diff --git a/src/Server/ZB.MOM.WW.OtOpcUa.Security/Auth/AutoLoginAuthenticationHandler.cs b/src/Server/ZB.MOM.WW.OtOpcUa.Security/Auth/AutoLoginAuthenticationHandler.cs
new file mode 100644
index 00000000..7e130725
--- /dev/null
+++ b/src/Server/ZB.MOM.WW.OtOpcUa.Security/Auth/AutoLoginAuthenticationHandler.cs
@@ -0,0 +1,56 @@
+using System.Security.Claims;
+using System.Text.Encodings.Web;
+using Microsoft.AspNetCore.Authentication;
+using Microsoft.AspNetCore.Authentication.Cookies;
+using Microsoft.Extensions.Logging;
+using Microsoft.Extensions.Options;
+using ZB.MOM.WW.Auth.AspNetCore;   // ZbClaimTypes — same source AuthEndpoints mints claims from.
+
+namespace ZB.MOM.WW.OtOpcUa.Security.Auth;
+
+/// <summary>
+///     Auth handler used ONLY when <see cref="AuthDisableLoginOptions.DisableLogin"/> is true.
+///     Registered under the cookie scheme name, it authenticates EVERY request as the configured
+///     dev user with all <see cref="DevAuthRoles.All"/> roles — no credential check, no cookie.
+///     The minted principal mirrors the shape the real login (AuthEndpoints) produces.
+/// </summary>
+public sealed class AutoLoginAuthenticationHandler
+    : AuthenticationHandler<AuthenticationSchemeOptions>
+{
+    private readonly AuthDisableLoginOptions _opts;
+
+    /// <summary>Initializes the handler with the scheme plumbing and the disable-login options.</summary>
+    /// <param name="options">The per-scheme authentication options monitor.</param>
+    /// <param name="logger">The logger factory the base handler uses.</param>
+    /// <param name="encoder">The URL encoder the base handler uses.</param>
+    /// <param name="disableLoginOptions">The disable-login dev flag and configured username.</param>
+    public AutoLoginAuthenticationHandler(
+        IOptionsMonitor<AuthenticationSchemeOptions> options,
+        ILoggerFactory logger,
+        UrlEncoder encoder,
+        IOptions<AuthDisableLoginOptions> disableLoginOptions)
+        : base(options, logger, encoder)
+        => _opts = disableLoginOptions.Value;
+
+    /// <inheritdoc />
+    protected override Task<AuthenticateResult> HandleAuthenticateAsync()
+    {
+        var user = string.IsNullOrWhiteSpace(_opts.User) ? "multi-role-test" : _opts.User;
+
+        var claims = new List<Claim>
+        {
+            // ZbClaimTypes.Name = ClaimTypes.Name — populates Identity.Name canonically.
+            new(ZbClaimTypes.Name, user),
+            new(ZbClaimTypes.Username, user),
+            new(ZbClaimTypes.DisplayName, user),
+        };
+        foreach (var role in DevAuthRoles.All)
+            // ZbClaimTypes.Role = ClaimTypes.Role — framework [Authorize(Roles=...)] + IsInRole work.
+            claims.Add(new Claim(ZbClaimTypes.Role, role));
+
+        var identity = new ClaimsIdentity(claims, CookieAuthenticationDefaults.AuthenticationScheme);
+        var principal = new ClaimsPrincipal(identity);
+        var ticket = new AuthenticationTicket(principal, Scheme.Name);
+        return Task.FromResult(AuthenticateResult.Success(ticket));
+    }
+}
diff --git a/tests/Server/ZB.MOM.WW.OtOpcUa.Security.Tests/AutoLoginAuthenticationHandlerTests.cs b/tests/Server/ZB.MOM.WW.OtOpcUa.Security.Tests/AutoLoginAuthenticationHandlerTests.cs
new file mode 100644
index 00000000..145044ec
--- /dev/null
+++ b/tests/Server/ZB.MOM.WW.OtOpcUa.Security.Tests/AutoLoginAuthenticationHandlerTests.cs
@@ -0,0 +1,64 @@
+using System.Text.Encodings.Web;
+using Microsoft.AspNetCore.Authentication;
+using Microsoft.AspNetCore.Authentication.Cookies;
+using Microsoft.AspNetCore.Http;
+using Microsoft.Extensions.Logging.Abstractions;
+using Microsoft.Extensions.Options;
+using Shouldly;
+using Xunit;
+using ZB.MOM.WW.OtOpcUa.Security.Auth;
+
+namespace ZB.MOM.WW.OtOpcUa.Security.Tests;
+
+public class AutoLoginAuthenticationHandlerTests
+{
+    private static async Task<AuthenticateResult> AuthenticateAsync(string user = "multi-role-test")
+    {
+        var schemeOpts = new StubOptionsMonitor<AuthenticationSchemeOptions>(new AuthenticationSchemeOptions());
+        var disableOpts = Options.Create(new AuthDisableLoginOptions { DisableLogin = true, User = user });
+
+        var handler = new AutoLoginAuthenticationHandler(
+            schemeOpts, NullLoggerFactory.Instance, UrlEncoder.Default, disableOpts);
+        await handler.InitializeAsync(
+            new AuthenticationScheme(
+                CookieAuthenticationDefaults.AuthenticationScheme, null, typeof(AutoLoginAuthenticationHandler)),
+            new DefaultHttpContext());
+        return await handler.AuthenticateAsync();
+    }
+
+    [Fact]
+    public async Task Authenticates_as_configured_user_with_all_roles()
+    {
+        var result = await AuthenticateAsync();
+
+        result.Succeeded.ShouldBeTrue();
+        result.Principal!.Identity!.IsAuthenticated.ShouldBeTrue();
+        result.Principal.Identity.Name.ShouldBe("multi-role-test");
+        foreach (var role in DevAuthRoles.All)
+            result.Principal.IsInRole(role).ShouldBeTrue();
+        // Satisfies the FleetAdmin (Administrator) + DriverOperator (Operator|Administrator) policies.
+        result.Principal.IsInRole("Administrator").ShouldBeTrue();
+        result.Principal.IsInRole("Operator").ShouldBeTrue();
+    }
+
+    [Fact]
+    public async Task Honours_configured_username()
+    {
+        var result = await AuthenticateAsync("custom-dev");
+        result.Principal!.Identity!.Name.ShouldBe("custom-dev");
+    }
+
+    /// <summary>
+    ///     Minimal <see cref="IOptionsMonitor{TOptions}"/> stub returning a fixed value for any
+    ///     name. The test project does not reference Moq, so the scheme-options monitor the base
+    ///     <see cref="AuthenticationHandler{TOptions}"/> needs is hand-rolled here.
+    /// </summary>
+    private sealed class StubOptionsMonitor<T>(T value) : IOptionsMonitor<T>
+    {
+        public T CurrentValue { get; } = value;
+
+        public T Get(string? name) => CurrentValue;
+
+        public IDisposable? OnChange(Action<T, string?> listener) => null;
+    }
+}