diff --git a/EnvelopeGenerator.GeneratorAPI/Extensions/EnvelopeAuthExtensions.cs b/EnvelopeGenerator.GeneratorAPI/Extensions/EnvelopeAuthExtensions.cs
new file mode 100644
index 00000000..48b2edb6
--- /dev/null
+++ b/EnvelopeGenerator.GeneratorAPI/Extensions/EnvelopeAuthExtensions.cs
@@ -0,0 +1,87 @@
+using System.Security.Claims;
+using EnvelopeGenerator.Application.Common.Dto.EnvelopeReceiver;
+using Microsoft.AspNetCore.Authentication;
+using Microsoft.AspNetCore.Authentication.Cookies;
+
+namespace EnvelopeGenerator.GeneratorAPI.Extensions;
+
+///
+/// Provides helper methods for working with envelope-specific authentication claims.
+///
+public static class EnvelopeAuthExtensions
+{
+ ///
+ /// Retrieves a claim value by type.
+ ///
+ /// The current claims principal.
+ /// The claim type to resolve.
+ /// The claim value or null when missing.
+ public static string? GetClaimValue(this ClaimsPrincipal user, string claimType) => user.FindFirstValue(claimType);
+
+ ///
+ /// Gets the authenticated envelope UUID from the claims.
+ ///
+ public static string? GetAuthEnvelopeUuid(this ClaimsPrincipal user) => user.FindFirstValue(ClaimTypes.NameIdentifier);
+
+ ///
+ /// Gets the authenticated receiver signature from the claims.
+ ///
+ public static string? GetAuthReceiverSignature(this ClaimsPrincipal user) => user.FindFirstValue(ClaimTypes.Hash);
+
+ ///
+ /// Gets the authenticated receiver display name from the claims.
+ ///
+ public static string? GetAuthReceiverName(this ClaimsPrincipal user) => user.FindFirstValue(ClaimTypes.Name);
+
+ ///
+ /// Gets the authenticated receiver email address from the claims.
+ ///
+ public static string? GetAuthReceiverMail(this ClaimsPrincipal user) => user.FindFirstValue(ClaimTypes.Email);
+
+ ///
+ /// Gets the authenticated envelope title from the claims.
+ ///
+ public static string? GetAuthEnvelopeTitle(this ClaimsPrincipal user) => user.FindFirstValue(EnvelopeClaimTypes.Title);
+
+ ///
+ /// Gets the authenticated envelope identifier from the claims.
+ ///
+ public static int? GetAuthEnvelopeId(this ClaimsPrincipal user)
+ {
+ var envIdStr = user.FindFirstValue(EnvelopeClaimTypes.Id);
+ return int.TryParse(envIdStr, out var envId) ? envId : null;
+ }
+
+ ///
+ /// Signs in an envelope receiver using cookie authentication and attaches envelope claims.
+ ///
+ /// The current HTTP context.
+ /// Envelope receiver DTO to extract claims from.
+ /// Role to attach to the authentication ticket.
+ public static async Task SignInEnvelopeAsync(this HttpContext context, EnvelopeReceiverDto envelopeReceiver, string receiverRole)
+ {
+ var claims = new List
+ {
+ new(ClaimTypes.NameIdentifier, envelopeReceiver.Envelope!.Uuid),
+ new(ClaimTypes.Hash, envelopeReceiver.Receiver!.Signature),
+ new(ClaimTypes.Name, envelopeReceiver.Name ?? string.Empty),
+ new(ClaimTypes.Email, envelopeReceiver.Receiver.EmailAddress),
+ new(EnvelopeClaimTypes.Title, envelopeReceiver.Envelope.Title),
+ new(EnvelopeClaimTypes.Id, envelopeReceiver.Envelope.Id.ToString()),
+ new(ClaimTypes.Role, receiverRole)
+ };
+
+ var claimsIdentity = new ClaimsIdentity(claims, CookieAuthenticationDefaults.AuthenticationScheme);
+
+ var authProperties = new AuthenticationProperties
+ {
+ AllowRefresh = false,
+ IsPersistent = false
+ };
+
+ await context.SignInAsync(
+ CookieAuthenticationDefaults.AuthenticationScheme,
+ new ClaimsPrincipal(claimsIdentity),
+ authProperties);
+ }
+}