
+        Assert.False(result.IsError);
+        _userManagerMock.Verify(x => x.UpdateAsync(It.IsAny<IdmtUser>()), Times.Never);
+    }
+
+    /// <summary>
+    /// Verifies the critical fix: after a successful email change, a confirmation email is sent
+    /// to the new address so the user has a recovery path and is not permanently locked out.
+    /// </summary>
+    [Fact]
+    public async Task SendsConfirmationEmail_WhenEmailChanged()
+    {
+        // Arrange
+        var principal = CreatePrincipalWithEmail("old@test.com");
+        var user = new IdmtUser
+        {
+            UserName = "testuser",
+            Email = "old@test.com",
+            TenantId = "tenant-1",
+            IsActive = true,
+            EmailConfirmed = true
+        };
+        _userManagerMock.Setup(x => x.FindByEmailAsync("old@test.com")).ReturnsAsync(user);
+        _userManagerMock.Setup(x => x.GenerateChangeEmailTokenAsync(user, "new@test.com"))
+            .ReturnsAsync("change-token");
+        _userManagerMock.Setup(x => x.ChangeEmailAsync(user, "new@test.com", "change-token"))
+            .ReturnsAsync(IdentityResult.Success);
+        _userManagerMock.Setup(x => x.GenerateEmailConfirmationTokenAsync(user))
+            .ReturnsAsync("confirm-token");
+        _linkGeneratorMock
+            .Setup(x => x.GenerateConfirmEmailLink("new@test.com", "confirm-token"))
+            .Returns("https://example.com/confirm?token=confirm-token");
+
+        var request = new UpdateUserInfo.UpdateUserInfoRequest(NewEmail: "new@test.com");
+
+        // Act
+        var result = await _handler.HandleAsync(request, principal);
+
+        // Assert
+        Assert.False(result.IsError);
+
+        // The link generator must be called with the NEW email address and the fresh confirm token
+        _linkGeneratorMock.Verify(
+            x => x.GenerateConfirmEmailLink("new@test.com", "confirm-token"),
+            Times.Once);
+
+        // The email sender must be called with the NEW email address and the generated link
+        _emailSenderMock.Verify(
+            x => x.SendConfirmationLinkAsync(
+                user,
+                "new@test.com",
+                "https://example.com/confirm?token=confirm-token"),
+            Times.Once);
+    }
+
+    /// <summary>
+    /// Verifies the critical fix: when only the email changes, UpdateAsync must NOT be called.
+    /// ChangeEmailAsync already persists the change; a second UpdateAsync would write with a
+    /// stale concurrency stamp and could silently corrupt the user record.
+    /// </summary>
+    [Fact]
+    public async Task DoesNotCallUpdateAsync_WhenOnlyEmailChanged()
+    {
+        // Arrange
+        var principal = CreatePrincipalWithEmail("old@test.com");
+        var user = new IdmtUser
+        {
+            UserName = "testuser",
+            Email = "old@test.com",
+            TenantId = "tenant-1",
+            IsActive = true,
+            EmailConfirmed = true
+        };
+        _userManagerMock.Setup(x => x.FindByEmailAsync("old@test.com")).ReturnsAsync(user);
+        _userManagerMock.Setup(x => x.GenerateChangeEmailTokenAsync(user, "new@test.com"))
+            .ReturnsAsync("change-token");
+        _userManagerMock.Setup(x => x.ChangeEmailAsync(user, "new@test.com", "change-token"))
+            .ReturnsAsync(IdentityResult.Success);
+        _userManagerMock.Setup(x => x.GenerateEmailConfirmationTokenAsync(user))
+            .ReturnsAsync("confirm-token");
+        _linkGeneratorMock
+            .Setup(x => x.GenerateConfirmEmailLink("new@test.com", "confirm-token"))
+            .Returns("https://example.com/confirm?token=confirm-token");
+
+        var request = new UpdateUserInfo.UpdateUserInfoRequest(NewEmail: "new@test.com");
+
+        // Act
+        var result = await _handler.HandleAsync(request, principal);
+
+        // Assert
+        Assert.False(result.IsError);
+
+        // UpdateAsync must NOT be called — ChangeEmailAsync already saved the email change
+        _userManagerMock.Verify(x => x.UpdateAsync(It.IsAny<IdmtUser>()), Times.Never);
+    }
+
+    /// <summary>
+    /// Verifies that when both username and email change in the same request, UpdateAsync is
+    /// still called exactly once for the username change (ChangeEmailAsync handles the email).
+    /// </summary>
+    [Fact]
+    public async Task CallsUpdateAsync_WhenUsernameAndEmailBothChanged()
+    {
+        // Arrange
+        var principal = CreatePrincipalWithEmail("old@test.com");
+        var user = new IdmtUser
+        {
+            UserName = "oldname",
+            Email = "old@test.com",
+            TenantId = "tenant-1",
+            IsActive = true,
+            EmailConfirmed = true
+        };
+        _userManagerMock.Setup(x => x.FindByEmailAsync("old@test.com")).ReturnsAsync(user);
+        _userManagerMock.Setup(x => x.SetUserNameAsync(user, "newname"))
+            .ReturnsAsync(IdentityResult.Success);
+        _userManagerMock.Setup(x => x.GenerateChangeEmailTokenAsync(user, "new@test.com"))
+            .ReturnsAsync("change-token");
+        _userManagerMock.Setup(x => x.ChangeEmailAsync(user, "new@test.com", "change-token"))
+            .ReturnsAsync(IdentityResult.Success);
+        _userManagerMock.Setup(x => x.GenerateEmailConfirmationTokenAsync(user))
+            .ReturnsAsync("confirm-token");
+        _linkGeneratorMock
+            .Setup(x => x.GenerateConfirmEmailLink("new@test.com", "confirm-token"))
+            .Returns("https://example.com/confirm?token=confirm-token");
+        _userManagerMock.Setup(x => x.UpdateAsync(user)).ReturnsAsync(IdentityResult.Success);
+
+        var request = new UpdateUserInfo.UpdateUserInfoRequest(NewUsername: "newname", NewEmail: "new@test.com");
+
+        // Act
+        var result = await _handler.HandleAsync(request, principal);
+
+        // Assert
+        Assert.False(result.IsError);
+
+        // UpdateAsync must be called exactly once for the username change
+        _userManagerMock.Verify(x => x.UpdateAsync(user), Times.Once);
+
+        // Confirmation email must still be sent for the email change
+        _emailSenderMock.Verify(
+            x => x.SendConfirmationLinkAsync(user, "new@test.com", It.IsAny<string>()),
+            Times.Once);
+    }
+
+    [Fact]
+    public async Task DoesNotChangeEmail_WhenNewEmailSameAsCurrent()
+    {
+        // Arrange
+        var principal = CreatePrincipalWithEmail("same@test.com");
+        var user = new IdmtUser
+        {
+            UserName = "testuser",
+            Email = "same@test.com",
+            TenantId = "tenant-1",
+            IsActive = true,
+            EmailConfirmed = true
+        };
+        _userManagerMock.Setup(x => x.FindByEmailAsync("same@test.com")).ReturnsAsync(user);
+
+        // Request with same email as current
+        var request = new UpdateUserInfo.UpdateUserInfoRequest(NewEmail: "same@test.com");
+
+        // Act
+        var result = await _handler.HandleAsync(request, principal);
+
+        // Assert
+        Assert.False(result.IsError);
+        _userManagerMock.Verify(x => x.ChangeEmailAsync(It.IsAny<IdmtUser>(), It.IsAny<string>(), It.IsAny<string>()), Times.Never);
+        _userManagerMock.Verify(x => x.UpdateAsync(It.IsAny<IdmtUser>()), Times.Never);
+        _emailSenderMock.Verify(x => x.SendConfirmationLinkAsync(It.IsAny<IdmtUser>(), It.IsAny<string>(), It.IsAny<string>()), Times.Never);
+    }
+
+    [Fact]
+    public async Task DoesNotChangeUsername_WhenNewUsernameSameAsCurrent()
+    {
+        // Arrange
+        var principal = CreatePrincipalWithEmail("user@test.com");
+        var user = new IdmtUser
+        {
+            UserName = "currentname",
+            Email = "user@test.com",
+            TenantId = "tenant-1",
+            IsActive = true
+        };
+        _userManagerMock.Setup(x => x.FindByEmailAsync("user@test.com")).ReturnsAsync(user);
+
+        // Request with same username as current
+        var request = new UpdateUserInfo.UpdateUserInfoRequest(NewUsername: "currentname");
+
+        // Act
+        var result = await _handler.HandleAsync(request, principal);
+
+        // Assert
+        Assert.False(result.IsError);
+        _userManagerMock.Verify(x => x.SetUserNameAsync(It.IsAny<IdmtUser>(), It.IsAny<string>()), Times.Never);
+        _userManagerMock.Verify(x => x.UpdateAsync(It.IsAny<IdmtUser>()), Times.Never);
+    }
+
+    /// <summary>
+    /// Verifies that a failed ChangeEmailAsync rolls back the transaction and returns an error
+    /// without attempting to send a confirmation email.
+    /// </summary>
+    [Fact]
+    public async Task ReturnsUpdateFailed_WhenChangeEmailFails()
+    {
+        // Arrange
+        var principal = CreatePrincipalWithEmail("old@test.com");
+        var user = new IdmtUser
+        {
+            UserName = "testuser",
+            Email = "old@test.com",
+            TenantId = "tenant-1",
+            IsActive = true,
+            EmailConfirmed = true
+        };
+        _userManagerMock.Setup(x => x.FindByEmailAsync("old@test.com")).ReturnsAsync(user);
+        _userManagerMock.Setup(x => x.GenerateChangeEmailTokenAsync(user, "new@test.com"))
+            .ReturnsAsync("change-token");
+        _userManagerMock.Setup(x => x.ChangeEmailAsync(user, "new@test.com", "change-token"))
+            .ReturnsAsync(IdentityResult.Failed(new IdentityError { Code = "Error", Description = "Change failed" }));
+
+        var request = new UpdateUserInfo.UpdateUserInfoRequest(NewEmail: "new@test.com");
+
+        // Act
+        var result = await _handler.HandleAsync(request, principal);
+
+        // Assert
+        Assert.True(result.IsError);
+        Assert.Equal("User.UpdateFailed", result.FirstError.Code);
+
+        // No confirmation email should be sent when the change itself failed
+        _emailSenderMock.Verify(
+            x => x.SendConfirmationLinkAsync(It.IsAny<IdmtUser>(), It.IsAny<string>(), It.IsAny<string>()),
+            Times.Never);
+    }
+
+    private static ClaimsPrincipal CreatePrincipalWithEmail(string email)
+    {
+        return new ClaimsPrincipal(new ClaimsIdentity([
+            new Claim(ClaimTypes.Email, email),
+            new Claim(ClaimTypes.Name, "testuser")
+        ], "Bearer"));
+    }
+
+    public void Dispose()
+    {
+        _dbContext.Dispose();
+    }
+}
diff --git a/src/tests/Idmt.UnitTests/Idmt.UnitTests.csproj b/src/tests/Idmt.UnitTests/Idmt.UnitTests.csproj
index 0b08e5e..50b1656 100644
--- a/src/tests/Idmt.UnitTests/Idmt.UnitTests.csproj
+++ b/src/tests/Idmt.UnitTests/Idmt.UnitTests.csproj
@@ -8,9 +8,11 @@
   </PropertyGroup>
 
