Testing an Authdog integration means exercising your app against a real but isolated environment. Use a dedicated dev environment with its own keys and users, and validate the `authdog-session` exactly as production would — without ever touching production secrets. See [Deployments](/docs/deployments) for how environments map to stages.

## Use a dedicated dev environment

Point your tests at a dev environment. Because each environment has its own signing keys, connections, and user store, tests can create and mutate users freely without affecting staging or production. The dev environment has its own public key (`pk_...`) — that's the only credential your test suite needs.

## Seed users and roles

Set up the state each test expects: seed users, assign roles, and add members to [organizations](/docs/organizations). Seeding against the dev environment gives you deterministic fixtures — a known user with a known role — so assertions about access are stable.

## Validate the session

Your backend enforces auth by validating the `authdog-session` cookie (or an `Authorization: Bearer <token>` header) against the environment's public key, the same as in production. Test both the authorized and unauthorized paths:

```ts
// Protected route rejects a request with no session
const res = await app.request("/api/private");
expect(res.status).toBe(401);

// ...and accepts one carrying a valid authdog-session
const ok = await app.request("/api/private", {
  headers: { cookie: `authdog-session=${session}` },
});
expect(ok.status).toBe(200);
```

See [Backend requests](/docs/backend) for how the session is resolved and enforced on the server.

## Test webhooks

Webhook deliveries are signed with an HMAC `X-Authdog-Signature` header. In tests, either verify that signature against your endpoint's secret, or mock the delivery with a correctly computed signature so you exercise the same verification path production uses. Because delivery uses durable retry, also confirm your handler is idempotent.

## CI tips

- Store the **dev** public key in CI — never production keys or secrets.
- Keep test users and roles in the dev environment, isolated from real data.
- Run session-validation and webhook-signature tests on every build so auth regressions surface early.
