diff --git a/PRIVACY.md b/PRIVACY.md
index 02e8e151034..06257ae10d2 100644
--- a/PRIVACY.md
+++ b/PRIVACY.md
@@ -11,6 +11,7 @@ Roo Code respects your privacy and is committed to transparency about how we han
 - **Prompts & AI Requests**: When you use AI-powered features, your prompts and relevant project context are sent to your chosen AI model provider (e.g., OpenAI, Anthropic, OpenRouter) to generate responses. We do not store or process this data. These AI providers have their own privacy policies and may store data per their terms of service. If you choose Roo Code Cloud as the provider (proxy mode), prompts may transit Roo Code servers only to forward them to the upstream model and are not stored.
 - **API Keys & Credentials**: If you enter an API key (e.g., to connect an AI model), it is stored locally on your device and never sent to us or any third party, except the provider you have chosen.
 - **Telemetry (Usage Data)**: We collect anonymous feature usage and error data to help us improve Roo Code. This telemetry is powered by PostHog and includes your VS Code machine ID, feature usage patterns, and exception reports. This telemetry does **not** collect personally identifiable information, your code, or AI prompts. You can opt out of this telemetry at any time through the settings.
+- **Zoo Code Observability (Authenticated Subscribers Only):** If you sign in to Zoo Code and have an active subscription, Zoo Code will send LLM usage telemetry to the Zoo Code backend (zoocode.dev). This includes task ID, AI provider name, model name, token counts (input/output/cache), and estimated cost. This data is linked to your authenticated Zoo Code account. You can stop this collection at any time by signing out via the Zoo Code badge in the chat area.
 - **Marketplace Requests**: When you browse or search the Marketplace for Model Configuration Profiles (MCPs) or Custom Modes, Roo Code makes a secure API call to Roo Code's backend servers to retrieve listing information. These requests send only the query parameters (e.g., extension version, search term) necessary to fulfill the request and do not include your code, prompts, or personally identifiable information.
 
 ### **How We Use Your Data (If Collected)**
diff --git a/packages/types/src/vscode-extension-host.ts b/packages/types/src/vscode-extension-host.ts
index 53bc9567f77..202326eb016 100644
--- a/packages/types/src/vscode-extension-host.ts
+++ b/packages/types/src/vscode-extension-host.ts
@@ -372,6 +372,12 @@ export type ExtensionState = Pick<
 	mdmCompliant?: boolean
 	taskSyncEnabled: boolean
 	openAiCodexIsAuthenticated?: boolean
+	zooCodeIsAuthenticated?: boolean
+	zooCodeUserName?: string
+	zooCodeUserEmail?: string
+	zooCodeUserImage?: string
+	zooCodeBaseUrl?: string
+	deviceName?: string
 	debug?: boolean
 
 	/**
@@ -505,6 +511,7 @@ export interface WebviewMessage {
 		| "rooCloudManualUrl"
 		| "openAiCodexSignIn"
 		| "openAiCodexSignOut"
+		| "zooCodeSignOut"
 		| "switchOrganization"
 		| "condenseTaskContextRequest"
 		| "requestIndexingStatus"
diff --git a/src/activate/__tests__/handleUri.spec.ts b/src/activate/__tests__/handleUri.spec.ts
index 73a0f6cf256..187d9eeeba3 100644
--- a/src/activate/__tests__/handleUri.spec.ts
+++ b/src/activate/__tests__/handleUri.spec.ts
@@ -6,22 +6,39 @@ vi.mock("vscode", () => ({
 
 import * as vscode from "vscode"
 
-import { handleUri } from "../handleUri"
+const { mockGetVisibleInstance, mockHandleZooCodeAuthCallback, mockSetZooCodeUserInfo, mockVisibleProvider } =
+	vi.hoisted(() => {
+		const mockVisibleProvider = {
+			handleOpenRouterCallback: vi.fn(),
+			handleRequestyCallback: vi.fn(),
+			handleZooCodeCallback: vi.fn(),
+		} as any
 