   <ItemGroup>
-    <PackageReference Include="coverlet.collector" Version="6.0.4" />
-    <PackageReference Include="Microsoft.EntityFrameworkCore.InMemory" Version="10.0.1" />
-    <PackageReference Include="Microsoft.NET.Test.Sdk" Version="18.0.1" />
+    <PackageReference Include="coverlet.collector" Version="8.0.0" />
+    <PackageReference Include="Microsoft.EntityFrameworkCore.InMemory" Version="10.0.3" />
+    <PackageReference Include="Microsoft.EntityFrameworkCore.Sqlite" Version="10.0.3" />
+    <PackageReference Include="Microsoft.Extensions.TimeProvider.Testing" Version="10.0.0" />
+    <PackageReference Include="Microsoft.NET.Test.Sdk" Version="18.3.0" />
     <PackageReference Include="Moq" Version="4.20.72" />
     <PackageReference Include="xunit" Version="2.9.3" />
     <PackageReference Include="xunit.runner.visualstudio" Version="3.1.5" />
diff --git a/src/tests/Idmt.UnitTests/Middleware/CurrentUserMiddlewareTests.cs b/src/tests/Idmt.UnitTests/Middleware/CurrentUserMiddlewareTests.cs
new file mode 100644
index 0000000..c72c39d
--- /dev/null
+++ b/src/tests/Idmt.UnitTests/Middleware/CurrentUserMiddlewareTests.cs
@@ -0,0 +1,109 @@
+using System.Net;
+using System.Security.Claims;
+using Idmt.Plugin.Middleware;
+using Idmt.Plugin.Services;
+using Microsoft.AspNetCore.Http;
+using Moq;
+
+namespace Idmt.UnitTests.Middleware;
+
+public class CurrentUserMiddlewareTests
+{
+    private readonly Mock<ICurrentUserService> _currentUserServiceMock;
+    private readonly CurrentUserMiddleware _middleware;
+
+    public CurrentUserMiddlewareTests()
+    {
+        _currentUserServiceMock = new Mock<ICurrentUserService>();
+        _middleware = new CurrentUserMiddleware(_currentUserServiceMock.Object);
+    }
+
+    [Fact]
+    public async Task SetsCurrentUser_FromAuthenticatedRequest()
+    {
+        // Arrange
+        var context = new DefaultHttpContext();
+        var identity = new ClaimsIdentity(
+            [new Claim(ClaimTypes.Name, "testuser"), new Claim(ClaimTypes.Email, "test@example.com")],
+            "TestScheme");
+        context.User = new ClaimsPrincipal(identity);
+        context.Connection.RemoteIpAddress = IPAddress.Parse("192.168.1.100");
+        context.Request.Headers["User-Agent"] = "TestAgent/1.0";
+
+        // Act
+        await _middleware.InvokeAsync(context, _ => Task.CompletedTask);
+
+        // Assert
+        _currentUserServiceMock.Verify(
+            s => s.SetCurrentUser(
+                It.Is<ClaimsPrincipal>(u => u.Identity != null && u.Identity.Name == "testuser"),
+                "192.168.1.100",
+                "TestAgent/1.0"),
+            Times.Once);
+    }
+
+    [Fact]
+    public async Task AlwaysCallsNext_WhenAuthenticated()
+    {
+        // Arrange
+        var context = new DefaultHttpContext();
+        var identity = new ClaimsIdentity(
+            [new Claim(ClaimTypes.Name, "testuser")],
+            "TestScheme");
+        context.User = new ClaimsPrincipal(identity);
+        context.Connection.RemoteIpAddress = IPAddress.Loopback;
+        var nextCalled = false;
+
+        // Act
+        await _middleware.InvokeAsync(context, _ =>
+        {
+            nextCalled = true;
+            return Task.CompletedTask;
+        });
+
+        // Assert
+        Assert.True(nextCalled);
+    }
+
+    [Fact]
+    public async Task AlwaysCallsNext_WhenUnauthenticated()
+    {
+        // Arrange
+        var context = new DefaultHttpContext(); // No user set, defaults to unauthenticated
+        var nextCalled = false;
+
+        // Act
+        await _middleware.InvokeAsync(context, _ =>
+        {
+            nextCalled = true;
+            return Task.CompletedTask;
+        });
+
+        // Assert
+        Assert.True(nextCalled);
+        _currentUserServiceMock.Verify(
+            s => s.SetCurrentUser(It.IsAny<ClaimsPrincipal>(), It.IsAny<string?>(), It.IsAny<string?>()),
+            Times.Once);
+    }
+
+    [Fact]
+    public async Task PassesNullIp_WhenRemoteIpAddressIsNull()
+    {
+        // Arrange
+        var context = new DefaultHttpContext();
+        // RemoteIpAddress is null by default on DefaultHttpContext
+        Assert.Null(context.Connection.RemoteIpAddress);
+        context.Request.Headers["User-Agent"] = "SomeAgent";
+
+        // Act
+        await _middleware.InvokeAsync(context, _ => Task.CompletedTask);
+
+        // Assert - should not throw and should pass null for IP
+        _currentUserServiceMock.Verify(
+            s => s.SetCurrentUser(
+                It.IsAny<ClaimsPrincipal>(),
+                null,
+                "SomeAgent"),
+            Times.Once);
+    }
+}
diff --git a/src/tests/Idmt.UnitTests/Middleware/ValidateBearerTokenTenantMiddlewareTests.cs b/src/tests/Idmt.UnitTests/Middleware/ValidateBearerTokenTenantMiddlewareTests.cs
new file mode 100644
index 0000000..747654f
--- /dev/null
+++ b/src/tests/Idmt.UnitTests/Middleware/ValidateBearerTokenTenantMiddlewareTests.cs
@@ -0,0 +1,312 @@
+using System.Security.Claims;
+using System.Text.Json;
+using Finbuckle.MultiTenant.Abstractions;
+using Idmt.Plugin.Configuration;
+using Idmt.Plugin.Middleware;
+using Idmt.Plugin.Models;
+using Microsoft.AspNetCore.Http;
+using Microsoft.AspNetCore.Mvc;
+using Microsoft.Extensions.Logging;
+using Microsoft.Extensions.Options;
+using Moq;
+
+namespace Idmt.UnitTests.Middleware;
+
+public class ValidateBearerTokenTenantMiddlewareTests
+{
+    private readonly Mock<IMultiTenantContextAccessor> _tenantAccessorMock;
+    private readonly Mock<IOptions<IdmtOptions>> _optionsMock;
+    private readonly Mock<ILogger<ValidateBearerTokenTenantMiddleware>> _loggerMock;
+    private readonly ValidateBearerTokenTenantMiddleware _middleware;
+    private readonly IdmtOptions _options;
+
+    public ValidateBearerTokenTenantMiddlewareTests()
+    {
+        _tenantAccessorMock = new Mock<IMultiTenantContextAccessor>();
+        _optionsMock = new Mock<IOptions<IdmtOptions>>();
+        _loggerMock = new Mock<ILogger<ValidateBearerTokenTenantMiddleware>>();
+        _options = new IdmtOptions();
+        _optionsMock.Setup(x => x.Value).Returns(_options);
+
+        _middleware = new ValidateBearerTokenTenantMiddleware(
+            _tenantAccessorMock.Object,
+            _optionsMock.Object,
+            _loggerMock.Object);
+    }
+
+    [Fact]
+    public async Task InvokeAsync_UnauthenticatedRequest_PassesThrough()
+    {
+        var context = new DefaultHttpContext();
+        var nextCalled = false;
+
+        await _middleware.InvokeAsync(context, _ =>
+        {
+            nextCalled = true;
+            return Task.CompletedTask;
+        });
+
+        Assert.True(nextCalled);
+    }
+
+    [Fact]
+    public async Task InvokeAsync_CookieAuthRequest_PassesThrough()
+    {
+        var context = new DefaultHttpContext();
+        var identity = new ClaimsIdentity(new[] { new Claim(ClaimTypes.Name, "user") }, "Cookie");
+        context.User = new ClaimsPrincipal(identity);
+        // No Bearer header
+        var nextCalled = false;
+
+        await _middleware.InvokeAsync(context, _ =>
+        {
+            nextCalled = true;
+            return Task.CompletedTask;
+        });
+
+        Assert.True(nextCalled);
+    }
+
+    [Fact]
+    public async Task InvokeAsync_MissingTenantClaim_Returns401WithProblemDetails()
+    {
+        var context = CreateBearerContext(tenantClaimValue: null);
+        SetupTenantContext("test-tenant");
+
+        var nextCalled = false;
+        await _middleware.InvokeAsync(context, _ =>
+        {
+            nextCalled = true;
+            return Task.CompletedTask;
+        });
+
+        Assert.False(nextCalled);
+        Assert.Equal(StatusCodes.Status401Unauthorized, context.Response.StatusCode);
+        AssertProblemDetailsResponse(context, StatusCodes.Status401Unauthorized, "Unauthorized");
+    }
+
+    [Fact]
+    public async Task InvokeAsync_MismatchedTenantClaim_Returns403WithProblemDetails()
+    {
+        var context = CreateBearerContext(tenantClaimValue: "tenant-a");
+        SetupTenantContext("tenant-b");
+
+        var nextCalled = false;
+        await _middleware.InvokeAsync(context, _ =>
+        {
+            nextCalled = true;
+            return Task.CompletedTask;
+        });
+
+        Assert.False(nextCalled);
+        Assert.Equal(StatusCodes.Status403Forbidden, context.Response.StatusCode);
+        AssertProblemDetailsResponse(context, StatusCodes.Status403Forbidden, "Forbidden");
+    }
+
+    [Fact]
+    public async Task InvokeAsync_MatchingTenantClaim_PassesThrough()
+    {
+        var context = CreateBearerContext(tenantClaimValue: "test-tenant");
+        SetupTenantContext("test-tenant");
+
+        var nextCalled = false;
+        await _middleware.InvokeAsync(context, _ =>
+        {
+            nextCalled = true;
+            return Task.CompletedTask;
+        });
+
+        Assert.True(nextCalled);
+    }
+
+    [Fact]
+    public async Task InvokeAsync_ExceptionInValidation_Returns401WithProblemDetails()
+    {
+        var context = CreateBearerContext(tenantClaimValue: "test-tenant");
+        // Setup accessor to throw
+        _tenantAccessorMock.SetupGet(x => x.MultiTenantContext)
+            .Throws(new InvalidOperationException("test exception"));
+
+        var nextCalled = false;
+        await _middleware.InvokeAsync(context, _ =>
+        {
+            nextCalled = true;
+            return Task.CompletedTask;
+        });
+
+        Assert.False(nextCalled);
+        Assert.Equal(StatusCodes.Status401Unauthorized, context.Response.StatusCode);
+        AssertProblemDetailsResponse(context, StatusCodes.Status401Unauthorized, "Unauthorized");
+    }
+
+    [Fact]
+    public async Task InvokeAsync_EmptyStringTenantClaim_Returns401WithProblemDetails()
+    {
+        // Empty string tenant claim should be treated the same as missing
+        var context = CreateBearerContext(tenantClaimValue: "", claimKey: null);
+        SetupTenantContext("test-tenant");
+
+        var nextCalled = false;
+        await _middleware.InvokeAsync(context, _ =>
+        {
+            nextCalled = true;
+            return Task.CompletedTask;
+        });
+
+        Assert.False(nextCalled);
+        Assert.Equal(StatusCodes.Status401Unauthorized, context.Response.StatusCode);
+        AssertProblemDetailsResponse(context, StatusCodes.Status401Unauthorized, "Unauthorized");
+    }
+
+    [Fact]
+    public async Task InvokeAsync_UsesCustomClaimType_WhenConfigured()
+    {
+        // Configure a custom claim type
+        const string customClaimType = "custom_tenant_claim";
+        _options.MultiTenant.StrategyOptions[IdmtMultiTenantStrategy.Claim] = customClaimType;
+
+        var context = CreateBearerContext(tenantClaimValue: "test-tenant", claimKey: customClaimType);
+        SetupTenantContext("test-tenant");
+
+        var nextCalled = false;
+        await _middleware.InvokeAsync(context, _ =>
+        {
+            nextCalled = true;
+            return Task.CompletedTask;
+        });
+
+        Assert.True(nextCalled);
+    }
+
+    [Fact]
+    public async Task InvokeAsync_Returns403_WhenTenantClaimCaseDiffers()
+    {
+        // Ordinal comparison means different casing should fail
+        var context = CreateBearerContext(tenantClaimValue: "Test-Tenant");
+        SetupTenantContext("test-tenant");
+
+        var nextCalled = false;
+        await _middleware.InvokeAsync(context, _ =>
+        {
+            nextCalled = true;
+            return Task.CompletedTask;
+        });
+
+        Assert.False(nextCalled);
+        Assert.Equal(StatusCodes.Status403Forbidden, context.Response.StatusCode);
+        AssertProblemDetailsResponse(context, StatusCodes.Status403Forbidden, "Forbidden");
+    }
+
+    [Fact]
+    public async Task InvokeAsync_NullTenantContext_Returns401WithProblemDetails()
+    {
+        // No tenant context set at all (accessor returns null MultiTenantContext)
+        var context = CreateBearerContext(tenantClaimValue: "test-tenant");
+        _tenantAccessorMock.SetupGet(x => x.MultiTenantContext).Returns(default(IMultiTenantContext)!);
+
+        var nextCalled = false;
+        await _middleware.InvokeAsync(context, _ =>
+        {
+            nextCalled = true;
+            return Task.CompletedTask;
+        });
+
+        Assert.False(nextCalled);
+        Assert.Equal(StatusCodes.Status401Unauthorized, context.Response.StatusCode);
+        AssertProblemDetailsResponse(context, StatusCodes.Status401Unauthorized, "Unauthorized");
+    }
+
+    [Fact]
+    public async Task InvokeAsync_ErrorResponse_HasProblemJsonContentType()
+    {
+        var context = CreateBearerContext(tenantClaimValue: "tenant-a");
+        SetupTenantContext("tenant-b");
+
+        await _middleware.InvokeAsync(context, _ => Task.CompletedTask);
+
+        Assert.Contains("application/problem+json", context.Response.ContentType);
+    }
+
+    [Fact]
+    public async Task InvokeAsync_ErrorResponse_BodyContainsNonNullDetail()
+    {
+        var context = CreateBearerContext(tenantClaimValue: "tenant-a");
+        SetupTenantContext("tenant-b");
+
+        await _middleware.InvokeAsync(context, _ => Task.CompletedTask);
+
+        var problem = ReadProblemDetails(context);
+        Assert.NotNull(problem);
+        Assert.False(string.IsNullOrWhiteSpace(problem.Detail));
+    }
+
+    // -------------------------------------------------------------------------
+    // Helpers
+    // -------------------------------------------------------------------------
+
+    private DefaultHttpContext CreateBearerContext(string? tenantClaimValue, string? claimKey = null)
+    {
+        // Use a real MemoryStream so WriteAsJsonAsync can write to the body
+        var context = new DefaultHttpContext();
+        context.Response.Body = new MemoryStream();
+        context.Request.Headers.Authorization = "Bearer test-token";
+
+        var resolvedClaimKey = claimKey ?? _options.MultiTenant.StrategyOptions.GetValueOrDefault(
+            IdmtMultiTenantStrategy.Claim, IdmtMultiTenantStrategy.DefaultClaim);
+
+        var claims = new List<Claim> { new(ClaimTypes.Name, "user") };
+        if (tenantClaimValue != null)
+        {
+            claims.Add(new Claim(resolvedClaimKey, tenantClaimValue));
+        }
+
+        var identity = new ClaimsIdentity(claims, "Bearer");
+        context.User = new ClaimsPrincipal(identity);
+        return context;
+    }
+
+    private void SetupTenantContext(string identifier)
+    {
+        var tenant = new IdmtTenantInfo("id", identifier, "Test");
+        var multiTenantContext = new MultiTenantContext<IdmtTenantInfo>(tenant);
+        _tenantAccessorMock.SetupGet(x => x.MultiTenantContext).Returns(multiTenantContext);
+    }
+
+    /// <summary>
+    /// Rewinds the response body stream and deserializes the ProblemDetails payload.
+    /// Returns null when the body is empty.
+    /// </summary>
+    private static ProblemDetails? ReadProblemDetails(DefaultHttpContext context)
+    {
+        context.Response.Body.Seek(0, SeekOrigin.Begin);
+        var json = new StreamReader(context.Response.Body).ReadToEnd();
+        if (string.IsNullOrWhiteSpace(json))
+        {
+            return null;
+        }
+
+        return JsonSerializer.Deserialize<ProblemDetails>(json, new JsonSerializerOptions
+        {
+            PropertyNameCaseInsensitive = true
+        });
+    }
+
+    /// <summary>
+    /// Asserts that the response body contains a valid ProblemDetails document with the
+    /// expected status code and title, and that the Content-Type is application/problem+json.
+    /// </summary>
+    private static void AssertProblemDetailsResponse(
+        DefaultHttpContext context,
+        int expectedStatus,
+        string expectedTitle)
+    {
+        Assert.Contains("application/problem+json", context.Response.ContentType);
+
+        var problem = ReadProblemDetails(context);
+        Assert.NotNull(problem);
+        Assert.Equal(expectedStatus, problem.Status);
+        Assert.Equal(expectedTitle, problem.Title);
+        Assert.False(string.IsNullOrWhiteSpace(problem.Detail),
+            "ProblemDetails.Detail must not be empty so API clients can diagnose the failure.");
+    }
+}
diff --git a/src/tests/Idmt.UnitTests/Models/IdmtTenantInfoTests.cs b/src/tests/Idmt.UnitTests/Models/IdmtTenantInfoTests.cs
new file mode 100644
index 0000000..3b4cc4f
--- /dev/null
+++ b/src/tests/Idmt.UnitTests/Models/IdmtTenantInfoTests.cs
@@ -0,0 +1,90 @@
+using Idmt.Plugin.Models;
+
+namespace Idmt.UnitTests.Models;
+
+public class IdmtTenantInfoTests
+{
+    [Fact]
+    public void ThrowsArgumentException_WhenIdentifierIsTooShort()
+    {
+        // Arrange & Act & Assert
+        var ex = Assert.Throws<ArgumentException>(
+            () => new IdmtTenantInfo("some-id", "ab", "Test Tenant"));
+
+        Assert.Equal("identifier", ex.ParamName);
+        Assert.Contains("at least 3 characters", ex.Message);
+    }
+
+    [Theory]
+    [InlineData("a")]
+    [InlineData("xy")]
+    public void ThrowsArgumentException_WhenIdentifierLengthIsLessThanThree(string shortIdentifier)
+    {
+        Assert.Throws<ArgumentException>(
+            () => new IdmtTenantInfo("some-id", shortIdentifier, "Test Tenant"));
+    }
+
+    [Theory]
+    [InlineData(null, "valid-id", "Valid Name")]   // null id
+    [InlineData("", "valid-id", "Valid Name")]     // empty id
+    [InlineData("some-id", null, "Valid Name")]    // null identifier
+    [InlineData("some-id", "", "Valid Name")]      // empty identifier
+    [InlineData("some-id", "valid-id", null)]      // null name
+    [InlineData("some-id", "valid-id", "")]        // empty name
+    public void ThrowsArgumentException_ForNullOrEmptyRequiredFields(
+        string? id, string? identifier, string? name)
+    {
+        Assert.ThrowsAny<ArgumentException>(
+            () => new IdmtTenantInfo(id!, identifier!, name!));
+    }
+
+    [Fact]
+    public void CreatesSuccessfully_WithValidParameters()
+    {
+        // Arrange & Act
+        var tenant = new IdmtTenantInfo("tenant-id-1", "my-tenant", "My Tenant");
+
+        // Assert
+        Assert.Equal("tenant-id-1", tenant.Id);
+        Assert.Equal("my-tenant", tenant.Identifier);
+        Assert.Equal("My Tenant", tenant.Name);
+        Assert.True(tenant.IsActive);
+        Assert.Equal("/login", tenant.LoginPath);
+        Assert.Equal("/logout", tenant.LogoutPath);
+        Assert.Equal("/access-denied", tenant.AccessDeniedPath);
+    }
+
+    [Fact]
+    public void CreatesSuccessfully_WithTwoParameterConstructor()
+    {
+        // Arrange & Act
+        var tenant = new IdmtTenantInfo("my-tenant", "My Tenant");
+
+        // Assert
+        Assert.NotNull(tenant.Id);
+        Assert.NotEmpty(tenant.Id);
+        Assert.Equal("my-tenant", tenant.Identifier);
+        Assert.Equal("My Tenant", tenant.Name);
+    }
+
+    [Fact]
+    public void GetId_ReturnsId()
+    {
+        var tenant = new IdmtTenantInfo("tenant-id", "identifier", "name");
+        Assert.Equal("tenant-id", tenant.GetId());
+    }
+
+    [Fact]
+    public void GetName_ReturnsName()
+    {
+        var tenant = new IdmtTenantInfo("tenant-id", "identifier", "My Name");
+        Assert.Equal("My Name", tenant.GetName());
+    }
+
+    [Fact]
+    public void GetTenantId_ReturnsId()
+    {
+        var tenant = new IdmtTenantInfo("tenant-id", "identifier", "name");
+        Assert.Equal("tenant-id", tenant.GetTenantId());
+    }
+}
diff --git a/src/tests/Idmt.UnitTests/Services/CoreServicesTests.cs b/src/tests/Idmt.UnitTests/Services/CoreServicesTests.cs
index a4bec0f..a20d6ea 100644
--- a/src/tests/Idmt.UnitTests/Services/CoreServicesTests.cs
+++ b/src/tests/Idmt.UnitTests/Services/CoreServicesTests.cs
@@ -1,12 +1,10 @@
 using Finbuckle.MultiTenant.Abstractions;
 using Idmt.Plugin.Configuration;
 using Idmt.Plugin.Models;
-using Idmt.Plugin.Persistence;
 using Idmt.Plugin.Services;
 using Microsoft.AspNetCore.Http;
 using Microsoft.AspNetCore.Routing;
 using Microsoft.AspNetCore.WebUtilities;
-using Microsoft.EntityFrameworkCore;
 using Microsoft.Extensions.Logging;
 using Microsoft.Extensions.Options;
 using Moq;
@@ -51,7 +49,7 @@ public void UserId_ReturnsCurrentUserId_WhenUserExists()
     }
 
