diff --git a/internal/api/tenant_user_membership_test.go b/internal/api/tenant_user_membership_test.go
new file mode 100644
index 000000000..bcf976f5b
--- /dev/null
+++ b/internal/api/tenant_user_membership_test.go
@@ -0,0 +1,121 @@
+package api
+
+import (
+	"encoding/json"
+	"net/http"
+	"net/http/httptest"
+	"strings"
+	"testing"
+	"time"
+
+	"github.com/rcourtman/pulse-go-rewrite/internal/config"
+	"github.com/rcourtman/pulse-go-rewrite/internal/models"
+	internalauth "github.com/rcourtman/pulse-go-rewrite/pkg/auth"
+)
+
+func TestTenantMiddlewareAllowsMemberSession(t *testing.T) {
+	defer SetMultiTenantEnabled(false)
+	SetMultiTenantEnabled(true)
+	// Dev mode enables license checks for multi-tenant features.
+	t.Setenv("PULSE_DEV", "true")
+
+	dataDir := t.TempDir()
+	hashed, err := internalauth.HashPassword("Password!1")
+	if err != nil {
+		t.Fatalf("hash password: %v", err)
+	}
+
+	cfg := &config.Config{
+		DataPath:   dataDir,
+		ConfigPath: dataDir,
+		AuthUser:   "admin",
+		AuthPass:   hashed,
+	}
+
+	org := &models.Organization{
+		ID:          "org-a",
+		DisplayName: "Org A",
+		OwnerUserID: "alice",
+		Members: []models.OrganizationMember{
+			{UserID: "alice", Role: models.OrgRoleOwner, AddedAt: time.Now()},
+		},
+	}
+	mtp := config.NewMultiTenantPersistence(dataDir)
+	if err := mtp.SaveOrganization(org); err != nil {
+		t.Fatalf("save organization: %v", err)
+	}
+
+	router := NewRouter(cfg, nil, nil, nil, nil, "1.0.0")
+
+	sessionToken := "member-session-token"
+	GetSessionStore().CreateSession(sessionToken, time.Hour, "agent", "127.0.0.1", "alice")
+
+	req := httptest.NewRequest(http.MethodGet, "/api/config", nil)
+	req.Header.Set("X-Pulse-Org-ID", "org-a")
+	req.AddCookie(&http.Cookie{Name: "pulse_session", Value: sessionToken})
+	rec := httptest.NewRecorder()
+	router.Handler().ServeHTTP(rec, req)
+
+	if rec.Code != http.StatusOK {
+		t.Fatalf("expected 200 for org member, got %d", rec.Code)
+	}
+}
+
+func TestTenantMiddlewareRejectsNonMemberSession(t *testing.T) {
+	defer SetMultiTenantEnabled(false)
+	SetMultiTenantEnabled(true)
+	// Dev mode enables license checks for multi-tenant features.
+	t.Setenv("PULSE_DEV", "true")
+
+	dataDir := t.TempDir()
+	hashed, err := internalauth.HashPassword("Password!1")
+	if err != nil {
+		t.Fatalf("hash password: %v", err)
+	}
+
+	cfg := &config.Config{
+		DataPath:   dataDir,
+		ConfigPath: dataDir,
+		AuthUser:   "admin",
+		AuthPass:   hashed,
+	}
+
+	org := &models.Organization{
+		ID:          "org-a",
+		DisplayName: "Org A",
+		OwnerUserID: "alice",
+		Members: []models.OrganizationMember{
+			{UserID: "alice", Role: models.OrgRoleOwner, AddedAt: time.Now()},
+		},
+	}
+	mtp := config.NewMultiTenantPersistence(dataDir)
+	if err := mtp.SaveOrganization(org); err != nil {
+		t.Fatalf("save organization: %v", err)
+	}
+
+	router := NewRouter(cfg, nil, nil, nil, nil, "1.0.0")
+
+	sessionToken := "nonmember-session-token"
+	GetSessionStore().CreateSession(sessionToken, time.Hour, "agent", "127.0.0.1", "bob")
+
+	req := httptest.NewRequest(http.MethodGet, "/api/config", nil)
+	req.Header.Set("X-Pulse-Org-ID", "org-a")
+	req.AddCookie(&http.Cookie{Name: "pulse_session", Value: sessionToken})
+	rec := httptest.NewRecorder()
+	router.Handler().ServeHTTP(rec, req)
+
+	if rec.Code != http.StatusForbidden {
+		t.Fatalf("expected 403 for non-member, got %d", rec.Code)
+	}
+
+	var payload map[string]string
+	if err := json.Unmarshal(rec.Body.Bytes(), &payload); err != nil {
+		t.Fatalf("decode response: %v", err)
+	}
+	if payload["error"] != "access_denied" {
+		t.Fatalf("expected error=access_denied, got %q", payload["error"])
+	}
+	if msg := payload["message"]; msg == "" || !strings.Contains(msg, "member") {
+		t.Fatalf("expected member access denied message, got %q", msg)
+	}
+}