From b644474b6a655d654664049b87a9f5bf30c71036 Mon Sep 17 00:00:00 2001
From: Mridang Agarwalla
Date: Wed, 23 Apr 2025 13:06:38 +0300
Subject: [PATCH 1/5] Improved the spec tests by adding some tests for the session service
---
 ...o_sanity_check_the_session_service_spec.rb | 82 +++++++++++++++++++
 1 file changed, 82 insertions(+)
 create mode 100644 spec/sdk_test_to_sanity_check_the_session_service_spec.rb
diff --git a/spec/sdk_test_to_sanity_check_the_session_service_spec.rb b/spec/sdk_test_to_sanity_check_the_session_service_spec.rb
new file mode 100644
index 00000000..d73e2c0e
--- /dev/null
+++ b/spec/sdk_test_to_sanity_check_the_session_service_spec.rb
@@ -0,0 +1,82 @@
+# frozen_string_literal: true
+
+require 'minitest/autorun'
+
+# SessionService Integration Tests
+#
+# This suite verifies the Zitadel SessionService API's basic operations using a
+# personal access token:
+#
+# 1. Create a session with specified checks and lifetime
+# 2. Retrieve the session by ID
+# 3. List sessions and ensure the created session appears
+# 4. Update the session's lifetime and confirm a new token is returned
+#
+# Each test runs in isolation: a new session is created in `before` and deleted
+# in `after` to ensure a clean state.
+
+require_relative 'spec_helper'
+require 'securerandom'
+
+VALID_TOKEN = ENV.fetch('AUTH_TOKEN')
+BASE_URL = ENV.fetch('BASE_URL')
+CLIENT = ZitadelClient::Zitadel.with_access_token(BASE_URL, VALID_TOKEN)
+
+describe 'Zitadel SessionService' do
+ # Setup: create a fresh session before each test example
+ before do
+ req = ZitadelClient::SessionServiceCreateSessionRequest.new(
+ checks: ZitadelClient::SessionServiceChecks.new(
+ user: ZitadelClient::SessionServiceCheckUser.new(login_name: 'johndoe')
+ ),
+ lifetime: '18000s'
+ )
+ resp = CLIENT.sessions.session_service_create_session(req)
+ @session_id = resp.session_id
+ @session_token = resp.session_token
+ end
+
+ # Teardown: delete the session after each test example
+ after do
+ delete_req = ZitadelClient::SessionServiceDeleteSessionBody.new
+ begin
+ CLIENT.sessions.session_service_delete_session(@session_id, delete_req)
+ rescue StandardError
+ # Ignore cleanup errors
+ end
+ end
+
+ it 'retrieves the session details by the session identifier' do
+ response = CLIENT.sessions.session_service_get_session(
+ @session_id,
+ session_token: @session_token
+ )
+ _(response.session.id).must_equal @session_id
+ end
+
+ it 'raises an error when retrieving a non-existent session' do
+ assert_raises(ZitadelClient::ApiError) do
+ CLIENT.sessions.session_service_get_session(
+ SecureRandom.uuid,
+ session_token: @session_token
+ )
+ end
+ end
+
+ it
'includes the created session when listing all sessions' do
+ request = ZitadelClient::SessionServiceListSessionsRequest.new(queries: [])
+ response = CLIENT.sessions.session_service_list_sessions(
+ request
+ )
+ _(response.sessions.map(&:id)).must_include @session_id
+ end
+
+ it 'updates the session lifetime and returns a new token' do
+ request = ZitadelClient::SessionServiceSetSessionRequest.new(lifetime: '36000s')
+ response = CLIENT.sessions.session_service_set_session(
+ @session_id,
+ request
+ )
+ _(response.session_token).must_be_instance_of String
+ end
+end
From 6a69b8115f1c574c2a4d5e0c20b62ce97d689541 Mon Sep 17 00:00:00 2001
From: Mridang Agarwalla
Date: Wed, 23 Apr 2025 14:23:28 +0300
Subject: [PATCH 2/5] Added more tests to validate that the user-service works too
---
 ...t_to_sanity_check_the_user_service_spec.rb | 74 +++++++++++++++++++
 1 file changed, 74 insertions(+)
 create mode 100644 spec/sdk_test_to_sanity_check_the_user_service_spec.rb
diff --git a/spec/sdk_test_to_sanity_check_the_user_service_spec.rb b/spec/sdk_test_to_sanity_check_the_user_service_spec.rb
new file mode 100644
index 00000000..d8644743
--- /dev/null
+++ b/spec/sdk_test_to_sanity_check_the_user_service_spec.rb
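Review bot: The 'raises an error when retrieving a non-existent session' example accepts any `ZitadelClient::ApiError`, so a rejected or expired `AUTH_TOKEN` would satisfy it just as well as a genuine not-found response. Capture the exception with `err = assert_raises(ZitadelClient::ApiError) do ... end` and assert on the HTTP status it carries, assuming ApiError exposes one (the class is not shown in this patch). The 'raises an error when retrieving a non-existent user' example in the user-service spec of patch 2 is written the same way.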
@@ -0,0 +1,74 @@
+# frozen_string_literal: true
+
+require 'minitest/autorun'
+require_relative 'spec_helper'
+require 'securerandom'
+
+# UserService Integration Tests
+#
+# This suite verifies the Zitadel UserService API's basic operations using a
+# personal access token:
+#
+# 1. Create a human user
+# 2. Retrieve the user by ID
+# 3. List users and ensure the created user appears
+# 4. Update the user's email and confirm the change
+# 5. Error when retrieving a non-existent user
+#
+# Each test runs in isolation: a new user is created in `before` and deleted in
+# `after` to ensure a clean state.
+
+VALID_TOKEN = ENV.fetch('AUTH_TOKEN')
+BASE_URL = ENV.fetch('BASE_URL')
+CLIENT = ZitadelClient::Zitadel.with_access_token(BASE_URL, VALID_TOKEN)
+
+describe 'Zitadel UserService' do
+ before do
+ request = ZitadelClient::UserServiceAddHumanUserRequest.new(
+ username: SecureRandom.hex,
+ profile: ZitadelClient::UserServiceSetHumanProfile.new(
+ given_name: 'John',
+ family_name: 'Doe'
+ ),
+ email: ZitadelClient::UserServiceSetHumanEmail.new(
+ email: "johndoe#{SecureRandom.hex}@example.com"
+ )
+ )
+
+ @user = CLIENT.users.user_service_add_human_user(request)
+ end
+
+ after do
+ CLIENT.users.user_service_delete_user(@user.user_id)
+ rescue StandardError
+ # Ignore cleanup errors
+ end
+
+ it 'retrieves the user details by ID' do
+ response = CLIENT.users.user_service_get_user_by_id(@user.user_id)
+ _(response.user.user_id).must_equal @user.user_id
+ end
+
+ it 'raises an error when retrieving a non-existent user' do
+ assert_raises(ZitadelClient::ApiError) do
+ CLIENT.users.user_service_get_user_by_id(SecureRandom.uuid)
+ end
+ end
+
+ it 'includes the created user when listing all users' do
+ request = ZitadelClient::UserServiceListUsersRequest.new(queries: [])
+ response = CLIENT.users.user_service_list_users(request)
+ _(response.result.map(&:user_id)).must_include @user.user_id
+ end
+
+ it "updates the user's email and reflects the change" do
+ new_email =
"updated#{SecureRandom.hex}@example.com"
+ update_req = ZitadelClient::UserServiceUpdateHumanUserRequest.new(
+ email: ZitadelClient::UserServiceSetHumanEmail.new(email: new_email)
+ )
+ CLIENT.users.user_service_update_human_user(@user.user_id, update_req)
+
+ response = CLIENT.users.user_service_get_user_by_id(@user.user_id)
+ _(response.user.human.email.email).must_equal new_email
+ end
+end
From 702584b882e95e9f4661a8ad22f6a3b22343cf63 Mon Sep 17 00:00:00 2001
From: Mridang Agarwalla
Date: Wed, 23 Apr 2025 17:56:26 +0300
Subject: [PATCH 3/5] Added more tests to better verify the auth
---
 .../auth/o_auth_authenticator.rb | 2 +-
 spec/auth/use_access_token_spec.rb | 34 +++++++++
 spec/auth/use_client_credentials_spec.rb | 36 ++++++++++
 spec/auth/use_private_key_spec.rb | 51 ++++++++++++++
 ..._client_credentials_authentication_spec.rb | 69 -------------------
 ...rsonal_access_token_authentication_spec.rb | 64 -----------------
 ...est_using_web_token_authentication_spec.rb | 65 -----------------
 7 files changed, 122 insertions(+), 199 deletions(-)
 create mode 100644 spec/auth/use_access_token_spec.rb
 create mode 100644 spec/auth/use_client_credentials_spec.rb
 create mode 100644 spec/auth/use_private_key_spec.rb
 delete mode 100644 spec/sdk_test_using_client_credentials_authentication_spec.rb
 delete mode 100644 spec/sdk_test_using_personal_access_token_authentication_spec.rb
 delete mode 100644 spec/sdk_test_using_web_token_authentication_spec.rb
diff --git a/lib/zitadel-client/auth/o_auth_authenticator.rb b/lib/zitadel-client/auth/o_auth_authenticator.rb
index 949db853..967d3116 100644
--- a/lib/zitadel-client/auth/o_auth_authenticator.rb
+++ b/lib/zitadel-client/auth/o_auth_authenticator.rb
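Review bot: The `after` block rescues every `StandardError` and discards it, so a failed `user_service_delete_user` call leaves the generated account on the target instance with no trace in the test output, and a nil `@user` (when `before` itself failed) is hidden as well. Narrow the rescue and report the failure, e.g. `rescue ZitadelClient::ApiError => e` followed by `warn "user cleanup failed: #{e.message}"`. The session spec's teardown in patch 1 has the same shape, and there the leftover is a session created with `lifetime: '18000s'`.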
@@ -84,7 +84,7 @@ def get_grant(auth_client, auth_scopes)
 def refresh_token
 @token = get_grant(@auth_session, @auth_scopes)
 rescue StandardError => e
- raise RuntimeError.new("Failed to refresh token: #{e.message}"), cause: e
+ raise ApiError.new("Failed to refresh token: #{e.message}"), cause: e
 end
 end
 end
diff --git a/spec/auth/use_access_token_spec.rb b/spec/auth/use_access_token_spec.rb
new file mode 100644
index 00000000..10758d5d
--- /dev/null
+++ b/spec/auth/use_access_token_spec.rb
@@ -0,0 +1,34 @@
+# frozen_string_literal: true
+
+require 'minitest/autorun'
+require_relative '../spec_helper'
+
+# SettingsService Integration Tests (Personal Access Token)
+#
+# This suite verifies the Zitadel SettingsService API's general settings
+# endpoint works when authenticating via a Personal Access Token:
+#
+# 1. Retrieve general settings successfully with a valid token
+# 2. Expect an ApiError when using an invalid token
+#
+# Each test runs in isolation: the client is instantiated in each example to
+# guarantee a clean, stateless call.
+describe 'Zitadel SettingsService (Personal Access Token)' do
+ it 'retrieves general settings with valid token' do
+ client = ZitadelClient::Zitadel.with_access_token(
+ ENV.fetch('BASE_URL') { raise 'BASE_URL not set' },
+ ENV.fetch('AUTH_TOKEN') { raise 'AUTH_TOKEN not set' }
+ )
+ client.settings.settings_service_get_general_settings
+ end
+
+ it 'raises an ApiError with invalid token' do
+ client = ZitadelClient::Zitadel.with_access_token(
+ ENV.fetch('BASE_URL') { raise 'BASE_URL not set' },
+ 'invalid'
+ )
+ assert_raises(ZitadelClient::ApiError) do
+ client.settings.settings_service_get_general_settings
+ end
+ end
+end
diff --git a/spec/auth/use_client_credentials_spec.rb b/spec/auth/use_client_credentials_spec.rb
new file mode 100644
index 00000000..ce87bdec
--- /dev/null
+++ b/spec/auth/use_client_credentials_spec.rb
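Review bot: `refresh_token` still rescues `StandardError`, so after this change timeouts, DNS failures and local configuration errors are all reported as `ApiError`, the same class a rejected request produces. The new auth specs assert only `ZitadelClient::ApiError`, which means they would also pass when the token endpoint is simply unreachable. Consider rescuing only the OAuth library's error class here and letting transport errors propagate, or at least document the wrapping with a comment such as `# Any failure while obtaining a grant surfaces as ApiError; inspect #cause for the original`. It is also worth confirming that `e.message` cannot carry the token endpoint's response body before it is copied into an exception that may end up in logs.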
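Review bot: The 'retrieves general settings with valid token' example makes no assertion; it passes as long as the call does not raise, whatever comes back. Keep the response and assert on it, e.g. `response = client.settings.settings_service_get_general_settings` followed by `_(response).wont_be_nil`, or check a field the endpoint is documented to return. The valid-credential examples in use_client_credentials_spec.rb and use_private_key_spec.rb in this patch are written the same way.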
@@ -0,0 +1,36 @@
+# frozen_string_literal: true
+
+require 'minitest/autorun'
+require_relative '../spec_helper'
+
+# SettingsService Integration Tests (Client Credentials)
+#
+# This suite verifies the Zitadel SettingsService API's general settings
+# endpoint works when authenticating via Client Credentials:
+#
+# 1. Retrieve general settings successfully with valid credentials
+# 2. Expect an ApiError when using invalid credentials
+#
+# Each test runs in isolation: the client is instantiated in each example to
+# guarantee a clean, stateless call.
+describe 'Zitadel SettingsService (Client Credentials)' do
+ it 'retrieves general settings with valid credentials' do
+ client = ZitadelClient::Zitadel.with_client_credentials(
+ ENV.fetch('BASE_URL') { raise 'BASE_URL not set' },
+ ENV.fetch('CLIENT_ID') { raise 'CLIENT_ID not set' },
+ ENV.fetch('CLIENT_SECRET') { raise 'CLIENT_SECRET not set' }
+ )
+ client.settings.settings_service_get_general_settings
+ end
+
+ it 'raises an ApiError with invalid credentials' do
+ client = ZitadelClient::Zitadel.with_client_credentials(
+ ENV.fetch('BASE_URL') { raise 'BASE_URL not set' },
+ 'invalid',
+ 'invalid'
+ )
+ assert_raises(ZitadelClient::ApiError) do
+ client.settings.settings_service_get_general_settings
+ end
+ end
+end
diff --git a/spec/auth/use_private_key_spec.rb b/spec/auth/use_private_key_spec.rb
new file mode 100644
index 00000000..7b0e1b0c
--- /dev/null
+++ b/spec/auth/use_private_key_spec.rb
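Review bot: The invalid-credentials example passes `'invalid'` for both the client ID and the secret, so it only covers an unknown client. The case that matters for a credential check is a known client presenting a wrong secret. Add an example that builds the client with `ENV.fetch('CLIENT_ID')` and `'invalid'` as the secret and expects `ZitadelClient::ApiError`.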
@@ -0,0 +1,51 @@
+# frozen_string_literal: true
+
+require 'minitest/autorun'
+require_relative '../spec_helper'
+require 'tempfile'
+
+# SettingsService Integration Tests (Private Key Assertion)
+#
+# This suite verifies the Zitadel SettingsService API's general settings
+# endpoint works when authenticating via a private key assertion:
+#
+# 1. Retrieve general settings successfully with a valid private key
+# 2. Expect an ApiError when using an invalid private key
+#
+# Each test runs in isolation: the client is instantiated in each example to
+# guarantee a clean, stateless call.
+describe 'Zitadel SettingsService (Private Key Assertion)' do
+ before do
+ @jwt_file = Tempfile.new(%w[jwt .json])
+ @jwt_file.write(
+ ENV.fetch('JWT_KEY') { raise 'JWT_KEY not set' }
+ )
+ @jwt_file.flush
+ @jwt_file.close
+ end
+
+ it 'retrieves general settings with valid private key' do
+ jwt_file = Tempfile.new(%w[jwt .json])
+ jwt_file.write(
+ ENV.fetch('JWT_KEY') { raise 'JWT_KEY not set' }
+ )
+ jwt_file.flush
+ jwt_file.close
+
+ client = ZitadelClient::Zitadel.with_private_key(
+ ENV.fetch('BASE_URL') { raise 'BASE_URL not set' },
+ @jwt_file.path
+ )
+ client.settings.settings_service_get_general_settings
+ end
+
+ it 'raises an ApiError with invalid private key' do
+ client = ZitadelClient::Zitadel.with_private_key(
+ 'https://zitadel.cloud',
+ @jwt_file.path
+ )
+ assert_raises(ZitadelClient::ApiError) do
+ client.settings.settings_service_get_general_settings
+ end
+ end
+end
diff --git a/spec/sdk_test_using_client_credentials_authentication_spec.rb b/spec/sdk_test_using_client_credentials_authentication_spec.rb
deleted file mode 100644
index 6b194714..00000000
--- a/spec/sdk_test_using_client_credentials_authentication_spec.rb
+++ /dev/null
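Review bot: The 'raises an ApiError with invalid private key' example does not use an invalid key: it loads the real `JWT_KEY` through `@jwt_file.path` and points the client at the hard-coded `'https://zitadel.cloud'`. That makes the suite depend on an external host and, presumably, sends an assertion signed with the real service-account key to a server other than `BASE_URL`. It also leaves the malformed-key and wrong-key paths untested. Keep `BASE_URL` and write a deliberately malformed or throwaway key to the temp file instead, and rename the current example if the wrong-host case is worth keeping.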
@@ -1,69 +0,0 @@ -# frozen_string_literal: true - -require 'minitest/autorun' -require 'securerandom' -require_relative 'spec_helper' - -describe 'Zitadel Client' do - before do - @client_id = ENV.fetch('CLIENT_ID', nil) - @client_secret = ENV.fetch('CLIENT_SECRET', nil) - @base_url = ENV.fetch('BASE_URL', nil) - @user_id = create_user(@base_url, @client_id, @client_secret) - end - - # rubocop:disable Metrics/MethodLength - def create_user(base_url, client_id, client_secret) - client = ZitadelClient::Zitadel.with_client_credentials(base_url, client_id, client_secret) - - begin - response = client.users.user_service_add_human_user( - ZitadelClient::UserServiceAddHumanUserRequest.new( - username: SecureRandom.hex, - profile: ZitadelClient::UserServiceSetHumanProfile.new(given_name: 'John', family_name: 'Doe'), - email: ZitadelClient::UserServiceSetHumanEmail.new(email: "johndoe#{SecureRandom.hex}@caos.ag") - ) - ) - puts "User created: #{response}" - response.user_id - rescue StandardError => e - raise "Exception while creating user: #{e.message}" - end - end - # rubocop:enable Metrics/MethodLength - - describe 'with valid token' do - it 'deactivates and reactivates a user' do - client = ZitadelClient::Zitadel.with_client_credentials(@base_url, @client_id, @client_secret) - - begin - deactivate_response = client.users.user_service_deactivate_user(@user_id) - puts "User deactivated: #{deactivate_response}" - - reactivate_response = client.users.user_service_reactivate_user(@user_id) - puts "User reactivated: #{reactivate_response}" - - # you can add real assertions here, for example: - # _(reactivate_response).must_respond_to :user_id - rescue StandardError => e - flunk "Exception when calling deactivate_user or reactivate_user with valid token: #{e.message}" - end - end - end - - describe 'with invalid token' do - it 'does not deactivate or reactivate a user' do - client = ZitadelClient::Zitadel.with_client_credentials(@base_url, 'id', 'secret') - - # deactivate 
should raise - assert_raises(StandardError) do - client.users.user_service_deactivate_user(@user_id) - end - - # reactivate should raise - assert_raises(StandardError) do - client.users.user_service_reactivate_user(@user_id) - end - end - end -end diff --git a/spec/sdk_test_using_personal_access_token_authentication_spec.rb b/spec/sdk_test_using_personal_access_token_authentication_spec.rb deleted file mode 100644 index 553e56b2..00000000 --- a/spec/sdk_test_using_personal_access_token_authentication_spec.rb +++ /dev/null 
@@ -1,64 +0,0 @@ -# frozen_string_literal: true - -require_relative 'spec_helper' -require 'securerandom' - -describe 'Zitadel Client (Personal Access Token)' do - before do - @valid_token = ENV.fetch('AUTH_TOKEN', nil) - @invalid_token = 'whoops' - @base_url = ENV.fetch('BASE_URL', nil) - @user_id = create_user(@valid_token, @base_url) - end - - # rubocop:disable Metrics/MethodLength - def create_user(token, base_url) - client = ZitadelClient::Zitadel.with_access_token(base_url, token) - - begin - resp = client.users.user_service_add_human_user( - ZitadelClient::UserServiceAddHumanUserRequest.new( - username: SecureRandom.hex, - profile: ZitadelClient::UserServiceSetHumanProfile.new(given_name: 'John', family_name: 'Doe'), - email: ZitadelClient::UserServiceSetHumanEmail.new(email: "johndoe#{SecureRandom.hex}@caos.ag") - ) - ) - puts "User created: #{resp}" - resp.user_id - rescue StandardError => e - raise "Exception while creating user: #{e.message}" - end - end - # rubocop:enable Metrics/MethodLength - - describe 'with valid token' do - it 'deactivates and reactivates a user without error' do - client = ZitadelClient::Zitadel.with_access_token(@base_url, @valid_token) - - begin - deactivate_resp = client.users.user_service_deactivate_user(@user_id) - puts "User deactivated: #{deactivate_resp}" - - reactivate_resp = client.users.user_service_reactivate_user(@user_id) - puts "User reactivated: #{reactivate_resp}" - rescue StandardError => e - flunk "Exception when calling deactivate_user or reactivate_user with valid token: #{e.message}" - end - end - end - - describe 'with invalid token' do - it 'raises an ApiError when deactivating or reactivating' do - client = ZitadelClient::Zitadel.with_access_token(@base_url, @invalid_token) - - # Expect API authentication errors - assert_raises(ZitadelClient::ApiError) do - client.users.user_service_deactivate_user(@user_id) - end - - assert_raises(ZitadelClient::ApiError) do - 
client.users.user_service_reactivate_user(@user_id) - end - end - end -end diff --git a/spec/sdk_test_using_web_token_authentication_spec.rb b/spec/sdk_test_using_web_token_authentication_spec.rb deleted file mode 100644 index 26040fc4..00000000 --- a/spec/sdk_test_using_web_token_authentication_spec.rb +++ /dev/null 
@@ -1,65 +0,0 @@ -# frozen_string_literal: true - -require_relative 'spec_helper' -require 'securerandom' -require 'tempfile' - -describe 'Zitadel Client (JWT Bearer OAuth)' do - before do - jwt_key = ENV.fetch('JWT_KEY') { raise 'JWT_KEY not set in environment' } - # Create and retain the Tempfile so it isn't GC'd before the test runs - @jwt_file = Tempfile.new(%w[jwt .json]) - @jwt_file.write(jwt_key) - @jwt_file.flush - @jwt_file.close - @key_file = @jwt_file.path - - @base_url = ENV.fetch('BASE_URL', nil) - @user_id = create_user(@key_file, @base_url) - end - - def create_temp_keyfile(jwt_key) - file = Tempfile.new('jwt_') - file.write(jwt_key) - file.close - file.path - end - - # rubocop:disable Metrics/MethodLength - def create_user(key_file, base_url) - client = ZitadelClient::Zitadel.with_private_key(base_url, key_file) - - begin - resp = client.users.user_service_add_human_user( - ZitadelClient::UserServiceAddHumanUserRequest.new( - username: SecureRandom.hex, - profile: ZitadelClient::UserServiceSetHumanProfile.new(given_name: 'John', family_name: 'Doe'), - email: ZitadelClient::UserServiceSetHumanEmail.new(email: "johndoe#{SecureRandom.hex}@caos.ag") - ) - ) - puts "User created: #{resp}" - resp.user_id - rescue StandardError => e - raise "Exception while creating user: #{e.message}" - end - end - # rubocop:enable Metrics/MethodLength - - describe 'with valid token' do - it 'deactivates and reactivates a user without error' do - raise ArgumentError, 'key_file cannot be nil' if @key_file.nil? 
- - client = ZitadelClient::Zitadel.with_private_key(@base_url, @key_file) - - begin - deactivate_resp = client.users.user_service_deactivate_user(@user_id) - puts "User deactivated: #{deactivate_resp}" - - reactivate_resp = client.users.user_service_reactivate_user(@user_id) - puts "User reactivated: #{reactivate_resp}" - rescue StandardError => e - flunk "Exception when calling deactivate_user or reactivate_user with valid token: #{e.message}" - end - end - end -end From d2da2caf6b60a857f4f4d96d18c44e401ad29f82 Mon Sep 17 00:00:00 2001 From: Mridang Agarwalla Date: Thu, 24 Apr 2025 07:24:20 +0300 Subject: [PATCH 4/5] Renamed the test clases for better readability --- ...e_session_service_spec.rb => validate_session_service_spec.rb} | 0 ...eck_the_user_service_spec.rb => validate_user_service_spec.rb} | 0 2 files changed, 0 insertions(+), 0 deletions(-) rename spec/{sdk_test_to_sanity_check_the_session_service_spec.rb => validate_session_service_spec.rb} (100%) rename spec/{sdk_test_to_sanity_check_the_user_service_spec.rb => validate_user_service_spec.rb} (100%) diff --git a/spec/sdk_test_to_sanity_check_the_session_service_spec.rb b/spec/validate_session_service_spec.rb similarity index 100% rename from spec/sdk_test_to_sanity_check_the_session_service_spec.rb rename to spec/validate_session_service_spec.rb diff --git a/spec/sdk_test_to_sanity_check_the_user_service_spec.rb b/spec/validate_user_service_spec.rb similarity index 100% rename from spec/sdk_test_to_sanity_check_the_user_service_spec.rb rename to spec/validate_user_service_spec.rb From 0dd8635ca03e63c8a609e86668b496d836179e00 Mon Sep 17 00:00:00 2001 
From: Mridang Agarwalla Date: Thu, 24 Apr 2025 10:24:59 +0300 Subject: [PATCH 5/5] Improved the spec tests to ensure that we use the let assignments --- spec/auth/use_access_token_spec.rb | 16 +++++++--- spec/auth/use_client_credentials_spec.rb | 19 +++++++---- spec/auth/use_private_key_spec.rb | 32 ++++++++----------- ..._spec.rb => check_session_service_spec.rb} | 31 +++++++++--------- ...ice_spec.rb => check_user_service_spec.rb} | 29 ++++++++++------- 5 files changed, 71 insertions(+), 56 deletions(-) rename spec/{validate_session_service_spec.rb => check_session_service_spec.rb} (73%) rename spec/{validate_user_service_spec.rb => check_user_service_spec.rb} (70%) diff --git a/spec/auth/use_access_token_spec.rb b/spec/auth/use_access_token_spec.rb index 10758d5d..5a1d22c5 100644 --- a/spec/auth/use_access_token_spec.rb +++ b/spec/auth/use_access_token_spec.rb @@ -14,17 +14,23 @@ # Each test runs in isolation: the client is instantiated in each example to # guarantee a clean, stateless call. describe 'Zitadel SettingsService (Personal Access Token)' do - it 'retrieves general settings with valid token' do - client = ZitadelClient::Zitadel.with_access_token( - ENV.fetch('BASE_URL') { raise 'BASE_URL not set' }, - ENV.fetch('AUTH_TOKEN') { raise 'AUTH_TOKEN not set' } + let(:base_url) { ENV.fetch('BASE_URL') { raise 'BASE_URL not set' } } + let(:valid_token) { ENV.fetch('AUTH_TOKEN') { raise 'AUTH_TOKEN not set' } } + let(:zitadel_client) do + ZitadelClient::Zitadel.with_access_token( + base_url, + valid_token ) + end + + it 'retrieves general settings with valid token' do + client = zitadel_client client.settings.settings_service_get_general_settings end it 'raises an ApiError with invalid token' do client = ZitadelClient::Zitadel.with_access_token( - ENV.fetch('BASE_URL') { raise 'BASE_URL not set' }, + base_url, 'invalid' ) assert_raises(ZitadelClient::ApiError) do 
diff --git a/spec/auth/use_client_credentials_spec.rb b/spec/auth/use_client_credentials_spec.rb index ce87bdec..85d236c6 100644 --- a/spec/auth/use_client_credentials_spec.rb +++ b/spec/auth/use_client_credentials_spec.rb @@ -14,18 +14,25 @@ # Each test runs in isolation: the client is instantiated in each example to # guarantee a clean, stateless call. describe 'Zitadel SettingsService (Client Credentials)' do - it 'retrieves general settings with valid credentials' do - client = ZitadelClient::Zitadel.with_client_credentials( - ENV.fetch('BASE_URL') { raise 'BASE_URL not set' }, - ENV.fetch('CLIENT_ID') { raise 'CLIENT_ID not set' }, - ENV.fetch('CLIENT_SECRET') { raise 'CLIENT_SECRET not set' } + let(:base_url) { ENV.fetch('BASE_URL') { raise 'BASE_URL not set' } } + let(:client_id) { ENV.fetch('CLIENT_ID') { raise 'CLIENT_ID not set' } } + let(:client_secret) { ENV.fetch('CLIENT_SECRET') { raise 'CLIENT_SECRET not set' } } + let(:zitadel_client) do + ZitadelClient::Zitadel.with_client_credentials( + base_url, + client_id, + client_secret ) + end + + it 'retrieves general settings with valid credentials' do + client = zitadel_client client.settings.settings_service_get_general_settings end it 'raises an ApiError with invalid credentials' do client = ZitadelClient::Zitadel.with_client_credentials( - ENV.fetch('BASE_URL') { raise 'BASE_URL not set' }, + base_url, 'invalid', 'invalid' ) diff --git a/spec/auth/use_private_key_spec.rb b/spec/auth/use_private_key_spec.rb index 7b0e1b0c..d8905fc8 100644 --- a/spec/auth/use_private_key_spec.rb +++ b/spec/auth/use_private_key_spec.rb 
@@ -15,34 +15,30 @@ # Each test runs in isolation: the client is instantiated in each example to # guarantee a clean, stateless call. describe 'Zitadel SettingsService (Private Key Assertion)' do - before do - @jwt_file = Tempfile.new(%w[jwt .json]) - @jwt_file.write( - ENV.fetch('JWT_KEY') { raise 'JWT_KEY not set' } + let(:base_url) { ENV.fetch('BASE_URL') { raise 'BASE_URL not set' } } + let(:jwt_file) do + file = Tempfile.new(%w[jwt .json]) + file.write(ENV.fetch('JWT_KEY') { raise 'JWT_KEY not set' }) + file.flush + file.close + file + end + let(:zitadel_client) do + ZitadelClient::Zitadel.with_private_key( + base_url, + jwt_file.path ) - @jwt_file.flush - @jwt_file.close end it 'retrieves general settings with valid private key' do - jwt_file = Tempfile.new(%w[jwt .json]) - jwt_file.write( - ENV.fetch('JWT_KEY') { raise 'JWT_KEY not set' } - ) - jwt_file.flush - jwt_file.close - - client = ZitadelClient::Zitadel.with_private_key( - ENV.fetch('BASE_URL') { raise 'BASE_URL not set' }, - @jwt_file.path - ) + client = zitadel_client client.settings.settings_service_get_general_settings end it 'raises an ApiError with invalid private key' do client = ZitadelClient::Zitadel.with_private_key( 'https://zitadel.cloud', - @jwt_file.path + jwt_file.path ) assert_raises(ZitadelClient::ApiError) do client.settings.settings_service_get_general_settings diff --git a/spec/validate_session_service_spec.rb b/spec/check_session_service_spec.rb similarity index 73% rename from spec/validate_session_service_spec.rb rename to spec/check_session_service_spec.rb index d73e2c0e..a2fced1d 100644 --- a/spec/validate_session_service_spec.rb +++ b/spec/check_session_service_spec.rb 
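Review bot: `let(:jwt_file)` writes the service-account key from `JWT_KEY` to a temp file for every example and nothing removes it; `file.close` keeps the file on disk and deletion is left to the Tempfile finalizer. Add explicit cleanup, `after { jwt_file.unlink }`, so the key material does not outlive the example if the process is killed or the finalizer never runs.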
@@ -18,36 +18,39 @@ require_relative 'spec_helper' require 'securerandom' -VALID_TOKEN = ENV.fetch('AUTH_TOKEN') -BASE_URL = ENV.fetch('BASE_URL') -CLIENT = ZitadelClient::Zitadel.with_access_token(BASE_URL, VALID_TOKEN) - describe 'Zitadel SessionService' do - # Setup: create a fresh session before each test example + let(:base_url) { ENV.fetch('BASE_URL') { raise 'BASE_URL not set' } } + let(:valid_token) { ENV.fetch('AUTH_TOKEN') { raise 'AUTH_TOKEN not set' } } + let(:client) do + ZitadelClient::Zitadel.with_access_token( + base_url, + valid_token + ) + end + before do - req = ZitadelClient::SessionServiceCreateSessionRequest.new( + req = ZitadelClient::SessionServiceCreateSessionRequest.new( checks: ZitadelClient::SessionServiceChecks.new( user: ZitadelClient::SessionServiceCheckUser.new(login_name: 'johndoe') ), lifetime: '18000s' ) - resp = CLIENT.sessions.session_service_create_session(req) + resp = client.sessions.session_service_create_session(req) @session_id = resp.session_id @session_token = resp.session_token end - # Teardown: delete the session after each test example after do delete_req = ZitadelClient::SessionServiceDeleteSessionBody.new begin - CLIENT.sessions.session_service_delete_session(@session_id, delete_req) + client.sessions.session_service_delete_session(@session_id, delete_req) rescue StandardError # Ignore cleanup errors end end it 'retrieves the session details by the session identifier' do - response = CLIENT.sessions.session_service_get_session( + response = client.sessions.session_service_get_session( @session_id, session_token: @session_token ) @@ -56,7 +59,7 @@ it 'raises an error when retrieving a non-existent session' do assert_raises(ZitadelClient::ApiError) do - CLIENT.sessions.session_service_get_session( + client.sessions.session_service_get_session( SecureRandom.uuid, session_token: @session_token ) 
@@ -65,15 +68,13 @@ it 'includes the created session when listing all sessions' do request = ZitadelClient::SessionServiceListSessionsRequest.new(queries: []) - response = CLIENT.sessions.session_service_list_sessions( - request - ) + response = client.sessions.session_service_list_sessions(request) _(response.sessions.map(&:id)).must_include @session_id end it 'updates the session lifetime and returns a new token' do request = ZitadelClient::SessionServiceSetSessionRequest.new(lifetime: '36000s') - response = CLIENT.sessions.session_service_set_session( + response = client.sessions.session_service_set_session( @session_id, request ) diff --git a/spec/validate_user_service_spec.rb b/spec/check_user_service_spec.rb similarity index 70% rename from spec/validate_user_service_spec.rb rename to spec/check_user_service_spec.rb index d8644743..c71c240b 100644 --- a/spec/validate_user_service_spec.rb +++ b/spec/check_user_service_spec.rb @@ -18,11 +18,16 @@ # Each test runs in isolation: a new user is created in `before` and deleted in # `after` to ensure a clean state. -VALID_TOKEN = ENV.fetch('AUTH_TOKEN') -BASE_URL = ENV.fetch('BASE_URL') -CLIENT = ZitadelClient::Zitadel.with_access_token(BASE_URL, VALID_TOKEN) - describe 'Zitadel UserService' do + let(:base_url) { ENV.fetch('BASE_URL') { raise 'BASE_URL not set' } } + let(:valid_token) { ENV.fetch('AUTH_TOKEN') { raise 'AUTH_TOKEN not set' } } + let(:client) do + ZitadelClient::Zitadel.with_access_token( + base_url, + valid_token + ) + end + before do request = ZitadelClient::UserServiceAddHumanUserRequest.new( username: SecureRandom.hex, 
@@ -35,40 +40,40 @@ ) ) - @user = CLIENT.users.user_service_add_human_user(request) + @user = client.users.user_service_add_human_user(request) end after do - CLIENT.users.user_service_delete_user(@user.user_id) + client.users.user_service_delete_user(@user.user_id) rescue StandardError # Ignore cleanup errors end it 'retrieves the user details by ID' do - response = CLIENT.users.user_service_get_user_by_id(@user.user_id) + response = client.users.user_service_get_user_by_id(@user.user_id) _(response.user.user_id).must_equal @user.user_id end it 'raises an error when retrieving a non-existent user' do assert_raises(ZitadelClient::ApiError) do - CLIENT.users.user_service_get_user_by_id(SecureRandom.uuid) + client.users.user_service_get_user_by_id(SecureRandom.uuid) end end it 'includes the created user when listing all users' do request = ZitadelClient::UserServiceListUsersRequest.new(queries: []) - response = CLIENT.users.user_service_list_users(request) + response = client.users.user_service_list_users(request) _(response.result.map(&:user_id)).must_include @user.user_id end it "updates the user's email and reflects the change" do - new_email = "updated#{SecureRandom.hex}@example.com" + new_email = "updated#{SecureRandom.hex}@example.com" update_req = ZitadelClient::UserServiceUpdateHumanUserRequest.new( email: ZitadelClient::UserServiceSetHumanEmail.new(email: new_email) ) - CLIENT.users.user_service_update_human_user(@user.user_id, update_req) + client.users.user_service_update_human_user(@user.user_id, update_req) - response = CLIENT.users.user_service_get_user_by_id(@user.user_id) + response = client.users.user_service_get_user_by_id(@user.user_id) _(response.user.human.email.email).must_equal new_email end end