     [Fact]
-    public void UserId_ReturnsEmptyGuid_WhenUserDoesNotExist()
+    public void UserId_ReturnsNull_WhenUserDoesNotExist()
     {
         var user = new System.Security.Claims.ClaimsPrincipal(
             new System.Security.Claims.ClaimsIdentity());
@@ -60,8 +58,7 @@ public void UserId_ReturnsEmptyGuid_WhenUserDoesNotExist()
 
         var result = _service.UserId;
 
-        Assert.NotNull(result);
-        Assert.Equal(Guid.Empty, result);
+        Assert.Null(result);
     }
 
     [Fact]
@@ -242,170 +239,6 @@ public void IsActive_ReturnsFalse_WhenUserNotSet()
     }
 }
 
-/// <summary>
-/// Extended unit tests for TenantAccessService covering additional scenarios.
-/// </summary>
-public class TenantAccessServiceExtendedTests
-{
-    private readonly Mock<IMultiTenantContextAccessor> _tenantAccessorMock;
-    private readonly Mock<ICurrentUserService> _currentUserServiceMock;
-    private readonly IdmtDbContext _dbContext;
-    private readonly TenantAccessService _service;
-
-    public TenantAccessServiceExtendedTests()
-    {
-        _tenantAccessorMock = new Mock<IMultiTenantContextAccessor>();
-        _currentUserServiceMock = new Mock<ICurrentUserService>();
-
-        var dummyTenant = new IdmtTenantInfo("system-test-tenant", "system-test", "System Test Tenant");
-        var dummyContext = new MultiTenantContext<IdmtTenantInfo>(dummyTenant);
-        _tenantAccessorMock.SetupGet(x => x.MultiTenantContext).Returns(dummyContext);
-
-        var options = new DbContextOptionsBuilder<IdmtDbContext>()
-            .UseInMemoryDatabase(databaseName: Guid.NewGuid().ToString())
-            .Options;
-
-        _dbContext = new IdmtDbContext(
-            _tenantAccessorMock.Object,
-            options,
-            _currentUserServiceMock.Object);
-
-        _service = new TenantAccessService(_dbContext, _currentUserServiceMock.Object);
-    }
-
-    [Fact]
-    public async Task CanAccessTenantAsync_ReturnsTrue_WhenAccessExistsAndIsActive()
-    {
-        var userId = Guid.NewGuid();
-        var tenantId = "tenant1";
-
-        _dbContext.TenantAccess.Add(
-            new TenantAccess { UserId = userId, TenantId = tenantId, IsActive = true }
-        );
-        await _dbContext.SaveChangesAsync();
-
-        var result = await _service.CanAccessTenantAsync(userId, tenantId);
-
-        Assert.True(result);
-    }
-
-    [Fact]
-    public async Task CanAccessTenantAsync_ReturnsFalse_WhenAccessIsInactive()
-    {
-        var userId = Guid.NewGuid();
-        var tenantId = "tenant1";
-
-        _dbContext.TenantAccess.Add(
-            new TenantAccess { UserId = userId, TenantId = tenantId, IsActive = false }
-        );
-        await _dbContext.SaveChangesAsync();
-
-        var result = await _service.CanAccessTenantAsync(userId, tenantId);
-
-        Assert.False(result);
-    }
-
-    [Fact]
-    public async Task CanAccessTenantAsync_ReturnsFalse_WhenAccessExpired()
-    {
-        var userId = Guid.NewGuid();
-        var tenantId = "tenant1";
-
-        _dbContext.TenantAccess.Add(
-            new TenantAccess { UserId = userId, TenantId = tenantId, IsActive = true, ExpiresAt = DateTime.UtcNow.AddDays(-1) }
-        );
-        await _dbContext.SaveChangesAsync();
-
-        var result = await _service.CanAccessTenantAsync(userId, tenantId);
-
-        Assert.False(result);
-    }
-
-    [Fact]
-    public async Task CanAccessTenantAsync_ReturnsTrue_WhenAccessExpiringInFuture()
-    {
-        var userId = Guid.NewGuid();
-        var tenantId = "tenant1";
-
-        _dbContext.TenantAccess.Add(
-            new TenantAccess { UserId = userId, TenantId = tenantId, IsActive = true, ExpiresAt = DateTime.UtcNow.AddDays(1) }
-        );
-        await _dbContext.SaveChangesAsync();
-
-        var result = await _service.CanAccessTenantAsync(userId, tenantId);
-
-        Assert.True(result);
-    }
-
-    [Fact]
-    public async Task CanAccessTenantAsync_ReturnsFalse_WhenNoAccessRecord()
-    {
-        var userId = Guid.NewGuid();
-        var tenantId = "tenant1";
-
-        var result = await _service.CanAccessTenantAsync(userId, tenantId);
-
-        Assert.False(result);
-    }
-
-    [Theory]
-    [InlineData(IdmtDefaultRoleTypes.SysSupport, IdmtDefaultRoleTypes.SysAdmin, false)]
-    [InlineData(IdmtDefaultRoleTypes.SysSupport, IdmtDefaultRoleTypes.TenantAdmin, true)]
-    [InlineData(IdmtDefaultRoleTypes.TenantAdmin, IdmtDefaultRoleTypes.SysAdmin, false)]
-    [InlineData(IdmtDefaultRoleTypes.TenantAdmin, IdmtDefaultRoleTypes.SysSupport, false)]
-    [InlineData(IdmtDefaultRoleTypes.TenantAdmin, "TenantUser", true)]
-    [InlineData("TenantUser", IdmtDefaultRoleTypes.SysAdmin, false)]
-    public void CanAssignRole_ValidatesRoleHierarchy(string currentUserRole, string targetRole, bool expected)
-    {
-        _currentUserServiceMock.Reset();
-        _currentUserServiceMock.Setup(x => x.IsInRole(currentUserRole)).Returns(true);
-
-        var result = _service.CanAssignRole(targetRole);
-
-        Assert.Equal(expected, result);
-    }
-
-    [Fact]
-    public void CanManageUser_ReturnsFalse_WhenSysSupportManagesSysAdmin()
-    {
-        _currentUserServiceMock.Setup(x => x.IsInRole(IdmtDefaultRoleTypes.SysSupport)).Returns(true);
-
-        var result = _service.CanManageUser([IdmtDefaultRoleTypes.SysAdmin]);
-
-        Assert.False(result);
-    }
-
-    [Fact]
-    public void CanManageUser_ReturnsTrue_WhenSysSupportManagesTenantAdmin()
-    {
-        _currentUserServiceMock.Setup(x => x.IsInRole(IdmtDefaultRoleTypes.SysSupport)).Returns(true);
-
-        var result = _service.CanManageUser([IdmtDefaultRoleTypes.TenantAdmin]);
-
-        Assert.True(result);
-    }
-
-    [Fact]
-    public void CanManageUser_ReturnsFalse_WhenTenantAdminManagesSysUser()
-    {
-        _currentUserServiceMock.Setup(x => x.IsInRole(IdmtDefaultRoleTypes.TenantAdmin)).Returns(true);
-
-        var result = _service.CanManageUser([IdmtDefaultRoleTypes.SysSupport]);
-
-        Assert.False(result);
-    }
-
-    [Fact]
-    public void CanManageUser_ReturnsTrue_WhenTenantAdminManagesTenantUser()
-    {
-        _currentUserServiceMock.Setup(x => x.IsInRole(IdmtDefaultRoleTypes.TenantAdmin)).Returns(true);
-
-        var result = _service.CanManageUser(["CustomRole"]);
-
-        Assert.True(result);
-    }
-}
-
 /// <summary>
 /// Extended unit tests for IdmtLinkGenerator covering additional scenarios.
 /// </summary>
@@ -450,58 +283,62 @@ public IdmtLinkGeneratorExtendedTests()
     }
 
