diff --git a/dev-auth/oidc-provider.mjs b/dev-auth/oidc-provider.mjs
index d15deb4a..2e7702d1 100644
--- a/dev-auth/oidc-provider.mjs
+++ b/dev-auth/oidc-provider.mjs
@@ -43,6 +43,13 @@ const configuration = {
         "http://localhost:3003/api/auth/oauth2/callback/oidc",
         "http://localhost:3000/api/auth/oauth2/callback/okta",
       ],
+      // Post-logout redirect URIs for RP-Initiated Logout
+      post_logout_redirect_uris: [
+        "http://localhost:3000/signin",
+        "http://localhost:3001/signin",
+        "http://localhost:3002/signin",
+        "http://localhost:3003/signin",
+      ],
       response_types: ["code"],
       grant_types: ["authorization_code", "refresh_token"],
       token_endpoint_auth_method: "client_secret_post",
@@ -77,6 +84,19 @@ const configuration = {
     // Disable built-in dev interactions in favor of our custom auto-login
     // and auto-consent middleware used for local testing.
     devInteractions: { enabled: false },
+    // Enable RP-Initiated Logout for sign-out flow
+    rpInitiatedLogout: {
+      enabled: true,
+      // Auto-confirm logout for dev (skip confirmation page)
+      logoutSource: async (ctx, form) => {
+        ctx.body = `<!DOCTYPE html>
+          <html><head><title>Logging out...</title></head>
+          <body>
+            ${form}
+            <script>document.forms[0].submit();</script>
+          </body></html>`;
+      },
+    },
   },
   // Explicitly declare supported scopes, including offline_access for refresh tokens
   // Scopes supported by the dev provider (app requests offline_access in dev and prod)
diff --git a/src/app/api/auth/refresh-token/route.ts b/src/app/api/auth/refresh-token/route.ts
index bfe8dacc..588696f6 100644
--- a/src/app/api/auth/refresh-token/route.ts
+++ b/src/app/api/auth/refresh-token/route.ts
@@ -1,8 +1,11 @@
-import { cookies } from "next/headers";
+import { cookies, headers } from "next/headers";
 import type { NextRequest } from "next/server";
 import { NextResponse } from "next/server";
-import { refreshAccessToken } from "@/lib/auth/auth";
-import { BETTER_AUTH_SECRET, COOKIE_NAME } from "@/lib/auth/constants";
+import { auth, refreshAccessToken } from "@/lib/auth/auth";
+import {
+  BETTER_AUTH_SECRET,
+  OIDC_TOKEN_COOKIE_NAME,
+} from "@/lib/auth/constants";
 import type { OidcTokenData } from "@/lib/auth/types";
 import { decrypt } from "@/lib/auth/utils";
 
@@ -13,6 +16,16 @@ import { decrypt } from "@/lib/auth/utils";
  */
 export async function POST(request: NextRequest) {
   try {
+    // Check if Better Auth session exists before attempting token refresh
+    const session = await auth.api.getSession({
+      headers: await headers(),
+    });
+
+    if (!session?.user?.id) {
+      // No active session - skip token refresh (user is logged out)
+      return NextResponse.json({ error: "No active session" }, { status: 401 });
+    }
+
     const body = await request.json();
     const { userId } = body;
 
@@ -20,8 +33,13 @@ export async function POST(request: NextRequest) {
       return NextResponse.json({ error: "Missing userId" }, { status: 400 });
     }
 
+    // Verify userId matches the session
+    if (userId !== session.user.id) {
+      return NextResponse.json({ error: "User ID mismatch" }, { status: 401 });
+    }
+
     const cookieStore = await cookies();
-    const encryptedCookie = cookieStore.get(COOKIE_NAME);
+    const encryptedCookie = cookieStore.get(OIDC_TOKEN_COOKIE_NAME);
 
     if (!encryptedCookie?.value) {
       return NextResponse.json({ error: "No token found" }, { status: 401 });
@@ -32,32 +50,33 @@ export async function POST(request: NextRequest) {
       tokenData = await decrypt(encryptedCookie.value, BETTER_AUTH_SECRET);
     } catch (error) {
       console.error("[Refresh API] Token decryption failed:", error);
-      cookieStore.delete(COOKIE_NAME);
+      cookieStore.delete(OIDC_TOKEN_COOKIE_NAME);
       return NextResponse.json({ error: "Invalid token" }, { status: 401 });
     }
 
     if (tokenData.userId !== userId) {
       console.error("[Refresh API] Token userId mismatch");
-      cookieStore.delete(COOKIE_NAME);
+      cookieStore.delete(OIDC_TOKEN_COOKIE_NAME);
       return NextResponse.json({ error: "Invalid token" }, { status: 401 });
     }
 
     if (!tokenData.refreshToken) {
       console.error("[Refresh API] No refresh token available");
-      cookieStore.delete(COOKIE_NAME);
+      cookieStore.delete(OIDC_TOKEN_COOKIE_NAME);
       return NextResponse.json({ error: "No refresh token" }, { status: 401 });
     }
 
     // Call refreshAccessToken which will save the new token in the cookie
-    const refreshedData = await refreshAccessToken(
-      tokenData.refreshToken,
+    const refreshedData = await refreshAccessToken({
+      refreshToken: tokenData.refreshToken,
+      refreshTokenExpiresAt: tokenData.refreshTokenExpiresAt,
       userId,
-      tokenData.refreshTokenExpiresAt,
-    );
+      idToken: tokenData.idToken,
+    });
 
     if (!refreshedData) {
       console.error("[Refresh API] Token refresh failed");
-      cookieStore.delete(COOKIE_NAME);
+      cookieStore.delete(OIDC_TOKEN_COOKIE_NAME);
       return NextResponse.json(
         { error: "[Refresh API] Refresh failed" },
         { status: 401 },
diff --git a/src/app/catalog/page.tsx b/src/app/catalog/page.tsx
index dd17ff61..e623747c 100644
--- a/src/app/catalog/page.tsx
+++ b/src/app/catalog/page.tsx
@@ -1,18 +1,7 @@
-import { headers } from "next/headers";
-import { redirect } from "next/navigation";
-import { auth } from "@/lib/auth/auth";
 import { getServers } from "./actions";
 import { ServersWrapper } from "./components/servers-wrapper";
 
 export default async function CatalogPage() {
-  const session = await auth.api.getSession({
-    headers: await headers(),
-  });
-
-  if (!session) {
-    redirect("/signin");
-  }
-
   const servers = await getServers();
 