-const mockVisibleProvider = {
-	handleOpenRouterCallback: vi.fn(),
-	handleRequestyCallback: vi.fn(),
-} as any
+		return {
+			mockGetVisibleInstance: vi.fn(() => mockVisibleProvider),
+			mockHandleZooCodeAuthCallback: vi.fn(),
+			mockSetZooCodeUserInfo: vi.fn(),
+			mockVisibleProvider,
+		}
+	})
 
 vi.mock("../../core/webview/ClineProvider", () => ({
 	ClineProvider: {
-		getVisibleInstance: vi.fn(() => mockVisibleProvider),
+		getVisibleInstance: mockGetVisibleInstance,
 	},
 }))
 
+vi.mock("../../services/zoo-code-auth", () => ({
+	handleAuthCallback: mockHandleZooCodeAuthCallback,
+	setZooCodeUserInfo: mockSetZooCodeUserInfo,
+}))
+
+import { handleUri } from "../handleUri"
+
 describe("handleUri", () => {
 	beforeEach(() => {
 		vi.clearAllMocks()
+		mockGetVisibleInstance.mockReturnValue(mockVisibleProvider)
 	})
 
 	it("ignores legacy cloud auth callback", async () => {
@@ -36,4 +53,67 @@ describe("handleUri", () => {
 			"Roo Code Cloud sign-in is currently unavailable. Configure another provider to continue.",
 		)
 	})
+
+	it("stores callback user info even when no webview is visible", async () => {
+		mockGetVisibleInstance.mockReturnValue(null)
+		mockHandleZooCodeAuthCallback.mockResolvedValue(true)
+
+		await handleUri({
+			path: "/auth-callback",
+			query: "token=zoo_ext_test_token&name=Jane%20Doe&email=jane%40example.com&image=https%3A%2F%2Fexample.com%2Favatar.png",
+		} as any)
+
+		expect(mockHandleZooCodeAuthCallback).toHaveBeenCalledWith("zoo_ext_test_token")
+		expect(mockSetZooCodeUserInfo).toHaveBeenCalledWith({
+			name: "Jane Doe",
+			email: "jane@example.com",
+			image: "https://example.com/avatar.png",
+		})
+		expect(mockVisibleProvider.handleZooCodeCallback).not.toHaveBeenCalled()
+	})
+
+	it("refreshes the visible provider after a successful auth callback", async () => {
+		mockHandleZooCodeAuthCallback.mockResolvedValue(true)
+
+		await handleUri({
+			path: "/auth-callback",
+			query: "token=zoo_ext_test_token",
+		} as any)
+
+		// When no user info is provided, null values are passed to clear stale data
+		expect(mockSetZooCodeUserInfo).toHaveBeenCalledWith({
+			name: null,
+			email: null,
+			image: null,
+		})
+		expect(mockVisibleProvider.handleZooCodeCallback).toHaveBeenCalledWith("zoo_ext_test_token")
+	})
+
+	it("clears stale user info fields when re-authing with missing fields", async () => {
+		mockHandleZooCodeAuthCallback.mockResolvedValue(true)
+
+		// Re-auth with only name - email and image should be cleared
+		await handleUri({
+			path: "/auth-callback",
+			query: "token=zoo_ext_test_token&name=John%20Doe",
+		} as any)
+
+		expect(mockSetZooCodeUserInfo).toHaveBeenCalledWith({
+			name: "John Doe",
+			email: null,
+			image: null,
+		})
+	})
+
+	it("does not persist user info when auth callback validation fails", async () => {
+		mockHandleZooCodeAuthCallback.mockResolvedValue(false)
+
+		await handleUri({
+			path: "/auth-callback",
+			query: "token=zoo_ext_test_token&name=Jane%20Doe",
+		} as any)
+
+		expect(mockSetZooCodeUserInfo).not.toHaveBeenCalled()
+		expect(mockVisibleProvider.handleZooCodeCallback).not.toHaveBeenCalled()
+	})
 })
diff --git a/src/activate/handleUri.ts b/src/activate/handleUri.ts
index fc95aa5e48f..523d254bc3d 100644
--- a/src/activate/handleUri.ts
+++ b/src/activate/handleUri.ts
@@ -2,18 +2,16 @@ import * as vscode from "vscode"
 