     [Fact]
-    public void GenerateConfirmEmailFormLink_IncludesAllQueryParameters()
+    public void GenerateConfirmEmailLink_ClientForm_IncludesAllQueryParameters()
     {
         const string email = "user@example.com";
         const string token = "confirm-token";
+        _options.Application.EmailConfirmationMode = EmailConfirmationMode.ClientForm;
         _options.Application.ClientUrl = "https://client.example";
         _options.Application.ConfirmEmailFormPath = "/confirm-email";
 
-        var result = _service.GenerateConfirmEmailFormLink(email, token);
+        var result = _service.GenerateConfirmEmailLink(email, token);
         var uri = new Uri(result);
         var query = QueryHelpers.ParseQuery(uri.Query);
 
         Assert.Equal(_tenantInfo.Identifier, query["tenantIdentifier"].ToString());
         Assert.Equal(email, query["email"].ToString());
-        Assert.Equal(token, query["token"].ToString());
+        // Token is Base64URL-encoded
+        Assert.NotEmpty(query["token"].ToString());
     }
 
     [Fact]
-    public void GeneratePasswordResetFormLink_IncludesAllQueryParameters()
+    public void GeneratePasswordResetLink_IncludesAllQueryParameters()
     {
         const string email = "user@example.com";
         const string token = "reset-token";
         _options.Application.ClientUrl = "https://client.example";
         _options.Application.ResetPasswordFormPath = "/reset-password";
 
-        var result = _service.GeneratePasswordResetFormLink(email, token);
+        var result = _service.GeneratePasswordResetLink(email, token);
         var uri = new Uri(result);
         var query = QueryHelpers.ParseQuery(uri.Query);
 
         Assert.Equal(_tenantInfo.Identifier, query["tenantIdentifier"].ToString());
         Assert.Equal(email, query["email"].ToString());
-        Assert.Equal(token, query["token"].ToString());
+        // Token is Base64URL-encoded
+        Assert.NotEmpty(query["token"].ToString());
     }
 
     [Fact]
-    public void GenerateConfirmEmailFormLink_HandlesClientUrlWithTrailingSlash()
+    public void GenerateConfirmEmailLink_ClientForm_HandlesClientUrlWithTrailingSlash()
     {
+        _options.Application.EmailConfirmationMode = EmailConfirmationMode.ClientForm;
         _options.Application.ClientUrl = "https://client.example/";
         _options.Application.ConfirmEmailFormPath = "/confirm-email";
 
-        var result = _service.GenerateConfirmEmailFormLink("user@example.com", "token");
-        var uri = new Uri(result);
+        var result = _service.GenerateConfirmEmailLink("user@example.com", "token");
 
         Assert.StartsWith("https://client.example/confirm-email", result);
     }
 
     [Fact]
-    public void GenerateConfirmEmailFormLink_HandlePathWithoutLeadingSlash()
+    public void GenerateConfirmEmailLink_ClientForm_HandlePathWithoutLeadingSlash()
     {
+        _options.Application.EmailConfirmationMode = EmailConfirmationMode.ClientForm;
         _options.Application.ClientUrl = "https://client.example";
         _options.Application.ConfirmEmailFormPath = "confirm-email";
 
-        var result = _service.GenerateConfirmEmailFormLink("user@example.com", "token");
+        var result = _service.GenerateConfirmEmailLink("user@example.com", "token");
 
         Assert.Contains("/confirm-email", result);
     }
diff --git a/src/tests/Idmt.UnitTests/Services/IdmtLinkGeneratorTests.cs b/src/tests/Idmt.UnitTests/Services/IdmtLinkGeneratorTests.cs
index 1bff3de..3102d42 100644
--- a/src/tests/Idmt.UnitTests/Services/IdmtLinkGeneratorTests.cs
+++ b/src/tests/Idmt.UnitTests/Services/IdmtLinkGeneratorTests.cs
@@ -1,3 +1,4 @@
+using System.Text;
 using Finbuckle.MultiTenant.Abstractions;
 using Idmt.Plugin.Configuration;
 using Idmt.Plugin.Models;
@@ -52,53 +53,19 @@ public IdmtLinkGeneratorTests()
     }
 
     [Fact]
-    public void Constructor_ShouldInitialize()
-    {
-        Assert.NotNull(_service);
-    }
-
-    [Fact]
-    public void GenerateConfirmEmailApiLink_UsesLinkGenerator()
+    public void GenerateConfirmEmailLink_ServerConfirm_UsesLinkGenerator()
     {
         const string email = "user@example.com";
         const string token = "confirm-token";
         const string expectedUrl = "https://demo.example/confirm-email";
+        _options.Application.EmailConfirmationMode = EmailConfirmationMode.ServerConfirm;
 
-        RouteValueDictionary? capturedRouteValues = null;
-        _linkGeneratorMock.Setup(x => x.GetUriByAddress<string>(
-                _httpContext,
-                ApplicationOptions.ConfirmEmailEndpointName,
-                It.IsAny<RouteValueDictionary>(),
-                It.IsAny<RouteValueDictionary?>(),
-                It.IsAny<string?>(),
-                It.IsAny<HostString?>(),
-                It.IsAny<PathString?>(),
-                It.IsAny<FragmentString>(),
-                It.IsAny<LinkOptions?>()))
-            .Callback<HttpContext, string, RouteValueDictionary, RouteValueDictionary?, string?, HostString?, PathString?, FragmentString, LinkOptions?>((context, name, values, ambientValues, scheme, host, pathBase, fragment, options) =>
-            {
-                capturedRouteValues = values;
-            })
-            .Returns(expectedUrl);
-
-        var result = _service.GenerateConfirmEmailApiLink(email, token);
-
-        Assert.Equal(expectedUrl, result);
-        Assert.NotNull(capturedRouteValues);
-        Assert.True(HasExpectedRouteValues(capturedRouteValues!, _tenantInfo.Identifier ?? string.Empty, email, token));
-    }
-
-    [Fact]
-    public void GeneratePasswordResetApiLink_UsesLinkGenerator()
-    {
-        const string email = "user@example.com";
-        const string token = "reset-token";
-        const string expectedUrl = "https://demo.example/password-reset";
+        var expectedEncodedToken = WebEncoders.Base64UrlEncode(Encoding.UTF8.GetBytes(token));
 
         RouteValueDictionary? capturedRouteValues = null;
         _linkGeneratorMock.Setup(x => x.GetUriByAddress<string>(
                 _httpContext,
-                ApplicationOptions.PasswordResetEndpointName,
+                IdmtEndpointNames.ConfirmEmailDirect,
                 It.IsAny<RouteValueDictionary>(),
                 It.IsAny<RouteValueDictionary?>(),
                 It.IsAny<string?>(),
@@ -112,22 +79,25 @@ public void GeneratePasswordResetApiLink_UsesLinkGenerator()
             })
             .Returns(expectedUrl);
 
-        var result = _service.GeneratePasswordResetApiLink(email, token);
+        var result = _service.GenerateConfirmEmailLink(email, token);
 
         Assert.Equal(expectedUrl, result);
         Assert.NotNull(capturedRouteValues);
-        Assert.True(HasExpectedRouteValues(capturedRouteValues!, _tenantInfo.Identifier ?? string.Empty, email, token));
+        Assert.Equal(email, capturedRouteValues!["email"]?.ToString());
+        Assert.Equal(expectedEncodedToken, capturedRouteValues["token"]?.ToString());
+        Assert.Equal(_tenantInfo.Identifier, capturedRouteValues["tenantIdentifier"]?.ToString());
     }
 
     [Fact]
-    public void GenerateConfirmEmailFormLink_ReturnsClientUri()
+    public void GenerateConfirmEmailLink_ClientForm_ReturnsClientUri()
     {
         const string email = "user@example.com";
         const string token = "confirm-token";
+        _options.Application.EmailConfirmationMode = EmailConfirmationMode.ClientForm;
         _options.Application.ClientUrl = "https://client.example";
         _options.Application.ConfirmEmailFormPath = "/confirm-email";
 
-        var result = _service.GenerateConfirmEmailFormLink(email, token);
+        var result = _service.GenerateConfirmEmailLink(email, token);
         var uri = new Uri(result);
 
         var expectedBase = $"{_options.Application.ClientUrl!.TrimEnd('/')}/{_options.Application.ConfirmEmailFormPath!.TrimStart('/')}";
@@ -136,18 +106,22 @@ public void GenerateConfirmEmailFormLink_ReturnsClientUri()
         var query = QueryHelpers.ParseQuery(uri.Query);
         Assert.Equal(_tenantInfo.Identifier, query["tenantIdentifier"].ToString());
         Assert.Equal(email, query["email"].ToString());
-        Assert.Equal(token, query["token"].ToString());
+
+        // Token should be Base64URL-encoded
+        var encodedToken = query["token"].ToString();
+        var decodedToken = Encoding.UTF8.GetString(WebEncoders.Base64UrlDecode(encodedToken));
+        Assert.Equal(token, decodedToken);
     }
 
     [Fact]
-    public void GeneratePasswordResetFormLink_ReturnsClientUri()
+    public void GeneratePasswordResetLink_ReturnsClientUri()
     {
         const string email = "user@example.com";
         const string token = "reset-token";
         _options.Application.ClientUrl = "https://client.example";
         _options.Application.ResetPasswordFormPath = "/reset-password";
 
-        var result = _service.GeneratePasswordResetFormLink(email, token);
+        var result = _service.GeneratePasswordResetLink(email, token);
         var uri = new Uri(result);
 
         var expectedBase = $"{_options.Application.ClientUrl!.TrimEnd('/')}/{_options.Application.ResetPasswordFormPath!.TrimStart('/')}";
@@ -156,56 +130,43 @@ public void GeneratePasswordResetFormLink_ReturnsClientUri()
         var query = QueryHelpers.ParseQuery(uri.Query);
         Assert.Equal(_tenantInfo.Identifier, query["tenantIdentifier"].ToString());
         Assert.Equal(email, query["email"].ToString());
-        Assert.Equal(token, query["token"].ToString());
+
+        // Token should be Base64URL-encoded
+        var encodedToken = query["token"].ToString();
+        var decodedToken = Encoding.UTF8.GetString(WebEncoders.Base64UrlDecode(encodedToken));
+        Assert.Equal(token, decodedToken);
     }
 