   return <ServersWrapper servers={servers} />;
diff --git a/src/app/signin/signin-button.tsx b/src/app/signin/signin-button.tsx
index 4f918000..3ce217ca 100644
--- a/src/app/signin/signin-button.tsx
+++ b/src/app/signin/signin-button.tsx
@@ -42,7 +42,7 @@ export function SignInButton({ providerId }: { providerId: string }) {
   return (
     <Button
       onClick={handleOIDCSignIn}
-      className="w-full h-9 gap-2"
+      className="w-full h-9 gap-2 cursor-pointer"
       size="default"
       disabled={isLoading}
     >
diff --git a/src/lib/auth/__tests__/auth-client.test.ts b/src/lib/auth/__tests__/auth-client.test.ts
new file mode 100644
index 00000000..8e557a90
--- /dev/null
+++ b/src/lib/auth/__tests__/auth-client.test.ts
@@ -0,0 +1,133 @@
+import { afterEach, beforeEach, describe, expect, it, vi } from "vitest";
+import { clearRecordedRequests, server } from "@/mocks/node";
+import * as actions from "../actions";
+
+// Remove global mock of auth-client from vitest.setup.ts
+vi.unmock("@/lib/auth/auth-client");
+
+// Hoist mocks
+const mockAuthClientSignOut = vi.hoisted(() => vi.fn());
+const mockLocationReplace = vi.hoisted(() => vi.fn());
+
+// Mock Better Auth client
+vi.mock("better-auth/client/plugins", () => ({
+  genericOAuthClient: vi.fn(() => ({})),
+}));
+
+vi.mock("better-auth/react", () => ({
+  createAuthClient: vi.fn(() => ({
+    signIn: vi.fn(),
+    useSession: vi.fn(),
+    signOut: mockAuthClientSignOut,
+  })),
+}));
+
+// Mock window.location globally
+Object.defineProperty(globalThis, "window", {
+  value: {
+    location: {
+      replace: mockLocationReplace,
+    },
+  },
+  writable: true,
+  configurable: true,
+});
+
+describe("signOut", () => {
+  beforeEach(() => {
+    vi.clearAllMocks();
+    clearRecordedRequests();
+  });
+
+  afterEach(() => {
+    vi.restoreAllMocks();
+    server.resetHandlers();
+  });
+
+  it("calls getOidcSignOutUrl, clearOidcTokenAction, redirect, and authClient.signOut", async () => {
+    const oidcLogoutUrl = "https://okta.example.com/logout?id_token_hint=xxx";
+
+    // Spy on server actions
+    const getOidcSignOutUrlSpy = vi
+      .spyOn(actions, "getOidcSignOutUrl")
+      .mockResolvedValue(oidcLogoutUrl);
+    const clearOidcTokenActionSpy = vi
+      .spyOn(actions, "clearOidcTokenAction")
+      .mockResolvedValue(undefined);
+    mockAuthClientSignOut.mockResolvedValue(undefined);
+
+    const { signOut } = await import("../auth-client");
+
+    await signOut();
+
+    // Verify all functions were called
+    expect(getOidcSignOutUrlSpy).toHaveBeenCalledTimes(1);
+    expect(clearOidcTokenActionSpy).toHaveBeenCalledTimes(1);
+    expect(mockLocationReplace).toHaveBeenCalledWith(oidcLogoutUrl);
+    expect(mockAuthClientSignOut).toHaveBeenCalledTimes(1);
+  });
+
+  it("calls functions in correct order", async () => {
+    const callOrder: string[] = [];
+
+    vi.spyOn(actions, "getOidcSignOutUrl").mockImplementation(async () => {
+      callOrder.push("getOidcSignOutUrl");
+      return "https://okta.example.com/logout";
+    });
+
+    vi.spyOn(actions, "clearOidcTokenAction").mockImplementation(async () => {
+      callOrder.push("clearOidcTokenAction");
+    });
+
+    mockLocationReplace.mockImplementation(() => {
+      callOrder.push("window.location.replace");
+    });
+
+    mockAuthClientSignOut.mockImplementation(async () => {
+      callOrder.push("authClient.signOut");
+    });
+
+    const { signOut } = await import("../auth-client");
+
+    await signOut();
+
+    expect(callOrder).toEqual([
+      "getOidcSignOutUrl",
+      "clearOidcTokenAction",
+      "window.location.replace",
+      "authClient.signOut",
+    ]);
+  });
+
+  it("redirects to /signin on error", async () => {
+    const consoleErrorSpy = vi
+      .spyOn(console, "error")
+      .mockImplementation(() => {});
+
+    vi.spyOn(actions, "getOidcSignOutUrl").mockRejectedValue(
+      new Error("Network error"),
+    );
+
+    const { signOut } = await import("../auth-client");
+
+    await signOut();
+
+    expect(mockLocationReplace).toHaveBeenCalledWith("/signin");
+    expect(consoleErrorSpy).toHaveBeenCalledWith(
+      "[Auth] Sign out error:",
+      expect.any(Error),
+    );
+  });
+
+  it("uses /signin as fallback when no OIDC URL", async () => {
+    vi.spyOn(actions, "getOidcSignOutUrl").mockResolvedValue("/signin");
+    vi.spyOn(actions, "clearOidcTokenAction").mockResolvedValue(undefined);
+    mockAuthClientSignOut.mockResolvedValue(undefined);
+
+    const { signOut } = await import("../auth-client");
+
+    await signOut();
+
+    expect(mockLocationReplace).toHaveBeenCalledWith("/signin");
+  });
+});
diff --git a/src/lib/auth/__tests__/auth.test.ts b/src/lib/auth/__tests__/auth.test.ts
index 2752be7a..4ac3d3e2 100644
--- a/src/lib/auth/__tests__/auth.test.ts
+++ b/src/lib/auth/__tests__/auth.test.ts
@@ -82,9 +82,14 @@ describe("auth", () => {
 
     it("should return null when token is expired", async () => {
       const expiredTokenData: OidcTokenData = {
+        id: "expired-token-id",
+        createdAt: new Date(),
+        updatedAt: new Date(),
+        providerId: "provider-id",
+        accountId: "account-id",
         accessToken: "expired-token",
         userId: "user-123",
-        expiresAt: Date.now() - 1000, // Expired 1 second ago
+        accessTokenExpiresAt: Date.now() - 1000, // Expired 1 second ago
       };
 
       const encryptedPayload = await encrypt(
@@ -102,9 +107,14 @@ describe("auth", () => {
 
     it("should return null when token belongs to different user", async () => {
       const tokenData: OidcTokenData = {
+        id: "valid-token-id",
+        createdAt: new Date(),
+        updatedAt: new Date(),
+        providerId: "provider-id",
+        accountId: "account-id",
         accessToken: "valid-token",
         userId: "user-456", // Different user
-        expiresAt: Date.now() + 3600000,
+        accessTokenExpiresAt: Date.now() + 3600000,
       };
 
       const encryptedPayload = await encrypt(
@@ -120,9 +130,14 @@ describe("auth", () => {
 
     it("should return access token when valid", async () => {
       const tokenData: OidcTokenData = {
+        id: "valid-token-id",
+        createdAt: new Date(),
+        updatedAt: new Date(),
+        providerId: "provider-id",
+        accountId: "account-id",
         accessToken: "valid-access-token-123",
         userId: "user-123",
-        expiresAt: Date.now() + 3600000, // Valid for 1 hour
+        accessTokenExpiresAt: Date.now() + 3600000, // Valid for 1 hour
       };
 
       const encryptedPayload = await encrypt(
@@ -138,7 +153,7 @@ describe("auth", () => {
 
     it("should return null when token data is invalid", async () => {
       // Create invalid token data (missing required fields)
-      const invalidData = { accessToken: "token" }; // Missing userId and expiresAt
+      const invalidData = { accessToken: "token" }; // Missing userId and accessTokenExpiresAt
       const invalidPayload = await encrypt(
         invalidData as OidcTokenData,
         process.env.BETTER_AUTH_SECRET as string,
@@ -181,26 +196,36 @@ describe("auth", () => {
   describe("OidcTokenData Type Guard", () => {
     it("should validate correct OidcTokenData structure", () => {
       const validData: OidcTokenData = {
+        id: "valid-token-id",
+        createdAt: new Date(),
+        updatedAt: new Date(),
+        providerId: "provider-id",
+        accountId: "account-id",
         accessToken: "token",
         userId: "user-123",
-        expiresAt: Date.now() + 3600000,
+        accessTokenExpiresAt: Date.now() + 3600000,
         refreshToken: "refresh-token",
       };
 
