diff --git a/tests/settings/user-lifecycle.spec.ts b/tests/settings/user-lifecycle.spec.ts
index cd4277aa..92293975 100644
--- a/tests/settings/user-lifecycle.spec.ts
+++ b/tests/settings/user-lifecycle.spec.ts
@@ -137,8 +137,10 @@ async function createUserViaApi(
   page: import('@playwright/test').Page,
   user: { email: string; name: string; password: string; role: 'admin' | 'user' | 'guest' }
 ): Promise<{ id: string | number; email: string }> {
+  const token = await getAuthToken(page);
   const response = await page.request.post('/api/v1/users', {
     data: user,
+    headers: { Authorization: `Bearer ${token}` },
   });
 
   expect(response.ok()).toBe(true);
@@ -176,15 +178,28 @@ async function loginWithCredentials(
   await emailInput.fill(email);
   await passwordInput.fill(password);
 
-  const loginResponse = page.waitForResponse(
-    (response) => response.url().includes('/api/v1/auth/login') && response.request().method() === 'POST',
-    { timeout: 15000 }
-  );
+  const maxAttempts = 3;
+  for (let attempt = 1; attempt <= maxAttempts; attempt += 1) {
+    const loginResponse = page.waitForResponse(
+      (response) => response.url().includes('/api/v1/auth/login') && response.request().method() === 'POST',
+      { timeout: 15000 }
+    );
 
-  await page.getByRole('button', { name: /login|sign in/i }).first().click();
-  const response = await loginResponse;
-  expect(response.ok()).toBe(true);
-  await waitForLoadingComplete(page, { timeout: 15000 });
+    await page.getByRole('button', { name: /login|sign in/i }).first().click();
+    const response = await loginResponse;
+
+    if (response.ok()) {
+      await waitForLoadingComplete(page, { timeout: 15000 });
+      return;
+    }
+
+    if (response.status() === 429 && attempt < maxAttempts) {
+      continue;
+    }
+
+    const bodyText = await response.text().catch(() => '');
+    throw new Error(`Login failed: ${response.status()} ${bodyText}`);
+  }
 }
 
 async function loginWithCredentialsExpectFailure(
@@ -240,35 +255,7 @@ test.describe('Admin-User E2E Workflow', () => {
     await resetSecurityState(page);
     adminEmail = adminUser.email;
     await loginUser(page, adminUser);
-    const meResponse = await page.request.get('/api/v1/auth/me');
-    expect(meResponse.ok()).toBe(true);
     await waitForLoadingComplete(page, { timeout: 15000 });
-
-    const token = await getAuthToken(page);
-    await expect.poll(async () => {
-      const statusResponse = await page.request.get('/api/v1/security/status', {
-        headers: { Authorization: `Bearer ${token}` },
-      });
-      if (!statusResponse.ok()) {
-        return 'status-unavailable';
-      }
-
-      const status = await statusResponse.json();
-      return JSON.stringify({
-        acl: Boolean(status?.acl?.enabled),
-        waf: Boolean(status?.waf?.enabled),
-        rateLimit: Boolean(status?.rate_limit?.enabled),
-        crowdsec: Boolean(status?.crowdsec?.enabled),
-      });
-    }, {
-      timeout: 10000,
-      message: 'Expected security modules to be disabled before user lifecycle test',
-    }).toBe(JSON.stringify({
-      acl: false,
-      waf: false,
-      rateLimit: false,
-      crowdsec: false,
-    }));
   });
 
   // Full user creation → role assignment → user login → resource access
@@ -592,6 +579,7 @@ test.describe('Admin-User E2E Workflow', () => {
     });
 
     await test.step('Verify session cleared', async () => {
+      await navigateToLogin(page);
       const emailInput = page.locator('input[type="email"]').or(page.getByLabel(/email/i)).first();
       await expect(emailInput).toBeVisible({ timeout: 15000 });