     [Fact]
-    public void GenerateConfirmEmailApiLink_ThrowsWhenHttpContextMissing()
+    public void GenerateConfirmEmailLink_ThrowsWhenHttpContextMissing()
     {
         _httpContextAccessorMock.Setup(x => x.HttpContext).Returns((HttpContext?)null);
 
         var exception = Assert.Throws<InvalidOperationException>(() =>
-            _service.GenerateConfirmEmailApiLink("user@example.com", "token"));
+            _service.GenerateConfirmEmailLink("user@example.com", "token"));
 
         Assert.Equal("No HTTP context was found.", exception.Message);
     }
 
     [Fact]
-    public void GenerateConfirmEmailFormLink_ThrowsWhenClientUrlMissing()
+    public void GenerateConfirmEmailLink_ClientForm_ThrowsWhenClientUrlMissing()
     {
+        _options.Application.EmailConfirmationMode = EmailConfirmationMode.ClientForm;
+
         var exception = Assert.Throws<InvalidOperationException>(() =>
-            _service.GenerateConfirmEmailFormLink("user@example.com", "token"));
+            _service.GenerateConfirmEmailLink("user@example.com", "token"));
 
         Assert.Equal("Client URL is not configured.", exception.Message);
     }
 
     [Fact]
-    public void GenerateConfirmEmailApiLink_ThrowsWhenEndpointNotFound()
+    public void GenerateConfirmEmailLink_ServerConfirm_ThrowsWhenEndpointNotFound()
     {
-        _linkGeneratorMock.Setup(x => x.GetUriByAddress<string>(
-                _httpContext,
-                ApplicationOptions.ConfirmEmailEndpointName,
-                It.IsAny<RouteValueDictionary>(),
-                It.IsAny<RouteValueDictionary?>(),
-                It.IsAny<string?>(),
-                It.IsAny<HostString?>(),
-                It.IsAny<PathString?>(),
-                It.IsAny<FragmentString>(),
-                It.IsAny<LinkOptions?>()))
-            .Returns((string?)null);
+        _options.Application.EmailConfirmationMode = EmailConfirmationMode.ServerConfirm;
 
-        var exception = Assert.Throws<NotSupportedException>(() =>
-            _service.GenerateConfirmEmailApiLink("user@example.com", "token"));
-
-        Assert.Contains(ApplicationOptions.ConfirmEmailEndpointName, exception.Message);
-    }
-
-    [Fact]
-    public void GeneratePasswordResetApiLink_ThrowsWhenEndpointNotFound()
-    {
         _linkGeneratorMock.Setup(x => x.GetUriByAddress<string>(
                 _httpContext,
-                ApplicationOptions.PasswordResetEndpointName,
+                IdmtEndpointNames.ConfirmEmailDirect,
                 It.IsAny<RouteValueDictionary>(),
                 It.IsAny<RouteValueDictionary?>(),
                 It.IsAny<string?>(),
@@ -216,38 +177,51 @@ public void GeneratePasswordResetApiLink_ThrowsWhenEndpointNotFound()
             .Returns((string?)null);
 
         var exception = Assert.Throws<NotSupportedException>(() =>
-            _service.GeneratePasswordResetApiLink("user@example.com", "token"));
+            _service.GenerateConfirmEmailLink("user@example.com", "token"));
 
-        Assert.Contains(ApplicationOptions.PasswordResetEndpointName, exception.Message);
+        Assert.Contains(IdmtEndpointNames.ConfirmEmailDirect, exception.Message);
     }
 
     [Fact]
-    public void GeneratePasswordResetApiLink_ThrowsWhenHttpContextMissing()
+    public void GeneratePasswordResetLink_ThrowsWhenHttpContextMissing()
     {
         _httpContextAccessorMock.Setup(x => x.HttpContext).Returns((HttpContext?)null);
 
         var exception = Assert.Throws<InvalidOperationException>(() =>
-            _service.GeneratePasswordResetApiLink("user@example.com", "token"));
+            _service.GeneratePasswordResetLink("user@example.com", "token"));
 
         Assert.Equal("No HTTP context was found.", exception.Message);
     }
 
     [Fact]
-    public void GeneratePasswordResetFormLink_ThrowsWhenClientUrlMissing()
+    public void GeneratePasswordResetLink_ThrowsWhenClientUrlMissing()
     {
         var exception = Assert.Throws<InvalidOperationException>(() =>
-            _service.GeneratePasswordResetFormLink("user@example.com", "token"));
+            _service.GeneratePasswordResetLink("user@example.com", "token"));
 
         Assert.Equal("Client URL is not configured.", exception.Message);
     }
 
-    private static bool HasExpectedRouteValues(RouteValueDictionary routeValues, string tenantIdentifier, string email, string token)
+    [Fact]
+    public void GenerateConfirmEmailLink_Base64UrlEncodesSpecialCharacterTokens()
     {
-        return routeValues.TryGetValue("tenantIdentifier", out var tenantValue)
-            && routeValues.TryGetValue("email", out var emailValue)
-            && routeValues.TryGetValue("token", out var tokenValue)
-            && string.Equals(tenantValue?.ToString(), tenantIdentifier, StringComparison.Ordinal)
-            && string.Equals(emailValue?.ToString(), email, StringComparison.Ordinal)
-            && string.Equals(tokenValue?.ToString(), token, StringComparison.Ordinal);
+        // Tokens from Identity often contain +, /, = which need Base64URL encoding
+        const string token = "CfDJ8N+test/token=value==";
+        _options.Application.EmailConfirmationMode = EmailConfirmationMode.ClientForm;
+        _options.Application.ClientUrl = "https://client.example";
+        _options.Application.ConfirmEmailFormPath = "/confirm-email";
+
+        var result = _service.GenerateConfirmEmailLink("user@example.com", token);
+        var uri = new Uri(result);
+        var query = QueryHelpers.ParseQuery(uri.Query);
+
+        var encodedToken = query["token"].ToString();
+        // Should not contain raw +, /, = (Base64URL uses -, _, no padding)
+        Assert.DoesNotContain("+", encodedToken);
+        Assert.DoesNotContain("/", encodedToken);
+
+        // Decoding should return the original token
+        var decodedToken = Encoding.UTF8.GetString(WebEncoders.Base64UrlDecode(encodedToken));
+        Assert.Equal(token, decodedToken);
     }
 }
diff --git a/src/tests/Idmt.UnitTests/Services/IdmtUserClaimsPrincipalFactoryTests.cs b/src/tests/Idmt.UnitTests/Services/IdmtUserClaimsPrincipalFactoryTests.cs
index 89376e8..de2b931 100644
--- a/src/tests/Idmt.UnitTests/Services/IdmtUserClaimsPrincipalFactoryTests.cs
+++ b/src/tests/Idmt.UnitTests/Services/IdmtUserClaimsPrincipalFactoryTests.cs
@@ -75,7 +75,8 @@ public IdmtUserClaimsPrincipalFactoryTests()
             _roleManagerMock.Object,
             _identityOptionsMock.Object,
             _tenantStoreMock.Object,
-            _idmtOptionsMock.Object);
+            _idmtOptionsMock.Object,
+            Microsoft.Extensions.Logging.Abstractions.NullLogger<IdmtUserClaimsPrincipalFactory>.Instance);
     }
 
     private async Task<ClaimsIdentity> CallGenerateClaimsAsync(IdmtUser user)
@@ -213,7 +214,8 @@ public async Task CreateAsync_AddsTenantClaim_WithCustomClaimType()
             _roleManagerMock.Object,
             _identityOptionsMock.Object,
             customTenantStoreMock.Object,
-            customOptionsMock.Object);
+            customOptionsMock.Object,
+            Microsoft.Extensions.Logging.Abstractions.NullLogger<IdmtUserClaimsPrincipalFactory>.Instance);
 
         var user = new IdmtUser
         {
diff --git a/src/tests/Idmt.UnitTests/Services/TenantAccessServiceTests.cs b/src/tests/Idmt.UnitTests/Services/TenantAccessServiceTests.cs
index 448b0e5..f686008 100644
--- a/src/tests/Idmt.UnitTests/Services/TenantAccessServiceTests.cs
+++ b/src/tests/Idmt.UnitTests/Services/TenantAccessServiceTests.cs
@@ -3,6 +3,7 @@
 using Idmt.Plugin.Persistence;
 using Idmt.Plugin.Services;
 using Microsoft.EntityFrameworkCore;
+using Microsoft.Extensions.Logging.Abstractions;
 using Moq;
 
 namespace Idmt.UnitTests.Services;
@@ -31,11 +32,14 @@ public TenantAccessServiceTests()
         _dbContext = new IdmtDbContext(
             _tenantAccessorMock.Object,
             options,
-            _currentUserServiceMock.Object);
+            _currentUserServiceMock.Object,
+            TimeProvider.System,
+            NullLogger<IdmtDbContext>.Instance);
 
         _service = new TenantAccessService(
             _dbContext,
-            _currentUserServiceMock.Object);
+            _currentUserServiceMock.Object,
+            TimeProvider.System);
     }
 
     [Fact]
@@ -87,6 +91,7 @@ public async Task CanAccessTenantAsync_ReturnsFalse_WhenAccessExpired()
     }
 
     [Theory]
+    [InlineData(IdmtDefaultRoleTypes.SysAdmin, "AnyRole", true)]
     [InlineData(IdmtDefaultRoleTypes.SysSupport, IdmtDefaultRoleTypes.SysAdmin, false)]
     [InlineData(IdmtDefaultRoleTypes.SysSupport, IdmtDefaultRoleTypes.TenantAdmin, true)]
     [InlineData(IdmtDefaultRoleTypes.TenantAdmin, IdmtDefaultRoleTypes.SysAdmin, false)]
@@ -106,6 +111,17 @@ public void CanAssignRole_ValidatesRoleHierarchy(string currentUserRole, string
         Assert.Equal(expected, result);
     }
 
+    [Fact]
+    public void CanManageUser_ReturnsTrue_WhenSysAdminManagesAnyUser()
+    {
+        _currentUserServiceMock.Reset();
+        _currentUserServiceMock.Setup(x => x.IsInRole(IdmtDefaultRoleTypes.SysAdmin)).Returns(true);
+
+        var result = _service.CanManageUser([IdmtDefaultRoleTypes.SysAdmin]);
+
+        Assert.True(result);
+    }
+
     [Fact]
     public void CanManageUser_ReturnsFalse_WhenSysSupportManagesSysAdmin()
     {
@@ -135,4 +151,51 @@ public void CanManageUser_ReturnsTrue_WhenSysSupportManagesTenantAdmin()
 