       // Type guard is private, so we test indirectly through getOidcProviderAccessToken
       expect(validData).toHaveProperty("accessToken");
       expect(validData).toHaveProperty("userId");
-      expect(validData).toHaveProperty("expiresAt");
+      expect(validData).toHaveProperty("accessTokenExpiresAt");
       expect(typeof validData.accessToken).toBe("string");
       expect(typeof validData.userId).toBe("string");
-      expect(typeof validData.expiresAt).toBe("number");
+      expect(typeof validData.accessTokenExpiresAt).toBe("number");
     });
 
     it("should handle optional refreshToken", () => {
       const dataWithoutRefresh: OidcTokenData = {
+        id: "valid-token-id",
+        createdAt: new Date(),
+        updatedAt: new Date(),
+        providerId: "provider-id",
+        accountId: "account-id",
         accessToken: "token",
         userId: "user-123",
-        expiresAt: Date.now() + 3600000,
+        accessTokenExpiresAt: Date.now() + 3600000,
       };
 
       expect(dataWithoutRefresh.refreshToken).toBeUndefined();
diff --git a/src/lib/auth/__tests__/crypto.test.ts b/src/lib/auth/__tests__/crypto.test.ts
new file mode 100644
index 00000000..4c0b005c
--- /dev/null
+++ b/src/lib/auth/__tests__/crypto.test.ts
@@ -0,0 +1,152 @@
+import { afterEach, describe, expect, it, vi } from "vitest";
+import { decrypt, isOidcTokenData } from "../crypto";
+
+// Mock jose module for error cases
+vi.mock("jose", async (importOriginal) => {
+  const original = await importOriginal<typeof import("jose")>();
+  return {
+    ...original,
+    compactDecrypt: vi.fn(original.compactDecrypt),
+  };
+});
+
+describe("crypto", () => {
+  const testSecret = "test-secret-at-least-32-characters-long";
+
+  afterEach(() => {
+    vi.restoreAllMocks();
+  });
+
+  describe("decrypt error handling", () => {
+    it("throws on invalid token data structure", async () => {
+      const jose = await import("jose");
+      // Mock compactDecrypt to return data that doesn't pass isOidcTokenData
+      vi.mocked(jose.compactDecrypt).mockResolvedValueOnce({
+        plaintext: new TextEncoder().encode(JSON.stringify({ foo: "bar" })),
+        protectedHeader: { alg: "dir", enc: "A256GCM" },
+        key: new Uint8Array(32),
+      });
+
+      await expect(decrypt("some-jwe", testSecret)).rejects.toThrow(
+        "Token decryption error: Invalid token data structure",
+      );
+    });
+
+    it("throws on JWEDecryptionFailed error", async () => {
+      const jose = await import("jose");
+      const decryptionError = new jose.errors.JWEDecryptionFailed();
+      vi.mocked(jose.compactDecrypt).mockRejectedValueOnce(decryptionError);
+
+      await expect(decrypt("some-jwe", testSecret)).rejects.toThrow(
+        "Token decryption failed - possible tampering",
+      );
+    });
+
+    it("throws on JWEInvalid error for malformed JWE", async () => {
+      const jose = await import("jose");
+      const invalidError = new jose.errors.JWEInvalid("Invalid JWE");
+      vi.mocked(jose.compactDecrypt).mockRejectedValueOnce(invalidError);
+
+      await expect(decrypt("not-a-valid-jwe", testSecret)).rejects.toThrow(
+        "Invalid JWE format",
+      );
+    });
+  });
+
+  describe("isOidcTokenData", () => {
+    it("returns false for null", () => {
+      expect(isOidcTokenData(null)).toBe(false);
+    });
+
+    it("returns false for undefined", () => {
+      expect(isOidcTokenData(undefined)).toBe(false);
+    });
+
+    it("returns false for non-object types", () => {
+      expect(isOidcTokenData("string")).toBe(false);
+      expect(isOidcTokenData(123)).toBe(false);
+      expect(isOidcTokenData(true)).toBe(false);
+    });
+
+    it("returns false when accessToken is missing", () => {
+      expect(
+        isOidcTokenData({
+          userId: "user-123",
+          accessTokenExpiresAt: Date.now(),
+        }),
+      ).toBe(false);
+    });
+
+    it("returns false when userId is missing", () => {
+      expect(
+        isOidcTokenData({
+          accessToken: "token",
+          accessTokenExpiresAt: Date.now(),
+        }),
+      ).toBe(false);
+    });
+
+    it("returns false when accessTokenExpiresAt is missing", () => {
+      expect(
+        isOidcTokenData({
+          accessToken: "token",
+          userId: "user-123",
+        }),
+      ).toBe(false);
+    });
+
+    it("returns false when accessToken is not a string", () => {
+      expect(
+        isOidcTokenData({
+          accessToken: 123,
+          userId: "user-123",
+          accessTokenExpiresAt: Date.now(),
+        }),
+      ).toBe(false);
+    });
+
+    it("returns false when refreshToken is present but not a string", () => {
+      expect(
+        isOidcTokenData({
+          accessToken: "token",
+          userId: "user-123",
+          accessTokenExpiresAt: Date.now(),
+          refreshToken: 123,
+        }),
+      ).toBe(false);
+    });
+
+    it("returns false when refreshTokenExpiresAt is present but not a number", () => {
+      expect(
+        isOidcTokenData({
+          accessToken: "token",
+          userId: "user-123",
+          accessTokenExpiresAt: Date.now(),
+          refreshTokenExpiresAt: "not-a-number",
+        }),
+      ).toBe(false);
+    });
+
+    it("returns true for valid minimal data", () => {
+      expect(
+        isOidcTokenData({
+          accessToken: "token",
+          userId: "user-123",
+          accessTokenExpiresAt: Date.now(),
+        }),
+      ).toBe(true);
+    });
+
+    it("returns true for valid complete data", () => {
+      expect(
+        isOidcTokenData({
+          accessToken: "token",
+          userId: "user-123",
+          accessTokenExpiresAt: Date.now(),
+          refreshToken: "refresh-token",
+          refreshTokenExpiresAt: Date.now() + 86400000,
+        }),
+      ).toBe(true);
+    });
+  });
+});
diff --git a/src/lib/auth/__tests__/token.test.ts b/src/lib/auth/__tests__/token.test.ts
index 3d649549..aa7f73cf 100644
--- a/src/lib/auth/__tests__/token.test.ts
+++ b/src/lib/auth/__tests__/token.test.ts
@@ -84,9 +84,14 @@ describe("token", () => {
     it("should return existing token if still valid", async () => {
       const userId = "user-123";
       const tokenData: OidcTokenData = {
+        id: "valid-token-id",
+        createdAt: new Date(),
+        updatedAt: new Date(),
+        providerId: "provider-id",
+        accountId: "account-id",
         accessToken: "valid-access-token",
         userId,
-        expiresAt: Date.now() + 3600000, // Valid for 1 hour
+        accessTokenExpiresAt: Date.now() + 3600000, // Valid for 1 hour
       };
 
       const encryptedPayload = await encrypt(
@@ -105,9 +110,14 @@ describe("token", () => {
     it("should refresh token if expired", async () => {
       const userId = "user-123";
       const expiredTokenData: OidcTokenData = {
+        id: "expired-token-id",
+        createdAt: new Date(),
+        updatedAt: new Date(),
+        providerId: "provider-id",
+        accountId: "account-id",
         accessToken: "expired-access-token",
         userId,
-        expiresAt: Date.now() - 1000, // Expired 1 second ago
+        accessTokenExpiresAt: Date.now() - 1000, // Expired 1 second ago
       };
 
       const encryptedPayload = await encrypt(
@@ -154,9 +164,14 @@ describe("token", () => {
     it("should return null if refresh API returns invalid response", async () => {
       const userId = "user-123";
       const expiredTokenData: OidcTokenData = {
+        id: "expired-token-id",
+        createdAt: new Date(),
+        updatedAt: new Date(),
+        providerId: "provider-id",
+        accountId: "account-id",
         accessToken: "expired-token",
         userId,
-        expiresAt: Date.now() - 1000,
+        accessTokenExpiresAt: Date.now() - 1000,
       };
 
       const encryptedPayload = await encrypt(
@@ -182,9 +197,14 @@ describe("token", () => {
     it("should handle network errors during refresh", async () => {
       const userId = "user-123";
       const expiredTokenData: OidcTokenData = {
+        id: "expired-token-id",
+        createdAt: new Date(),
+        updatedAt: new Date(),
+        providerId: "provider-id",
+        accountId: "account-id",
         accessToken: "expired-token",
         userId,
-        expiresAt: Date.now() - 1000,
+        accessTokenExpiresAt: Date.now() - 1000,
       };
 
