| FR-AUTH-001 | The system shall allow authorized users to log in securely. | High | Confirmed |
| FR-AUTH-002 | The system shall reject invalid login attempts. | High | Confirmed |
| FR-AUTH-003 | The system shall protect authenticated API endpoints with token-based authentication. | High | Confirmed |
| FR-AUTH-004 | The system shall allow authenticated users to log out from the current device. | Medium | Confirmed |
| FR-AUTH-005 | The system shall support logout from all devices where enabled. | Medium | Confirmed |
| FR-AUTH-006 | The system shall enforce RBAC on every protected action. | High | Confirmed |