         Assert.True(result);
     }
+
+    [Fact]
+    public async Task CanAccessTenantAsync_ReturnsTrue_WhenAccessExpiringInFuture()
+    {
+        var userId = Guid.NewGuid();
+        var tenantId = "tenant1";
+
+        _dbContext.TenantAccess.Add(
+            new TenantAccess { UserId = userId, TenantId = tenantId, IsActive = true, ExpiresAt = DateTime.UtcNow.AddDays(1) }
+        );
+        await _dbContext.SaveChangesAsync();
+
+        var result = await _service.CanAccessTenantAsync(userId, tenantId);
+
+        Assert.True(result);
+    }
+
+    [Fact]
+    public async Task CanAccessTenantAsync_ReturnsFalse_WhenNoAccessRecord()
+    {
+        var userId = Guid.NewGuid();
+        var tenantId = "tenant1";
+
+        var result = await _service.CanAccessTenantAsync(userId, tenantId);
+
+        Assert.False(result);
+    }
+
+    [Fact]
+    public void CanManageUser_ReturnsFalse_WhenTenantAdminManagesSysUser()
+    {
+        _currentUserServiceMock.Setup(x => x.IsInRole(IdmtDefaultRoleTypes.TenantAdmin)).Returns(true);
+
+        var result = _service.CanManageUser([IdmtDefaultRoleTypes.SysSupport]);
+
+        Assert.False(result);
+    }
+
+    [Fact]
+    public void CanManageUser_ReturnsTrue_WhenTenantAdminManagesTenantUser()
+    {
+        _currentUserServiceMock.Setup(x => x.IsInRole(IdmtDefaultRoleTypes.TenantAdmin)).Returns(true);
+
+        var result = _service.CanManageUser(["CustomRole"]);
+
+        Assert.True(result);
+    }
 }
diff --git a/src/tests/Idmt.UnitTests/Services/TenantOperationServiceTests.cs b/src/tests/Idmt.UnitTests/Services/TenantOperationServiceTests.cs
new file mode 100644
index 0000000..1acc661
--- /dev/null
+++ b/src/tests/Idmt.UnitTests/Services/TenantOperationServiceTests.cs
@@ -0,0 +1,89 @@
+using ErrorOr;
+using Finbuckle.MultiTenant.Abstractions;
+using Idmt.Plugin.Models;
+using Idmt.Plugin.Services;
+using Microsoft.Extensions.DependencyInjection;
+using Moq;
+
+namespace Idmt.UnitTests.Services;
+
+public class TenantOperationServiceTests
+{
+    private readonly Mock<IMultiTenantStore<IdmtTenantInfo>> _tenantStoreMock;
+    private readonly Mock<IMultiTenantContextSetter> _tenantContextSetterMock;
+    private readonly TenantOperationService _service;
+
+    public TenantOperationServiceTests()
+    {
+        _tenantStoreMock = new Mock<IMultiTenantStore<IdmtTenantInfo>>();
+        _tenantContextSetterMock = new Mock<IMultiTenantContextSetter>();
+
+        var services = new ServiceCollection();
+        services.AddSingleton(_tenantStoreMock.Object);
+        services.AddSingleton(_tenantContextSetterMock.Object);
+        var serviceProvider = services.BuildServiceProvider();
+
+        _service = new TenantOperationService(serviceProvider);
+    }
+
+    [Fact]
+    public async Task ExecuteInTenantScopeAsync_ReturnsTenantNotFound_WhenTenantDoesNotExist()
+    {
+        _tenantStoreMock.Setup(x => x.GetByIdentifierAsync("nonexistent"))
+            .ReturnsAsync((IdmtTenantInfo?)null);
+
+        var result = await _service.ExecuteInTenantScopeAsync("nonexistent",
+            _ => Task.FromResult<ErrorOr<Success>>(Result.Success));
+
+        Assert.True(result.IsError);
+        Assert.Equal("Tenant.NotFound", result.FirstError.Code);
+    }
+
+    [Fact]
+    public async Task ExecuteInTenantScopeAsync_ReturnsTenantInactive_WhenRequireActiveAndTenantInactive()
+    {
+        var tenant = new IdmtTenantInfo("inactive-tenant", "inactive-tenant", "Inactive") { IsActive = false };
+        _tenantStoreMock.Setup(x => x.GetByIdentifierAsync("inactive-tenant"))
+            .ReturnsAsync(tenant);
+
+        var result = await _service.ExecuteInTenantScopeAsync("inactive-tenant",
+            _ => Task.FromResult<ErrorOr<Success>>(Result.Success),
+            requireActive: true);
+
+        Assert.True(result.IsError);
+        Assert.Equal("Tenant.Inactive", result.FirstError.Code);
+    }
+
+    [Fact]
+    public async Task ExecuteInTenantScopeAsync_AllowsExecution_WhenRequireActiveFalseAndTenantInactive()
+    {
+        var tenant = new IdmtTenantInfo("inactive-tenant", "inactive-tenant", "Inactive") { IsActive = false };
+        _tenantStoreMock.Setup(x => x.GetByIdentifierAsync("inactive-tenant"))
+            .ReturnsAsync(tenant);
+
+        var result = await _service.ExecuteInTenantScopeAsync("inactive-tenant",
+            _ => Task.FromResult<ErrorOr<Success>>(Result.Success),
+            requireActive: false);
+
+        Assert.False(result.IsError);
+    }
+
+    [Fact]
+    public async Task ExecuteInTenantScopeAsync_SetsTenantContext_BeforeCallingOperation()
+    {
+        var tenant = new IdmtTenantInfo("test-tenant", "test-tenant", "Test") { IsActive = true };
+        _tenantStoreMock.Setup(x => x.GetByIdentifierAsync("test-tenant"))
+            .ReturnsAsync(tenant);
+
+        IMultiTenantContext? capturedContext = null;
+        _tenantContextSetterMock.SetupSet(x => x.MultiTenantContext = It.IsAny<IMultiTenantContext>())
+            .Callback<IMultiTenantContext>(ctx => capturedContext = ctx);
+
+        var result = await _service.ExecuteInTenantScopeAsync("test-tenant",
+            _ => Task.FromResult<ErrorOr<Success>>(Result.Success));
+
+        Assert.False(result.IsError);
+        Assert.NotNull(capturedContext);
+        Assert.Equal("test-tenant", capturedContext!.TenantInfo?.Identifier);
+    }
+}
diff --git a/src/tests/Idmt.UnitTests/Services/TokenRevocationCleanupServiceTests.cs b/src/tests/Idmt.UnitTests/Services/TokenRevocationCleanupServiceTests.cs
new file mode 100644
index 0000000..3a9bc82
--- /dev/null
+++ b/src/tests/Idmt.UnitTests/Services/TokenRevocationCleanupServiceTests.cs
@@ -0,0 +1,161 @@
+using Idmt.Plugin.Services;
+using Microsoft.Extensions.DependencyInjection;
+using Microsoft.Extensions.Logging.Abstractions;
+using Moq;
+
+namespace Idmt.UnitTests.Services;
+
+public class TokenRevocationCleanupServiceTests
+{
+    // A very short interval lets the tests run without real wall-clock waiting.
+    private static readonly TimeSpan TestInterval = TimeSpan.FromMilliseconds(50);
+
+    // ---------------------------------------------------------------------------
+    // Helper: build the service under test wired to the given scope factory.
+    // ---------------------------------------------------------------------------
+    private static TokenRevocationCleanupService BuildSut(IServiceScopeFactory scopeFactory) =>
+        new(scopeFactory, NullLogger<TokenRevocationCleanupService>.Instance, TestInterval);
+
+    // ---------------------------------------------------------------------------
+    // Helper: create a scope factory whose scopes resolve the given revocation mock.
+    // ---------------------------------------------------------------------------
+    private static IServiceScopeFactory BuildScopeFactory(ITokenRevocationService revocationService)
+    {
+        var serviceProvider = new Mock<IServiceProvider>();
+        serviceProvider
+            .Setup(sp => sp.GetService(typeof(ITokenRevocationService)))
+            .Returns(revocationService);
+
+        var scope = new Mock<IServiceScope>();
+        scope.SetupGet(s => s.ServiceProvider).Returns(serviceProvider.Object);
+
+        var scopeFactory = new Mock<IServiceScopeFactory>();
+        scopeFactory.Setup(f => f.CreateScope()).Returns(scope.Object);
+
+        return scopeFactory.Object;
+    }
+
+    // ---------------------------------------------------------------------------
+    // Test 1: CleanupExpiredAsync is called after the interval elapses.
+    // ---------------------------------------------------------------------------
+    [Fact]
+    public async Task ExecuteAsync_CallsCleanupExpiredAsync_AfterInterval()
+    {
+        // Arrange
+        var revocationMock = new Mock<ITokenRevocationService>();
+
+        // Block after the first cleanup so the loop does not spin again during
+        // the assertion window — the second delay will wait on the token.
+        var firstCallCompleted = new TaskCompletionSource(TaskCreationOptions.RunContinuationsAsynchronously);
+        revocationMock
+            .Setup(s => s.CleanupExpiredAsync(It.IsAny<CancellationToken>()))
+            .Callback(() => firstCallCompleted.TrySetResult())
+            .Returns(Task.CompletedTask);
+
+        using var cts = new CancellationTokenSource();
+        var sut = BuildSut(BuildScopeFactory(revocationMock.Object));
+
+        // Act: start the background service and wait for the first cleanup to fire.
+        var backgroundTask = sut.StartAsync(cts.Token);
+
+        var completedInTime = await Task.WhenAny(
+            firstCallCompleted.Task,
+            Task.Delay(TimeSpan.FromSeconds(5)));
+
+        // Cancel so the service shuts down cleanly.
+        await cts.CancelAsync();
+        await sut.StopAsync(CancellationToken.None);
+        await backgroundTask;
+
+        // Assert
+        Assert.True(completedInTime == firstCallCompleted.Task,
+            "CleanupExpiredAsync was not called within the timeout.");
+
+        revocationMock.Verify(
+            s => s.CleanupExpiredAsync(It.IsAny<CancellationToken>()),
+            Times.AtLeastOnce);
+    }
+
+    // ---------------------------------------------------------------------------
+    // Test 2: An exception thrown by CleanupExpiredAsync does not crash the loop;
+    //         the service continues and calls cleanup again on the next iteration.
+    // ---------------------------------------------------------------------------
+    [Fact]
+    public async Task ExecuteAsync_ContinuesRunning_AfterCleanupThrows()
+    {
+        // Arrange
+        var revocationMock = new Mock<ITokenRevocationService>();
+        var secondCallCompleted = new TaskCompletionSource(TaskCreationOptions.RunContinuationsAsynchronously);
+
+        var callCount = 0;
+        revocationMock
+            .Setup(s => s.CleanupExpiredAsync(It.IsAny<CancellationToken>()))
+            .Returns(() =>
+            {
+                callCount++;
+                if (callCount == 1)
+                {
+                    // First call: simulate a transient database error.
+                    throw new InvalidOperationException("Simulated DB failure");
+                }
+
+                // Second call: succeed and signal the test.
+                secondCallCompleted.TrySetResult();
+                return Task.CompletedTask;
+            });
+
+        using var cts = new CancellationTokenSource();
+        var sut = BuildSut(BuildScopeFactory(revocationMock.Object));
+
+        // Act
+        var backgroundTask = sut.StartAsync(cts.Token);
+
+        var completedInTime = await Task.WhenAny(
+            secondCallCompleted.Task,
+            Task.Delay(TimeSpan.FromSeconds(5)));
+
+        await cts.CancelAsync();
+        await sut.StopAsync(CancellationToken.None);
+        await backgroundTask;
+
+        // Assert: the service recovered from the exception and ran a second cleanup.
+        Assert.True(completedInTime == secondCallCompleted.Task,
+            "Service did not recover and call CleanupExpiredAsync a second time after an exception.");
+
+        revocationMock.Verify(
+            s => s.CleanupExpiredAsync(It.IsAny<CancellationToken>()),
+            Times.AtLeast(2));
+    }
+
+    // ---------------------------------------------------------------------------
+    // Test 3: Cancellation during Task.Delay causes a clean shutdown without
+    //         calling CleanupExpiredAsync at all.
+    // ---------------------------------------------------------------------------
+    [Fact]
+    public async Task ExecuteAsync_StopsCleanly_WhenCancelledDuringDelay()
+    {
+        // Arrange: use a very long interval so cancellation fires while waiting.
+        var revocationMock = new Mock<ITokenRevocationService>();
+
+        var scopeFactory = BuildScopeFactory(revocationMock.Object);
+        var sut = new TokenRevocationCleanupService(
+            scopeFactory,
+            NullLogger<TokenRevocationCleanupService>.Instance,
+            interval: TimeSpan.FromHours(1)); // long interval — cancellation fires first
+
+        using var cts = new CancellationTokenSource();
+
+        // Act
+        var backgroundTask = sut.StartAsync(cts.Token);
+
+        // Cancel almost immediately — the service is inside Task.Delay(1h).
+        await cts.CancelAsync();
+        await sut.StopAsync(CancellationToken.None);
+        await backgroundTask;
+
+        // Assert: cleanup was never reached because cancellation fired during the delay.
+        revocationMock.Verify(
+            s => s.CleanupExpiredAsync(It.IsAny<CancellationToken>()),
+            Times.Never);
+    }
+}
diff --git a/src/tests/Idmt.UnitTests/Services/TokenRevocationServiceTests.cs b/src/tests/Idmt.UnitTests/Services/TokenRevocationServiceTests.cs
new file mode 100644
index 0000000..de60be0
--- /dev/null
+++ b/src/tests/Idmt.UnitTests/Services/TokenRevocationServiceTests.cs
@@ -0,0 +1,323 @@
+using Finbuckle.MultiTenant.Abstractions;
+using Idmt.Plugin.Configuration;
+using Idmt.Plugin.Models;
+using Idmt.Plugin.Persistence;
+using Idmt.Plugin.Services;
+using Microsoft.Data.Sqlite;
+using Microsoft.EntityFrameworkCore;
+using Microsoft.Extensions.Logging.Abstractions;
+using Microsoft.Extensions.Options;
+using Microsoft.Extensions.Time.Testing;
+using Moq;
+
+namespace Idmt.UnitTests.Services;
+
+public class TokenRevocationServiceTests : IDisposable
+{
+    private readonly SqliteConnection _connection;
+    private readonly IdmtDbContext _dbContext;
+    private readonly FakeTimeProvider _timeProvider;
+    private readonly TokenRevocationService _sut;
+
+    private static readonly Guid UserId = Guid.NewGuid();
+    private const string TenantId = "test-tenant";
+
+    public TokenRevocationServiceTests()
+    {
+        // Use SQLite in-memory so ExecuteDeleteAsync is supported
+        _connection = new SqliteConnection("DataSource=:memory:");
+        _connection.Open();
+
+        var tenantAccessorMock = new Mock<IMultiTenantContextAccessor>();
+        var currentUserServiceMock = new Mock<ICurrentUserService>();
+
+        var dummyTenant = new IdmtTenantInfo("sys-id", "system-test", "System Test");
+        var dummyContext = new MultiTenantContext<IdmtTenantInfo>(dummyTenant);
+        tenantAccessorMock.SetupGet(x => x.MultiTenantContext).Returns(dummyContext);
+
+        var options = new DbContextOptionsBuilder<IdmtDbContext>()
+            .UseSqlite(_connection)
+            .Options;
+
+        _dbContext = new IdmtDbContext(
+            tenantAccessorMock.Object,
+            options,
+            currentUserServiceMock.Object,
+            TimeProvider.System,
+            NullLogger<IdmtDbContext>.Instance);
+
+        _dbContext.Database.EnsureCreated();
+
+        _timeProvider = new FakeTimeProvider(new DateTimeOffset(2026, 3, 4, 12, 0, 0, TimeSpan.Zero));
+
+        var idmtOptions = Options.Create(new IdmtOptions());
+
+        _sut = new TokenRevocationService(
+            _dbContext,
+            _timeProvider,
+            idmtOptions,
+            NullLogger<TokenRevocationService>.Instance);
+    }
+
+    [Fact]
+    public async Task IsTokenRevokedAsync_ReturnsTrue_WhenTokenIssuedBeforeRevocation()
+    {
+        // Arrange: revoke at T=20, token issued at T=10
+        var revokedAt = new DateTimeOffset(2026, 3, 4, 0, 0, 20, TimeSpan.Zero);
+        var issuedAt = new DateTimeOffset(2026, 3, 4, 0, 0, 10, TimeSpan.Zero);
+
+        _dbContext.RevokedTokens.Add(new RevokedToken
+        {
+            TokenId = $"{UserId}:{TenantId}",
+            RevokedAt = revokedAt,
+            ExpiresAt = revokedAt.AddDays(30)
+        });
+        await _dbContext.SaveChangesAsync();
+
+        // Act
+        var result = await _sut.IsTokenRevokedAsync(UserId, TenantId, issuedAt);
+
+        // Assert
+        Assert.True(result);
+    }
+
+    [Fact]
+    public async Task IsTokenRevokedAsync_ReturnsFalse_WhenTokenIssuedAfterRevocation()
+    {
+        // Arrange: revoke at T=20, token issued at T=30
+        var revokedAt = new DateTimeOffset(2026, 3, 4, 0, 0, 20, TimeSpan.Zero);
+        var issuedAt = new DateTimeOffset(2026, 3, 4, 0, 0, 30, TimeSpan.Zero);
+
+        _dbContext.RevokedTokens.Add(new RevokedToken
+        {
+            TokenId = $"{UserId}:{TenantId}",
+            RevokedAt = revokedAt,
+            ExpiresAt = revokedAt.AddDays(30)
+        });
+        await _dbContext.SaveChangesAsync();
+
+        // Act
+        var result = await _sut.IsTokenRevokedAsync(UserId, TenantId, issuedAt);
+
+        // Assert
+        Assert.False(result);
+    }
+
+    [Fact]
+    public async Task IsTokenRevokedAsync_ReturnsFalse_WhenTokenIssuedAtExactRevocationTime()
+    {
+        // Arrange: revoke at T=20, token issued at T=20 (boundary: strict < means NOT revoked)
+        var revokedAt = new DateTimeOffset(2026, 3, 4, 0, 0, 20, TimeSpan.Zero);
+        var issuedAt = new DateTimeOffset(2026, 3, 4, 0, 0, 20, TimeSpan.Zero);