       const encryptedPayload = await encrypt(
@@ -293,10 +313,15 @@ describe("token", () => {
     it("should handle complete refresh flow end-to-end", async () => {
       const userId = "user-123";
       const expiredTokenData: OidcTokenData = {
+        id: "expired-token-id",
+        createdAt: new Date(),
+        updatedAt: new Date(),
+        providerId: "provider-id",
+        accountId: "account-id",
         accessToken: "expired-token",
         refreshToken: "valid-refresh-token",
         userId,
-        expiresAt: Date.now() - 1000,
+        accessTokenExpiresAt: Date.now() - 1000,
         refreshTokenExpiresAt: Date.now() + 86400000,
       };
 
diff --git a/src/lib/auth/__tests__/utils.test.ts b/src/lib/auth/__tests__/utils.test.ts
new file mode 100644
index 00000000..98deed81
--- /dev/null
+++ b/src/lib/auth/__tests__/utils.test.ts
@@ -0,0 +1,249 @@
+import type { Account } from "better-auth";
+import { afterEach, beforeEach, describe, expect, it, vi } from "vitest";
+import type { OidcTokenData } from "../types";
+
+// Mock jose library
+vi.mock("jose", () => ({
+  CompactEncrypt: class CompactEncrypt {
+    constructor(private plaintext: Uint8Array) {}
+    setProtectedHeader() {
+      return this;
+    }
+    async encrypt() {
+      return `mock-jwe-${Buffer.from(this.plaintext).toString("base64")}`;
+    }
+  },
+  compactDecrypt: vi.fn().mockImplementation(async (jwe: string) => {
+    if (jwe === "invalid-jwe") {
+      throw new Error("Decryption failed");
+    }
+    const base64 = jwe.replace("mock-jwe-", "");
+    const plaintext = Buffer.from(base64, "base64");
+    return { plaintext };
+  }),
+  errors: {
+    JWEDecryptionFailed: class JWEDecryptionFailed extends Error {},
+    JWEInvalid: class JWEInvalid extends Error {},
+  },
+}));
+
+// Mock next/headers
+const mockCookies = vi.hoisted(() => ({
+  get: vi.fn(),
+  set: vi.fn(),
+  delete: vi.fn(),
+}));
+
+vi.mock("next/headers", () => ({
+  cookies: vi.fn(() => mockCookies),
+}));
+
+// Import after mocks
+import { encrypt } from "../crypto";
+import { getOidcIdToken, saveAccountToken } from "../utils";
+
+describe("utils", () => {
+  let consoleErrorSpy: ReturnType<typeof vi.spyOn>;
+  let consoleWarnSpy: ReturnType<typeof vi.spyOn>;
+  let consoleLogSpy: ReturnType<typeof vi.spyOn>;
+
+  beforeEach(() => {
+    vi.clearAllMocks();
+    consoleErrorSpy = vi.spyOn(console, "error").mockImplementation(() => {});
+    consoleWarnSpy = vi.spyOn(console, "warn").mockImplementation(() => {});
+    consoleLogSpy = vi.spyOn(console, "log").mockImplementation(() => {});
+  });
+
+  afterEach(() => {
+    vi.restoreAllMocks();
+  });
+
+  describe("getOidcIdToken", () => {
+    it("returns null when cookie is not present", async () => {
+      mockCookies.get.mockReturnValue(undefined);
+
+      const token = await getOidcIdToken("user-123");
+
+      expect(token).toBeNull();
+    });
+
+    it("returns null when cookie value is empty", async () => {
+      mockCookies.get.mockReturnValue({ value: "" });
+
+      const token = await getOidcIdToken("user-123");
+
+      expect(token).toBeNull();
+    });
+
+    it("returns null when decryption fails", async () => {
+      mockCookies.get.mockReturnValue({ value: "invalid-jwe" });
+
+      const token = await getOidcIdToken("user-123");
+
+      expect(token).toBeNull();
+      expect(consoleErrorSpy).toHaveBeenCalledWith(
+        "[Auth] Token decryption failed:",
+        expect.any(Error),
+      );
+    });
+
+    it("returns null when userId does not match", async () => {
+      const tokenData: OidcTokenData = {
+        accessToken: "access-token",
+        userId: "different-user",
+        accessTokenExpiresAt: Date.now() + 3600000,
+        idToken: "id-token-123",
+      };
+
+      const encryptedPayload = await encrypt(
+        tokenData,
+        process.env.BETTER_AUTH_SECRET as string,
+      );
+      mockCookies.get.mockReturnValue({ value: encryptedPayload });
+
+      const token = await getOidcIdToken("user-123");
+
+      expect(token).toBeNull();
+      expect(consoleErrorSpy).toHaveBeenCalledWith(
+        "[Auth] Token userId mismatch",
+      );
+    });
+
+    it("returns idToken when valid", async () => {
+      const tokenData: OidcTokenData = {
+        accessToken: "access-token",
+        userId: "user-123",
+        accessTokenExpiresAt: Date.now() + 3600000,
+        idToken: "id-token-123",
+      };
+
+      const encryptedPayload = await encrypt(
+        tokenData,
+        process.env.BETTER_AUTH_SECRET as string,
+      );
+      mockCookies.get.mockReturnValue({ value: encryptedPayload });
+
+      const token = await getOidcIdToken("user-123");
+
+      expect(token).toBe("id-token-123");
+    });
+
+    it("returns null when idToken is not present", async () => {
+      const tokenData: OidcTokenData = {
+        accessToken: "access-token",
+        userId: "user-123",
+        accessTokenExpiresAt: Date.now() + 3600000,
+      };
+
+      const encryptedPayload = await encrypt(
+        tokenData,
+        process.env.BETTER_AUTH_SECRET as string,
+      );
+      mockCookies.get.mockReturnValue({ value: encryptedPayload });
+
+      const token = await getOidcIdToken("user-123");
+
+      expect(token).toBeNull();
+    });
+
+    it("returns null and logs error on unexpected error", async () => {
+      // Mock cookies() to throw an unexpected error
+      const { cookies } = await import("next/headers");
+      vi.mocked(cookies).mockRejectedValueOnce(new Error("Unexpected error"));
+
+      const token = await getOidcIdToken("user-123");
+
+      expect(token).toBeNull();
+      expect(consoleErrorSpy).toHaveBeenCalledWith(
+        "[Auth] Unexpected error reading OIDC ID token:",
+        expect.any(Error),
+      );
+    });
+  });
+
+  describe("saveAccountToken", () => {
+    it("saves token when account has accessToken and userId", async () => {
+      const account: Account = {
+        id: "account-id",
+        accountId: "account-id",
+        providerId: "oidc",
+        userId: "user-123",
+        accessToken: "access-token",
+        refreshToken: "refresh-token",
+        idToken: "id-token",
+        accessTokenExpiresAt: new Date(Date.now() + 3600000),
+        refreshTokenExpiresAt: new Date(Date.now() + 86400000),
+        createdAt: new Date(),
+        updatedAt: new Date(),
+      };
+
+      await saveAccountToken(account);
+
+      expect(mockCookies.set).toHaveBeenCalledWith(
+        "oidc_token",
+        expect.any(String),
+        expect.objectContaining({
+          httpOnly: true,
+          sameSite: "lax",
+          path: "/",
+        }),
+      );
+      expect(consoleLogSpy).toHaveBeenCalledWith(
+        "[Save Token] Token cookie saved successfully",
+      );
+    });
+
+    it("uses default expiration when accessTokenExpiresAt is not provided", async () => {
+      const account: Account = {
+        id: "account-id",
+        accountId: "account-id",
+        providerId: "oidc",
+        userId: "user-123",
+        accessToken: "access-token",
+        refreshToken: null,
+        idToken: null,
+        accessTokenExpiresAt: null,
+        refreshTokenExpiresAt: null,
+        createdAt: new Date(),
+        updatedAt: new Date(),
+      };
+
+      await saveAccountToken(account);
+
+      expect(mockCookies.set).toHaveBeenCalled();
+      expect(consoleLogSpy).toHaveBeenCalledWith(
+        "[Save Token] Token cookie saved successfully",
+      );
+    });
+
+    it("warns when accessToken is missing", async () => {
+      const account = {
+        id: "account-id",
+        userId: "user-123",
+        accessToken: null,
+      } as unknown as Account;
+
+      await saveAccountToken(account);
+
+      expect(mockCookies.set).not.toHaveBeenCalled();
+      expect(consoleWarnSpy).toHaveBeenCalledWith(
+        "[Save Token] Missing accessToken or userId, not saving token",
+      );
+    });
+
+    it("warns when userId is missing", async () => {
+      const account = {
+        id: "account-id",
+        accessToken: "access-token",
+        userId: null,
+      } as unknown as Account;
+
+      await saveAccountToken(account);
+
+      expect(mockCookies.set).not.toHaveBeenCalled();
+      expect(consoleWarnSpy).toHaveBeenCalledWith(
+        "[Save Token] Missing accessToken or userId, not saving token",
+      );
+    });
+  });
+});
diff --git a/src/lib/auth/actions.ts b/src/lib/auth/actions.ts
new file mode 100644
index 00000000..4f98b089
--- /dev/null
+++ b/src/lib/auth/actions.ts
@@ -0,0 +1,57 @@
+"use server";
+
+import { headers } from "next/headers";
+import {
+  auth,
+  clearOidcProviderToken,
+  getOidcDiscovery,
+} from "@/lib/auth/auth";
+import { BASE_URL } from "@/lib/auth/constants";
+import { getOidcIdToken } from "@/lib/auth/utils";
+
+/**
+ * Server action to clear OIDC token cookie on sign out.
+ */
+export async function clearOidcTokenAction(): Promise<void> {
+  await clearOidcProviderToken();
+}
+
+/**
+ * Server action to build the OIDC logout URL for RP-Initiated Logout.
+ * Returns the OIDC provider's logout URL, or "/signin" as fallback.
+ */
+export async function getOidcSignOutUrl(): Promise<string> {
+  try {
+    const session = await auth.api.getSession({
+      headers: await headers(),
+    });
+
+    if (!session?.user?.id) {
+      console.warn("[Auth] No active session for logout");
+      return "/signin";
+    }
+
+    const discovery = await getOidcDiscovery();
+
+    if (!discovery?.endSessionEndpoint) {
+      console.error("[Auth] OIDC end_session_endpoint not available");
+      return "/signin";
+    }
+
+    const idToken = await getOidcIdToken(session.user.id);
+
+    if (!idToken) {
+      console.warn("[Auth] No idToken found for OIDC logout");
+      return "/signin";
+    }
+
+    const url = new URL(discovery.endSessionEndpoint);
+    url.searchParams.set("id_token_hint", idToken);
+    url.searchParams.set("post_logout_redirect_uri", `${BASE_URL}/signin`);
+
+    return url.toString();
+  } catch (error) {
+    console.error("[Auth] Error building OIDC logout URL:", error);
+    return "/signin";
+  }
+}
diff --git a/src/lib/auth/auth-actions.ts b/src/lib/auth/auth-actions.ts
deleted file mode 100644
index 8bd03320..00000000
--- a/src/lib/auth/auth-actions.ts
+++ /dev/null
@@ -1,12 +0,0 @@
-"use server";
-
-import { clearOidcProviderToken } from "@/lib/auth/auth";
-
-/**
- * Server action to clear OIDC token cookie on sign out.
- * Called by client-side signOut function.
- * Throws an error if it fails.
- */
-export async function clearOidcTokenAction(): Promise<void> {
-  await clearOidcProviderToken();
-}
diff --git a/src/lib/auth/auth-client.ts b/src/lib/auth/auth-client.ts
index a86221ce..f9ea20f3 100644
--- a/src/lib/auth/auth-client.ts
+++ b/src/lib/auth/auth-client.ts
@@ -1,7 +1,9 @@
+"use client";
+
 import { genericOAuthClient } from "better-auth/client/plugins";
 import { createAuthClient } from "better-auth/react";
 import { toast } from "sonner";
-import { clearOidcTokenAction } from "./auth-actions";
+import { clearOidcTokenAction, getOidcSignOutUrl } from "./actions";
 
 export const authClient = createAuthClient({
   // Don't specify baseURL - it will use the same origin as the page
@@ -11,42 +13,30 @@ export const authClient = createAuthClient({
 
 export const { signIn, useSession } = authClient;
 
-export const signOut = async (options?: { redirectTo?: string }) => {
-  const redirectUri = options?.redirectTo || "/signin";
-
+/**
+ * Signs out the user from both the local session and OIDC provider
+ * Performs RP-Initiated Logout to terminate the SSO session at the provider
+ */
+export const signOut = async () => {
   try {
-    // Note: This does NOT logout from Okta SSO session
-    // User will be automatically re-authenticated on next signin (SSO behavior)
-    await authClient.signOut({
-      fetchOptions: {
-        onSuccess: async () => {
-          // Clear OIDC token cookie after successful sign out
-          try {
-            await clearOidcTokenAction();
-          } catch (error) {
-            console.warn("[Auth] Failed to clear OIDC token:", error);
-            // Continue with redirect even if cookie cleanup fails
-          }
-          window.location.href = redirectUri;
-        },
-        onError: (ctx) => {
-          console.error("[Auth] Better Auth sign out error:", ctx.error);
-          toast.error("Sign out failed", {
-            description:
-              ctx.error.message || "An error occurred during sign out",
-          });
-          // Still redirect even if there's an error
-          window.location.href = redirectUri;
-        },
-      },
-    });
+    // 1. Get logout URL FIRST (while session still exists)
+    const redirectUrl = await getOidcSignOutUrl();
+
+    // 2. Clear OIDC token cookie AFTER BA session is gone
+    await clearOidcTokenAction();
+
+    // 3. Redirect to OIDC provider logout
+    window.location.replace(redirectUrl);
+    // 4. Sign out from Better Auth (invalidates session)
+    await authClient.signOut();
   } catch (error) {
     console.error("[Auth] Sign out error:", error);
     toast.error("Sign out failed", {
       description:
         error instanceof Error ? error.message : "An unexpected error occurred",
     });
-    // Still redirect even if there's an error
-    window.location.href = redirectUri;
+
+    // Fallback redirect on error
+    window.location.replace("/signin");
   }
 };
diff --git a/src/lib/auth/auth.ts b/src/lib/auth/auth.ts
index 59b52b90..eebae549 100644
--- a/src/lib/auth/auth.ts
+++ b/src/lib/auth/auth.ts
@@ -1,56 +1,51 @@
-import type { Auth, BetterAuthOptions } from "better-auth";
-import { betterAuth } from "better-auth";
+import { type Auth, type BetterAuthOptions, betterAuth } from "better-auth";
 import { genericOAuth } from "better-auth/plugins";
 import { cookies } from "next/headers";
 import {
   BASE_URL,
   BETTER_AUTH_SECRET,
-  COOKIE_NAME,
   IS_PRODUCTION,
   OIDC_CLIENT_ID,
   OIDC_CLIENT_SECRET,
-  OIDC_ISSUER_URL,
+  OIDC_DISCOVERY_URL,
   OIDC_PROVIDER_ID,
   OIDC_SCOPES,
+  OIDC_TOKEN_COOKIE_NAME,
   TOKEN_SEVEN_DAYS_SECONDS,
   TRUSTED_ORIGINS,
 } from "./constants";
-import type { OIDCDiscovery, OidcTokenData, TokenResponse } from "./types";
-import { decrypt, encrypt, saveAccountToken } from "./utils";
+import { saveTokenCookie } from "./cookie";
+import type {
+  OidcDiscovery,
+  OidcDiscoveryResponse,
+  OidcTokenData,
+  TokenResponse,
+} from "./types";
+import { decrypt, saveAccountToken } from "./utils";
+
+// Re-export saveTokenCookie for backwards compatibility
+export { saveTokenCookie } from "./cookie";
 