+
+        _dbContext.RevokedTokens.Add(new RevokedToken
+        {
+            TokenId = $"{UserId}:{TenantId}",
+            RevokedAt = revokedAt,
+            ExpiresAt = revokedAt.AddDays(30)
+        });
+        await _dbContext.SaveChangesAsync();
+
+        // Act
+        var result = await _sut.IsTokenRevokedAsync(UserId, TenantId, issuedAt);
+
+        // Assert: strict less-than means exact match is NOT revoked
+        Assert.False(result);
+    }
+
+    [Fact]
+    public async Task IsTokenRevokedAsync_ReturnsFalse_WhenNoRevocationExists()
+    {
+        // Arrange: no revocation record in the database
+        var issuedAt = new DateTimeOffset(2026, 3, 4, 0, 0, 10, TimeSpan.Zero);
+
+        // Act
+        var result = await _sut.IsTokenRevokedAsync(UserId, TenantId, issuedAt);
+
+        // Assert
+        Assert.False(result);
+    }
+
+    [Fact]
+    public async Task RevokeUserTokensAsync_CreatesNewRecord_WhenNoneExists()
+    {
+        // Arrange
+        var now = _timeProvider.GetUtcNow();
+        var expectedTokenId = $"{UserId}:{TenantId}";
+        var expectedExpiration = TimeSpan.FromDays(30); // default RefreshTokenExpiration
+
+        // Act
+        await _sut.RevokeUserTokensAsync(UserId, TenantId);
+
+        // Assert
+        var record = await _dbContext.RevokedTokens.FindAsync(expectedTokenId);
+        Assert.NotNull(record);
+        Assert.Equal(expectedTokenId, record.TokenId);
+        Assert.Equal(now, record.RevokedAt);
+        Assert.Equal(now.Add(expectedExpiration), record.ExpiresAt);
+    }
+
+    [Fact]
+    public async Task RevokeUserTokensAsync_UpdatesExpiresAt_WhenRecordAlreadyExists()
+    {
+        // Arrange: create an initial revocation record
+        var initialTime = new DateTimeOffset(2026, 3, 1, 0, 0, 0, TimeSpan.Zero);
+        var tokenId = $"{UserId}:{TenantId}";
+
+        _dbContext.RevokedTokens.Add(new RevokedToken
+        {
+            TokenId = tokenId,
+            RevokedAt = initialTime,
+            ExpiresAt = initialTime.AddDays(30)
+        });
+        await _dbContext.SaveChangesAsync();
+
+        // Advance time so we can observe the ExpiresAt update
+        _timeProvider.Advance(TimeSpan.FromHours(1));
+        var expectedNow = _timeProvider.GetUtcNow();
+
+        // Act
+        await _sut.RevokeUserTokensAsync(UserId, TenantId);
+
+        // Assert: ExpiresAt slides forward from the new call time
+        var record = await _dbContext.RevokedTokens.FindAsync(tokenId);
+        Assert.NotNull(record);
+        Assert.Equal(expectedNow.AddDays(30), record.ExpiresAt);
+    }
+
+    [Fact]
+    public async Task RevokeUserTokensAsync_DoesNotMoveRevokedAt_WhenRecordAlreadyExists()
+    {
+        // Arrange: seed a record with a known original RevokedAt timestamp
+        var originalRevokedAt = new DateTimeOffset(2026, 3, 1, 0, 0, 0, TimeSpan.Zero);
+        var tokenId = $"{UserId}:{TenantId}";
+
+        _dbContext.RevokedTokens.Add(new RevokedToken
+        {
+            TokenId = tokenId,
+            RevokedAt = originalRevokedAt,
+            ExpiresAt = originalRevokedAt.AddDays(30)
+        });
+        await _dbContext.SaveChangesAsync();
+
+        // Advance the clock so that re-revoking would use a later timestamp
+        _timeProvider.Advance(TimeSpan.FromHours(6));
+        var laterTime = _timeProvider.GetUtcNow();
+
+        // Sanity-check: the later time really is after the original
+        Assert.True(laterTime > originalRevokedAt);
+
+        // Act: revoke again for the same user / tenant
+        await _sut.RevokeUserTokensAsync(UserId, TenantId);
+
+        // Assert: RevokedAt must remain at the original value so that tokens
+        // issued between originalRevokedAt and laterTime stay revoked
+        var record = await _dbContext.RevokedTokens.FindAsync(tokenId);
+        Assert.NotNull(record);
+        Assert.Equal(originalRevokedAt, record.RevokedAt);
+
+        // ExpiresAt must have been extended to the new call time + expiry window
+        Assert.Equal(laterTime.AddDays(30), record.ExpiresAt);
+    }
+
+    [Fact]
+    public async Task CleanupExpiredAsync_DeletesOnlyExpiredRecords()
+    {
+        // Arrange: add two records -- one expired, one still valid
+        var now = _timeProvider.GetUtcNow();
+
+        var expiredRecord = new RevokedToken
+        {
+            TokenId = "expired-user:tenant-a",
+            RevokedAt = now.AddDays(-60),
+            ExpiresAt = now.AddHours(-1) // expired
+        };
+
+        var activeRecord = new RevokedToken
+        {
+            TokenId = "active-user:tenant-b",
+            RevokedAt = now.AddHours(-1),
+            ExpiresAt = now.AddDays(29) // still valid
+        };
+
+        _dbContext.RevokedTokens.AddRange(expiredRecord, activeRecord);
+        await _dbContext.SaveChangesAsync();
+
+        // Act
+        await _sut.CleanupExpiredAsync();
+
+        // Assert
+        var remaining = await _dbContext.RevokedTokens.ToListAsync();
+        Assert.Single(remaining);
+        Assert.Equal("active-user:tenant-b", remaining[0].TokenId);
+    }
+
+    /// <summary>
+    /// Documents the TOCTOU race-condition retry contract for
+    /// <see cref="TokenRevocationService.RevokeUserTokensAsync"/>.
+    ///
+    /// Race scenario:
+    ///   Two concurrent logout requests for the same user+tenant both call
+    ///   RevokeUserTokensAsync at roughly the same time.
+    ///   1. Both see FindAsync return null (no existing record).
+    ///   2. Both queue a new RevokedToken for insert.
+    ///   3. The first SaveChangesAsync succeeds.
+    ///   4. The second hits a unique constraint violation (DbUpdateException).
+    ///   5. The catch block clears the tracker, reloads the winner's record,
+    ///      and updates only ExpiresAt — leaving RevokedAt untouched.
+    ///
+    /// True concurrent DB access cannot be deterministically reproduced with a
+    /// single-connection SQLite in-memory database in a unit test, so this test
+    /// instead verifies the retry path directly: it seeds the winning record
+    /// first, then asserts that a second call (which would follow the update
+    /// branch, not the retry branch) correctly extends ExpiresAt without moving
+    /// RevokedAt. The retry branch itself is covered structurally by the
+    /// try/catch in the production code; a full concurrency integration test
+    /// would require two separate DbContext instances backed by a real database.
+    /// </summary>
+    [Fact]
+    public async Task RevokeUserTokensAsync_ConcurrentInsertRace_RetryUpdatesExpiresAtWithoutMovingRevokedAt()
+    {
+        // Arrange: simulate the state left by the "winning" concurrent insert —
+        // a record already exists in the database before our call begins.
+        var winnerRevokedAt = new DateTimeOffset(2026, 3, 4, 12, 0, 0, TimeSpan.Zero);
+        var tokenId = $"{UserId}:{TenantId}";
+
+        _dbContext.RevokedTokens.Add(new RevokedToken
+        {
+            TokenId = tokenId,
+            RevokedAt = winnerRevokedAt,
+            ExpiresAt = winnerRevokedAt.AddDays(30)
+        });
+        await _dbContext.SaveChangesAsync();
+
+        // Advance the clock slightly so the second caller's ExpiresAt differs
+        // from the winner's — this lets us assert the slide-forward happened.
+        _timeProvider.Advance(TimeSpan.FromSeconds(5));
+        var secondCallerNow = _timeProvider.GetUtcNow();
+
+        // Act: the "losing" caller arrives after the winner has already inserted.
+        // Because FindAsync now returns the existing record, the service takes the
+        // update branch. The important invariant is that RevokedAt is not moved.
+        await _sut.RevokeUserTokensAsync(UserId, TenantId);
+
+        // Assert
+        var record = await _dbContext.RevokedTokens.FindAsync(tokenId);
+        Assert.NotNull(record);
+
+        // RevokedAt must remain at the winner's original timestamp so that every
+        // token issued before that moment stays revoked.
+        Assert.Equal(winnerRevokedAt, record.RevokedAt);
+
+        // ExpiresAt must be extended to the second caller's expiry window so the
+        // revocation record lives long enough to cover both callers' refresh-token
+        // lifetimes.
+        Assert.Equal(secondCallerNow.AddDays(30), record.ExpiresAt);
+    }
+
+    public void Dispose()
+    {
+        _dbContext.Dispose();
+        _connection.Dispose();
+    }
+}
diff --git a/src/tests/Idmt.UnitTests/Validation/FluentValidatorTests.cs b/src/tests/Idmt.UnitTests/Validation/FluentValidatorTests.cs
new file mode 100644
index 0000000..03f2b1c
--- /dev/null
+++ b/src/tests/Idmt.UnitTests/Validation/FluentValidatorTests.cs
@@ -0,0 +1,217 @@
+using FluentValidation.TestHelper;
+using Idmt.Plugin.Configuration;
+using Idmt.Plugin.Features.Admin;
+using Idmt.Plugin.Features.Auth;
+using Idmt.Plugin.Features.Manage;
+using Idmt.Plugin.Validation;
+using Microsoft.Extensions.Options;
+using Moq;
+
+namespace Idmt.UnitTests.Validation;
+
+public class FluentValidatorTests
+{
+    private static IOptions<IdmtOptions> DefaultOptions()
+    {
+        var mock = new Mock<IOptions<IdmtOptions>>();
+        mock.Setup(x => x.Value).Returns(new IdmtOptions());
+        return mock.Object;
+    }
+
+    #region LoginRequestValidator
+
+    [Fact]
+    public void LoginRequestValidator_Fails_WhenNeitherEmailNorUsername()
+    {
+        var validator = new LoginRequestValidator();
+        var request = new Login.LoginRequest { Password = "Test1234!" };
+        var result = validator.TestValidate(request);
+        Assert.False(result.IsValid);
+    }
+
+    [Fact]
+    public void LoginRequestValidator_Passes_WithEmail()
+    {
+        var validator = new LoginRequestValidator();
+        var request = new Login.LoginRequest { Email = "user@example.com", Password = "Test1234!" };
+        var result = validator.TestValidate(request);
+        result.ShouldNotHaveAnyValidationErrors();
+    }
+
+    [Fact]
+    public void LoginRequestValidator_Passes_WithUsername()
+    {
+        var validator = new LoginRequestValidator();
+        var request = new Login.LoginRequest { Username = "testuser", Password = "Test1234!" };
+        var result = validator.TestValidate(request);
+        result.ShouldNotHaveAnyValidationErrors();
+    }
+
+    [Fact]
+    public void LoginRequestValidator_Fails_WithEmptyPassword()
+    {
+        var validator = new LoginRequestValidator();
+        var request = new Login.LoginRequest { Email = "user@example.com", Password = "" };
+        var result = validator.TestValidate(request);
+        result.ShouldHaveValidationErrorFor(x => x.Password);
+    }
+
+    #endregion
+
+    #region CreateTenantRequestValidator
+
+    [Fact]
+    public void CreateTenantRequestValidator_Fails_WithUppercaseIdentifier()
+    {
+        var validator = new CreateTenantRequestValidator();
+        var request = new CreateTenant.CreateTenantRequest("UPPERCASE", "Name");
+        var result = validator.TestValidate(request);
+        result.ShouldHaveValidationErrorFor(x => x.Identifier);
+    }
+
+    [Fact]
+    public void CreateTenantRequestValidator_Passes_WithValidData()
+    {
+        var validator = new CreateTenantRequestValidator();
+        var request = new CreateTenant.CreateTenantRequest("valid-tenant_1", "Name");
+        var result = validator.TestValidate(request);
+        result.ShouldNotHaveAnyValidationErrors();
+    }
+
+    [Fact]
+    public void CreateTenantRequestValidator_Fails_WithEmptyIdentifier()
+    {
+        var validator = new CreateTenantRequestValidator();
+        var request = new CreateTenant.CreateTenantRequest("", "Name");
+        var result = validator.TestValidate(request);
+        result.ShouldHaveValidationErrorFor(x => x.Identifier);
+    }
+
+    #endregion
+
+    #region RegisterUserRequestValidator
+
+    [Fact]
+    public void RegisterUserRequestValidator_Fails_WithInvalidEmail()
+    {
+        var validator = new RegisterUserRequestValidator(DefaultOptions());
+        var request = new RegisterUser.RegisterUserRequest { Email = "not-an-email", Role = "Admin" };
+        var result = validator.TestValidate(request);
+        result.ShouldHaveValidationErrorFor(x => x.Email);
+    }
+
+    [Fact]
+    public void RegisterUserRequestValidator_Fails_WithDisallowedUsernameChars()
+    {
+        var options = DefaultOptions();
+        var validator = new RegisterUserRequestValidator(options);
+        var request = new RegisterUser.RegisterUserRequest
+        {
+            Email = "user@example.com",
+            Username = "user<script>",
+            Role = "Admin"
+        };
+        var result = validator.TestValidate(request);
+        result.ShouldHaveValidationErrorFor(x => x.Username);
+    }
+
+    [Fact]
+    public void RegisterUserRequestValidator_Passes_WithValidData()
+    {
+        var validator = new RegisterUserRequestValidator(DefaultOptions());
+        var request = new RegisterUser.RegisterUserRequest { Email = "user@example.com", Role = "Admin" };
+        var result = validator.TestValidate(request);
+        result.ShouldNotHaveAnyValidationErrors();
+    }
+
+    #endregion
+
+    #region UpdateUserInfoRequestValidator
+
+    [Fact]
+    public void UpdateUserInfoRequestValidator_Fails_WhenNewPasswordWithoutOldPassword()
+    {
+        var validator = new UpdateUserInfoRequestValidator(DefaultOptions());
+        var request = new UpdateUserInfo.UpdateUserInfoRequest(NewPassword: "NewPass1!");
+        var result = validator.TestValidate(request);
+        result.ShouldHaveValidationErrorFor(x => x.OldPassword);
+    }
+
+    [Fact]
+    public void UpdateUserInfoRequestValidator_Passes_WhenAllFieldsNull()
+    {
+        var validator = new UpdateUserInfoRequestValidator(DefaultOptions());
+        var request = new UpdateUserInfo.UpdateUserInfoRequest();
+        var result = validator.TestValidate(request);
+        result.ShouldNotHaveAnyValidationErrors();
+    }
+
+    #endregion
+
+    #region ConfirmEmailRequestValidator
+
+    [Fact]
+    public void ConfirmEmailRequestValidator_Fails_WithEmptyFields()
+    {
+        var validator = new ConfirmEmailRequestValidator();
+        var request = new ConfirmEmail.ConfirmEmailRequest("", "", "");
+        var result = validator.TestValidate(request);
+        result.ShouldHaveValidationErrorFor(x => x.TenantIdentifier);
+        result.ShouldHaveValidationErrorFor(x => x.Email);
+        result.ShouldHaveValidationErrorFor(x => x.Token);
+    }
+
+    #endregion
+
+    #region ForgotPasswordRequestValidator
+
+    [Fact]
+    public void ForgotPasswordRequestValidator_Fails_WithInvalidEmail()
+    {
+        var validator = new ForgotPasswordRequestValidator();
+        var request = new ForgotPassword.ForgotPasswordRequest("not-an-email");
+        var result = validator.TestValidate(request);
+        result.ShouldHaveValidationErrorFor(x => x.Email);
+    }
+
+    #endregion
+
+    #region RefreshTokenRequestValidator
+
+    [Fact]
+    public void RefreshTokenRequestValidator_Fails_WithEmptyToken()
+    {
+        var validator = new RefreshTokenRequestValidator();
+        var request = new RefreshToken.RefreshTokenRequest("");
+        var result = validator.TestValidate(request);
+        result.ShouldHaveValidationErrorFor(x => x.RefreshToken);
+    }
+
+    #endregion
+
+    #region ResetPasswordRequestValidator
+
+    [Fact]
+    public void ResetPasswordRequestValidator_Fails_WithWeakPassword()
+    {
+        var validator = new ResetPasswordRequestValidator(DefaultOptions());
+        var request = new ResetPassword.ResetPasswordRequest("tenant1", "user@example.com", "valid-token", "weak");
+        var result = validator.TestValidate(request);
+        result.ShouldHaveValidationErrorFor(x => x.NewPassword);
+    }
+
+    #endregion
+
+    #region ResendConfirmationEmailRequestValidator
+
+    [Fact]
+    public void ResendConfirmationEmailRequestValidator_Fails_WithInvalidEmail()
+    {
+        var validator = new ResendConfirmationEmailRequestValidator();
+        var request = new ResendConfirmationEmail.ResendConfirmationEmailRequest("invalid");
+        var result = validator.TestValidate(request);
+        result.ShouldHaveValidationErrorFor(x => x.Email);
+    }
+
+    #endregion
+}
diff --git a/src/tests/Idmt.UnitTests/Validation/ValidatorsTests.cs b/src/tests/Idmt.UnitTests/Validation/ValidatorsTests.cs
index 0aa75d9..9e3c363 100644
--- a/src/tests/Idmt.UnitTests/Validation/ValidatorsTests.cs
+++ b/src/tests/Idmt.UnitTests/Validation/ValidatorsTests.cs
@@ -21,7 +21,7 @@ public void IsValidEmail_ValidatesCorrectly(string? email, bool expected)
     [Fact]
     public void IsValidNewPassword_ReturnsFalse_WhenPasswordIsEmpty()
     {
-        var options = new PasswordOptions();
+        var options = new IdmtPasswordOptions();
         var result = Validators.IsValidNewPassword("", options, out var errors);
 