 /**
  * Cached token endpoint to avoid repeated discovery calls.
  */
 let cachedTokenEndpoint: string | null = null;
+let cachedEndSessionEndpoint: string | null = null;
 
 /**
- * Saves encrypted token data in HTTP-only cookie.
- * Exported for use by saveAccountToken in utils.
- */
-export async function saveTokenCookie(tokenData: OidcTokenData): Promise<void> {
-  const encrypted = await encrypt(tokenData, BETTER_AUTH_SECRET);
-  const cookieStore = await cookies();
-
-  cookieStore.set(COOKIE_NAME, encrypted, {
-    httpOnly: true,
-    secure: IS_PRODUCTION,
-    sameSite: "lax",
-    maxAge: TOKEN_SEVEN_DAYS_SECONDS,
-    path: "/",
-  });
-}
-
-/**
- * Discovers and caches the token endpoint from OIDC provider.
+ * Discovers and caches the token and end_session endpoints from OIDC provider.
+ * Exported for use in server actions and token refresh logic.
  */
-async function getTokenEndpoint(): Promise<string | null> {
+export async function getOidcDiscovery(): Promise<OidcDiscoveryResponse | null> {
   if (cachedTokenEndpoint) {
-    return cachedTokenEndpoint;
+    return {
+      tokenEndpoint: cachedTokenEndpoint,
+      endSessionEndpoint: cachedEndSessionEndpoint,
+    };
   }
 
   try {
-    const discoveryUrl = `${OIDC_ISSUER_URL}/.well-known/openid-configuration`;
-    const response = await fetch(discoveryUrl);
+    const response = await fetch(OIDC_DISCOVERY_URL);
 
     if (!response.ok) {
       console.error(
@@ -60,10 +55,14 @@ async function getTokenEndpoint(): Promise<string | null> {
       return null;
     }
 
-    const discovery = (await response.json()) as OIDCDiscovery;
+    const discovery = (await response.json()) as OidcDiscovery;
     cachedTokenEndpoint = discovery.token_endpoint;
+    cachedEndSessionEndpoint = discovery.end_session_endpoint;
 
-    return cachedTokenEndpoint;
+    return {
+      tokenEndpoint: cachedTokenEndpoint,
+      endSessionEndpoint: cachedEndSessionEndpoint,
+    };
   } catch (error) {
     console.error("[Auth] Error fetching OIDC discovery document:", error);
     return null;
@@ -74,24 +73,34 @@ async function getTokenEndpoint(): Promise<string | null> {
  * Attempts to refresh the access token using the refresh token.
  * Returns new token data if successful, null otherwise.
  */
-export async function refreshAccessToken(
-  refreshToken: string,
-  userId: string,
-  refreshTokenExpiresAt?: number,
-): Promise<OidcTokenData | null> {
-  if (!refreshToken || !userId) {
-    console.error("[Auth] Missing refresh token or userId");
-    return null;
-  }
+export async function refreshAccessToken({
+  refreshToken,
+  userId,
+  idToken: initialIdToken,
+  refreshTokenExpiresAt: initialRefreshTokenExpiresAt,
+}: {
+  refreshToken: string;
+  userId: string;
+  refreshTokenExpiresAt?: number | undefined | null;
+  idToken?: string | undefined | null;
+}): Promise<OidcTokenData | null> {
+  try {
+    if (
+      initialRefreshTokenExpiresAt &&
+      initialRefreshTokenExpiresAt <= Date.now()
+    ) {
+      console.error("[Auth] Refresh token expired");
+      return null;
+    }
 
-  // Check if refresh token is expired before attempting to refresh
-  if (refreshTokenExpiresAt && refreshTokenExpiresAt <= Date.now()) {
-    console.error("[Auth] Refresh token expired");
-    return null;
-  }
+    const discovery = await getOidcDiscovery();
 
-  try {
-    const tokenEndpoint = await getTokenEndpoint();
+    if (!discovery) {
+      console.error("[Auth] OIDC discovery not available");
+      return null;
+    }
+
+    const { tokenEndpoint } = discovery;
 
     if (!tokenEndpoint) {
       console.error("[Auth] Token endpoint not available");
@@ -122,13 +131,13 @@ export async function refreshAccessToken(
       return null;
     }
 
-    const tokenResponse = (await response.json()) as TokenResponse;
+    const tokenResponse: TokenResponse = await response.json();
 
-    const expiresAt = Date.now() + tokenResponse.expires_in * 1000;
+    const accessTokenExpiresAt = Date.now() + tokenResponse.expires_in * 1000;
     const refreshTokenExpiresAt = tokenResponse.refresh_expires_in
       ? Date.now() + tokenResponse.refresh_expires_in * 1000
       : undefined;
-
+    const idToken = tokenResponse.id_token ?? initialIdToken;
     const newRefreshToken = tokenResponse.refresh_token || refreshToken;
     if (!tokenResponse.refresh_token) {
       console.warn(
@@ -139,9 +148,10 @@ export async function refreshAccessToken(
     const newTokenData: OidcTokenData = {
       accessToken: tokenResponse.access_token,
       refreshToken: newRefreshToken,
-      expiresAt,
+      accessTokenExpiresAt,
       refreshTokenExpiresAt,
       userId,
+      idToken,
     };
 
     // Save the new token data in the cookie
@@ -156,12 +166,18 @@ export async function refreshAccessToken(
 }
 
 export const auth: Auth<BetterAuthOptions> = betterAuth({
+  debug: !IS_PRODUCTION,
   secret: BETTER_AUTH_SECRET,
   baseURL: BASE_URL,
+  account: {
+    storeStateStrategy: "cookie",
+    storeAccountCookie: true,
+  },
   trustedOrigins: TRUSTED_ORIGINS,
   session: {
     cookieCache: {
       enabled: true,
+      strategy: "jwe",
       maxAge: TOKEN_SEVEN_DAYS_SECONDS, // 7 days - match session duration!
     },
     // Session duration should match or exceed refresh token lifetime
@@ -174,7 +190,7 @@ export const auth: Auth<BetterAuthOptions> = betterAuth({
       config: [
         {
           providerId: OIDC_PROVIDER_ID,
-          discoveryUrl: `${OIDC_ISSUER_URL}/.well-known/openid-configuration`,
+          discoveryUrl: OIDC_DISCOVERY_URL,
           redirectURI: `${BASE_URL}/api/auth/oauth2/callback/${OIDC_PROVIDER_ID}`,
           clientId: OIDC_CLIENT_ID,
           clientSecret: OIDC_CLIENT_SECRET,
@@ -206,7 +222,7 @@ export async function getOidcProviderAccessToken(
 ): Promise<string | null> {
   try {
     const cookieStore = await cookies();
-    const encryptedCookie = cookieStore.get(COOKIE_NAME);
+    const encryptedCookie = cookieStore.get(OIDC_TOKEN_COOKIE_NAME);
 
     if (!encryptedCookie?.value) {
       return null;
@@ -227,11 +243,14 @@ export async function getOidcProviderAccessToken(
 
     const now = Date.now();
 
-    if (tokenData.expiresAt <= now) {
+    if (
+      tokenData.accessTokenExpiresAt &&
+      tokenData.accessTokenExpiresAt <= now
+    ) {
       return null;
     }
 
-    return tokenData.accessToken;
+    return tokenData.accessToken || null;
   } catch (error) {
     console.error("[Auth] Unexpected error reading OIDC token:", error);
     return null;
@@ -243,5 +262,5 @@ export async function getOidcProviderAccessToken(
  */
 export async function clearOidcProviderToken(): Promise<void> {
   const cookieStore = await cookies();
-  cookieStore.delete(COOKIE_NAME);
+  cookieStore.delete(OIDC_TOKEN_COOKIE_NAME);
 }
diff --git a/src/lib/auth/constants.ts b/src/lib/auth/constants.ts
index 2a820f4d..fa8f686c 100644
--- a/src/lib/auth/constants.ts
+++ b/src/lib/auth/constants.ts
@@ -8,11 +8,12 @@
  * Server-side only - not exposed to the client.
  */
 export const OIDC_PROVIDER_ID = process.env.OIDC_PROVIDER_ID || "oidc";
-export const OIDC_ISSUER_URL = process.env.OIDC_ISSUER_URL || "";
+const OIDC_ISSUER_URL = process.env.OIDC_ISSUER_URL || "";
 export const OIDC_CLIENT_ID = process.env.OIDC_CLIENT_ID || "";
 export const OIDC_CLIENT_SECRET = process.env.OIDC_CLIENT_SECRET || "";
 export const BASE_URL = process.env.BETTER_AUTH_URL || "http://localhost:3000";
 export const IS_PRODUCTION = process.env.NODE_ENV === "production";
+export const OIDC_DISCOVERY_URL = `${OIDC_ISSUER_URL}/.well-known/openid-configuration`;
 export const BETTER_AUTH_SECRET =
   process.env.BETTER_AUTH_SECRET || "build-time-better-auth-secret";
 export const OIDC_SCOPES = process.env.OIDC_SCOPES?.split(",") ?? [
@@ -27,7 +28,7 @@ export const TOKEN_ONE_HOUR_MS = 60 * 60 * 1000; // 3,600,000 ms (1 hour)
 export const TOKEN_SEVEN_DAYS_SECONDS = 7 * 24 * 60 * 60; // 604,800 seconds (7 days)
 
 // Cookie configuration
-export const COOKIE_NAME = "oidc_token" as const;
+export const OIDC_TOKEN_COOKIE_NAME = "oidc_token" as const;
 
 // Trusted origins for Better Auth
 const trustedOriginsFromEnv = process.env.TRUSTED_ORIGINS
diff --git a/src/lib/auth/cookie.ts b/src/lib/auth/cookie.ts
new file mode 100644
index 00000000..d00f2b5b
--- /dev/null
+++ b/src/lib/auth/cookie.ts
@@ -0,0 +1,31 @@
+/**
+ * Cookie utilities for OIDC token storage.
+ * Separated to avoid circular dependencies with auth modules.
+ */
+
+import { cookies } from "next/headers";
+import {
+  BETTER_AUTH_SECRET,
+  IS_PRODUCTION,
+  OIDC_TOKEN_COOKIE_NAME,
+  TOKEN_SEVEN_DAYS_SECONDS,
+} from "./constants";
+import { encrypt } from "./crypto";
+import type { OidcTokenData } from "./types";
+
+/**
+ * Saves encrypted token data in HTTP-only cookie.
+ * Used by saveAccountToken in utils and refreshAccessToken in auth.
+ */
+export async function saveTokenCookie(tokenData: OidcTokenData): Promise<void> {
+  const encrypted = await encrypt(tokenData, BETTER_AUTH_SECRET);
+  const cookieStore = await cookies();
+
+  cookieStore.set(OIDC_TOKEN_COOKIE_NAME, encrypted, {
+    httpOnly: true,
+    secure: IS_PRODUCTION,
+    sameSite: "lax",
+    maxAge: TOKEN_SEVEN_DAYS_SECONDS,
+    path: "/",
+  });
+}
diff --git a/src/lib/auth/crypto.ts b/src/lib/auth/crypto.ts
new file mode 100644
index 00000000..b7b66083
--- /dev/null
+++ b/src/lib/auth/crypto.ts
@@ -0,0 +1,88 @@
+/**
+ * Cryptographic utilities for token encryption and decryption.
+ * Separated to avoid circular dependencies with auth modules.
+ */
+
+import { createHash } from "node:crypto";
+import * as jose from "jose";
+import type { OidcTokenData } from "./types";
+
+/**
+ * Derives encryption key from secret.
+ * Uses SHA-256 to derive exactly 32 bytes (256 bits) from the provided secret,
+ * ensuring compatibility with AES-256-GCM regardless of secret length.
+ */
+function getSecret(secret: string): Uint8Array {
+  // Hash the secret to get exactly 32 bytes for AES-256-GCM
+  return new Uint8Array(createHash("sha256").update(secret).digest());
+}
+
+/**
+ * Encrypts token data using JWE (JSON Web Encryption).
+ * Uses AES-256-GCM with direct key agreement (alg: 'dir').
+ * Exported for testing purposes.
+ */
+export async function encrypt(
+  data: OidcTokenData,
+  secret: string,
+): Promise<string> {
+  const key = getSecret(secret);
+  const plaintext = new TextEncoder().encode(JSON.stringify(data));
+  return await new jose.CompactEncrypt(plaintext)
+    .setProtectedHeader({ alg: "dir", enc: "A256GCM" })
+    .encrypt(key);
+}
+
+/**
+ * Decrypts JWE token and returns parsed token data.
+ * Validates data structure after decryption.
+ * Exported for testing purposes.
+ */
+export async function decrypt(
+  jwe: string,
+  secret: string,
+): Promise<OidcTokenData> {
+  try {
+    const key = getSecret(secret);
+    const { plaintext } = await jose.compactDecrypt(jwe, key);
+    const data = JSON.parse(new TextDecoder().decode(plaintext));
+
+    if (!isOidcTokenData(data)) {
+      throw new Error("Invalid token data structure");
+    }
+
+    return data;
+  } catch (error) {
+    if (error instanceof jose.errors.JWEDecryptionFailed) {
+      throw new Error("Token decryption failed - possible tampering");
+    }
+    if (error instanceof jose.errors.JWEInvalid) {
+      throw new Error("Invalid JWE format");
+    }
+    // Wrap unexpected errors to avoid exposing internal details
+    const message = error instanceof Error ? error.message : "Unknown error";
+    throw new Error(`Token decryption error: ${message}`);
+  }
+}
+
+/**
+ * Type guard to validate OidcTokenData structure at runtime.
+ * Used after decrypting token data from cookie to ensure data integrity.
+ * Note: idToken is not validated here as it's optional and not critical for token validation.
+ */
+export function isOidcTokenData(data: unknown): data is OidcTokenData {
+  if (typeof data !== "object" || data === null) {
+    return false;
+  }
+
+  const obj = data as Record<string, unknown>;
+
+  return (
+    typeof obj.accessToken === "string" &&
+    typeof obj.accessTokenExpiresAt === "number" &&
+    typeof obj.userId === "string" &&
+    (obj.refreshToken === undefined || typeof obj.refreshToken === "string") &&
+    (obj.refreshTokenExpiresAt === undefined ||
+      typeof obj.refreshTokenExpiresAt === "number")
+  );
+}
diff --git a/src/lib/auth/types.ts b/src/lib/auth/types.ts
index 12263d8f..904aeab1 100644
--- a/src/lib/auth/types.ts
+++ b/src/lib/auth/types.ts
@@ -2,23 +2,53 @@
  * Authentication types and interfaces for OIDC token management.
  */
 
+import type { Account } from "better-auth";
+
 /**
  * Represents the data stored in the encrypted OIDC token cookie.
  */
-export interface OidcTokenData {
-  accessToken: string;
-  refreshToken?: string;
-  expiresAt: number;
+export interface OidcTokenData
+  extends Omit<
+    Account,
+    | "accessTokenExpiresAt"
+    | "accountId"
+    | "providerId"
+    | "refreshTokenExpiresAt"
+    | "createdAt"
+    | "updatedAt"
+    | "id"
+  > {
+  accessTokenExpiresAt: number;
   refreshTokenExpiresAt?: number;
-  userId: string;
+  providerId?: string;
+  accountId?: string;
+  updatedAt?: Date;
+  createdAt?: Date;
+  id?: string;
 }
 