         Assert.False(result);
@@ -32,7 +32,7 @@ public void IsValidNewPassword_ReturnsFalse_WhenPasswordIsEmpty()
     [Fact]
     public void IsValidNewPassword_ValidatesLength()
     {
-        var options = new PasswordOptions { RequiredLength = 8 };
+        var options = new IdmtPasswordOptions { RequiredLength = 8 };
         var result = Validators.IsValidNewPassword("short", options, out var errors);
 
         Assert.False(result);
@@ -43,7 +43,7 @@ public void IsValidNewPassword_ValidatesLength()
     [Fact]
     public void IsValidNewPassword_ValidatesDigit()
     {
-        var options = new PasswordOptions { RequireDigit = true };
+        var options = new IdmtPasswordOptions { RequireDigit = true };
         var result = Validators.IsValidNewPassword("NoDigit", options, out var errors);
 
         Assert.False(result);
@@ -54,7 +54,7 @@ public void IsValidNewPassword_ValidatesDigit()
     [Fact]
     public void IsValidNewPassword_ValidatesLowercase()
     {
-        var options = new PasswordOptions { RequireLowercase = true };
+        var options = new IdmtPasswordOptions { RequireLowercase = true };
         var result = Validators.IsValidNewPassword("NOLOWERCASE1", options, out var errors);
 
         Assert.False(result);
@@ -65,7 +65,7 @@ public void IsValidNewPassword_ValidatesLowercase()
     [Fact]
     public void IsValidNewPassword_ValidatesUppercase()
     {
-        var options = new PasswordOptions { RequireUppercase = true };
+        var options = new IdmtPasswordOptions { RequireUppercase = true };
         var result = Validators.IsValidNewPassword("nouppercase1", options, out var errors);
 
         Assert.False(result);
@@ -76,7 +76,7 @@ public void IsValidNewPassword_ValidatesUppercase()
     [Fact]
     public void IsValidNewPassword_ValidatesNonAlphanumeric()
     {
-        var options = new PasswordOptions { RequireNonAlphanumeric = true };
+        var options = new IdmtPasswordOptions { RequireNonAlphanumeric = true };
         var result = Validators.IsValidNewPassword("NoSpecialChar1", options, out var errors);
 
         Assert.False(result);
@@ -87,7 +87,7 @@ public void IsValidNewPassword_ValidatesNonAlphanumeric()
     [Fact]
     public void IsValidNewPassword_ValidatesUniqueChars()
     {
-        var options = new PasswordOptions { RequiredUniqueChars = 4 };
+        var options = new IdmtPasswordOptions { RequiredUniqueChars = 4 };
         var result = Validators.IsValidNewPassword("aaaa1", options, out var errors);
 
         Assert.False(result);
@@ -98,7 +98,7 @@ public void IsValidNewPassword_ValidatesUniqueChars()
     [Fact]
     public void IsValidNewPassword_ReturnsTrue_WhenAllRequirementsMet()
     {
-        var options = new PasswordOptions
+        var options = new IdmtPasswordOptions
         {
             RequiredLength = 6,
             RequireDigit = true,
@@ -114,28 +114,6 @@ public void IsValidNewPassword_ReturnsTrue_WhenAllRequirementsMet()
         Assert.Null(errors);
     }
 
-    [Theory]
-    [InlineData("d81e3678-00a8-444f-a715-171804791e84", true)]
-    [InlineData("invalid-guid", false)]
-    [InlineData("", false)]
-    [InlineData(null, false)]
-    public void IsValidGuid_ValidatesCorrectly(string? guid, bool expected)
-    {
-        var result = Validators.IsValidGuid(guid);
-        Assert.Equal(expected, result);
-    }
-
-    [Theory]
-    [InlineData("tenant1", true)]
-    [InlineData("te", false)] // Length < 3
-    [InlineData("", false)]
-    [InlineData(null, false)]
-    public void IsValidTenantId_ValidatesCorrectly(string? tenantId, bool expected)
-    {
-        var result = Validators.IsValidTenantId(tenantId);
-        Assert.Equal(expected, result);
-    }
-
     [Theory]
     [InlineData("user1", true)]
     [InlineData("us", false)] // Length < 3