 /**
  * OIDC Discovery Document structure.
  * Retrieved from /.well-known/openid-configuration endpoint.
  */
-export interface OIDCDiscovery {
+export interface OidcDiscovery {
   token_endpoint: string;
+  end_session_endpoint: string;
+  issuer: string;
+  authorization_endpoint: string;
+  userinfo_endpoint: string;
+  registration_endpoint: string;
+  jwks_uri: string;
+  response_types_supported: string[];
+  response_modes_supported: string[];
+  grant_types_supported: string[];
+  subject_types_supported: string[];
+  id_token_signing_alg_values_supported: string[];
+  scopes_supported: string[];
+  claims_supported: string[];
+  code_challenge_methods_supported: string[];
+  token_endpoint_auth_methods_supported: string[];
+  request_object_signing_alg_values_supported: string[];
   [key: string]: unknown;
 }
 
@@ -32,4 +62,10 @@ export interface TokenResponse {
   expires_in: number;
   refresh_expires_in?: number;
   token_type: string;
+  id_token?: string;
+}
+
+export interface OidcDiscoveryResponse {
+  tokenEndpoint: string | null;
+  endSessionEndpoint: string | null;
 }
diff --git a/src/lib/auth/utils.ts b/src/lib/auth/utils.ts
index fdaa521d..394d00a2 100644
--- a/src/lib/auth/utils.ts
+++ b/src/lib/auth/utils.ts
@@ -1,89 +1,53 @@
 /**
- * Utility functions for authentication, token validation, and encryption.
+ * Utility functions for authentication and token management.
  */
 
-import { createHash } from "node:crypto";
-import * as jose from "jose";
-import { TOKEN_ONE_HOUR_MS } from "./constants";
+import type { Account } from "better-auth";
+import { cookies } from "next/headers";
+import {
+  BETTER_AUTH_SECRET,
+  OIDC_TOKEN_COOKIE_NAME,
+  TOKEN_ONE_HOUR_MS,
+} from "./constants";
+import { saveTokenCookie } from "./cookie";
+import { decrypt } from "./crypto";
 import type { OidcTokenData } from "./types";
 
-/**
- * Derives encryption key from secret.
- * Uses SHA-256 to derive exactly 32 bytes (256 bits) from the provided secret,
- * ensuring compatibility with AES-256-GCM regardless of secret length.
- */
-function getSecret(secret: string): Uint8Array {
-  // Hash the secret to get exactly 32 bytes for AES-256-GCM
-  return new Uint8Array(createHash("sha256").update(secret).digest());
-}
+// Re-export crypto functions for backwards compatibility
+export { decrypt, encrypt, isOidcTokenData } from "./crypto";
 
 /**
- * Encrypts token data using JWE (JSON Web Encryption).
- * Uses AES-256-GCM with direct key agreement (alg: 'dir').
- * Exported for testing purposes.
+ * Retrieves the OIDC ID token from HTTP-only cookie.
+ * Returns null if token not found or belongs to different user.
+ * Used for OIDC logout (RP-Initiated Logout).
  */
-export async function encrypt(
-  data: OidcTokenData,
-  secret: string,
-): Promise<string> {
-  const key = getSecret(secret);
-  const plaintext = new TextEncoder().encode(JSON.stringify(data));
-  return await new jose.CompactEncrypt(plaintext)
-    .setProtectedHeader({ alg: "dir", enc: "A256GCM" })
-    .encrypt(key);
-}
-
-/**
- * Decrypts JWE token and returns parsed token data.
- * Validates data structure after decryption.
- * Exported for testing purposes.
- */
-export async function decrypt(
-  jwe: string,
-  secret: string,
-): Promise<OidcTokenData> {
+export async function getOidcIdToken(userId: string): Promise<string | null> {
   try {
-    const key = getSecret(secret);
-    const { plaintext } = await jose.compactDecrypt(jwe, key);
-    const data = JSON.parse(new TextDecoder().decode(plaintext));
+    const cookieStore = await cookies();
+    const encryptedCookie = cookieStore.get(OIDC_TOKEN_COOKIE_NAME);
 
-    if (!isOidcTokenData(data)) {
-      throw new Error("Invalid token data structure");
+    if (!encryptedCookie?.value) {
+      return null;
     }
 
-    return data;
-  } catch (error) {
-    if (error instanceof jose.errors.JWEDecryptionFailed) {
-      throw new Error("Token decryption failed - possible tampering");
+    let tokenData: OidcTokenData;
+    try {
+      tokenData = await decrypt(encryptedCookie.value, BETTER_AUTH_SECRET);
+    } catch (error) {
+      console.error("[Auth] Token decryption failed:", error);
+      return null;
     }
-    if (error instanceof jose.errors.JWEInvalid) {
-      throw new Error("Invalid JWE format");
+
+    if (tokenData.userId !== userId) {
+      console.error("[Auth] Token userId mismatch");
+      return null;
     }
-    // Wrap unexpected errors to avoid exposing internal details
-    const message = error instanceof Error ? error.message : "Unknown error";
-    throw new Error(`Token decryption error: ${message}`);
-  }
-}
 
-/**
- * Type guard to validate OidcTokenData structure at runtime.
- * Used after decrypting token data from cookie to ensure data integrity.
- */
-export function isOidcTokenData(data: unknown): data is OidcTokenData {
-  if (typeof data !== "object" || data === null) {
-    return false;
+    return tokenData.idToken || null;
+  } catch (error) {
+    console.error("[Auth] Unexpected error reading OIDC ID token:", error);
+    return null;
   }
-
-  const obj = data as Record<string, unknown>;
-
-  return (
-    typeof obj.accessToken === "string" &&
-    typeof obj.expiresAt === "number" &&
-    typeof obj.userId === "string" &&
-    (obj.refreshToken === undefined || typeof obj.refreshToken === "string") &&
-    (obj.refreshTokenExpiresAt === undefined ||
-      typeof obj.refreshTokenExpiresAt === "number")
-  );
 }
 
 /**
@@ -92,15 +56,9 @@ export function isOidcTokenData(data: unknown): data is OidcTokenData {
  *
  * @param account - Account data from Better Auth containing OIDC tokens
  */
-export async function saveAccountToken(account: {
-  accessToken?: string | null;
-  refreshToken?: string | null;
-  accessTokenExpiresAt?: Date | string | null;
-  refreshTokenExpiresAt?: Date | string | null;
-  userId: string;
-}) {
+export async function saveAccountToken(account: Account) {
   if (account.accessToken && account.userId) {
-    const expiresAt = account.accessTokenExpiresAt
+    const accessTokenExpiresAt = account.accessTokenExpiresAt
       ? new Date(account.accessTokenExpiresAt).getTime()
       : Date.now() + TOKEN_ONE_HOUR_MS;
 
@@ -109,24 +67,14 @@ export async function saveAccountToken(account: {
       : undefined;
 
     const tokenData: OidcTokenData = {
+      ...account,
       accessToken: account.accessToken,
       refreshToken: account.refreshToken || undefined,
-      expiresAt,
+      accessTokenExpiresAt,
       refreshTokenExpiresAt,
       userId: account.userId,
     };
 
-    console.log("[Save Token] Token data to save:", {
-      hasAccessToken: !!tokenData.accessToken,
-      hasRefreshToken: !!tokenData.refreshToken,
-      expiresAt: new Date(tokenData.expiresAt).toISOString(),
-      refreshTokenExpiresAt: tokenData.refreshTokenExpiresAt
-        ? new Date(tokenData.refreshTokenExpiresAt).toISOString()
-        : "none",
-    });
-
-    // Dynamic import to avoid circular dependency
-    const { saveTokenCookie } = await import("./auth");
     await saveTokenCookie(tokenData);
 
     console.log("[Save Token] Token cookie saved successfully");