 import { getRouterUnavailableSignInMessage } from "../core/config/routerRemoval"
 import { ClineProvider } from "../core/webview/ClineProvider"
+import { handleAuthCallback as handleZooCodeAuthCallback, setZooCodeUserInfo } from "../services/zoo-code-auth"
 
 export const handleUri = async (uri: vscode.Uri) => {
 	const path = uri.path
 	const query = new URLSearchParams(uri.query.replace(/\+/g, "%2B"))
 	const visibleProvider = ClineProvider.getVisibleInstance()
 
-	if (!visibleProvider) {
-		return
-	}
-
 	switch (path) {
 		case "/openrouter": {
+			if (!visibleProvider) return
 			const code = query.get("code")
 			if (code) {
 				await visibleProvider.handleOpenRouterCallback(code)
@@ -21,6 +19,7 @@ export const handleUri = async (uri: vscode.Uri) => {
 			break
 		}
 		case "/requesty": {
+			if (!visibleProvider) return
 			const code = query.get("code")
 			const baseUrl = query.get("baseUrl")
 			if (code) {
@@ -32,6 +31,33 @@ export const handleUri = async (uri: vscode.Uri) => {
 			vscode.window.showInformationMessage(getRouterUnavailableSignInMessage())
 			break
 		}
+		case "/auth-callback": {
+			const token = query.get("token")
+			if (token) {
+				// Extract user info from callback URL params
+				// URLSearchParams.get() already decodes percent-encoded values - no need for decodeURIComponent
+				// Use null (not undefined) for missing values to actively clear stale data
+				const name = query.get("name") ?? null
+				const email = query.get("email") ?? null
+				const image = query.get("image") ?? null
+
+				const success = await handleZooCodeAuthCallback(token)
+				if (success) {
+					// Store user info after successful auth validation (regardless of webview visibility)
+					// Always call setZooCodeUserInfo to clear stale data when fields are missing
+					await setZooCodeUserInfo({
+						name,
+						email,
+						image,
+					})
+					// Refresh webview state if a panel is currently open
+					if (visibleProvider) {
+						await visibleProvider.handleZooCodeCallback(token)
+					}
+				}
+			}
+			break
+		}
 		default:
 			break
 	}
diff --git a/src/core/task/Task.ts b/src/core/task/Task.ts
index 6f630b8b8ed..26b72957296 100644
--- a/src/core/task/Task.ts
+++ b/src/core/task/Task.ts
@@ -3076,7 +3076,10 @@ export class Task extends EventEmitter<TaskEvents> implements TaskLike {
 						total: totalCost,
 					}
 
-					const drainStreamInBackgroundToFindAllUsage = async (apiReqIndex: number) => {
+					const drainStreamInBackgroundToFindAllUsage = async (
+						apiReqIndex: number,
+						status: "completed" | "cancelled" = "completed",
+					) => {
 						const timeoutMs = DEFAULT_USAGE_COLLECTION_TIMEOUT_MS
 						const startTime = performance.now()
 						const modelId = getModelId(this.apiConfiguration)
@@ -3098,6 +3101,7 @@ export class Task extends EventEmitter<TaskEvents> implements TaskLike {
 								total?: number
 							},
 							messageIndex: number = apiReqIndex,
+							status: "completed" | "cancelled" = "completed",
 						) => {
 							if (
 								tokens.input > 0 ||
@@ -3155,6 +3159,27 @@ export class Task extends EventEmitter<TaskEvents> implements TaskLike {
 									cacheReadTokens: tokens.cacheRead,
 									cost: tokens.total ?? costResult.totalCost,
 								})
+
+								// Zoo Code observability telemetry
+								import("../../services/zoo-telemetry")
+									.then(async ({ sendLlmTelemetry }) => {
+										const mode = await this.getTaskMode().catch(() => "unknown")
+										return sendLlmTelemetry({
+											taskId: this.taskId,
+											provider: this.apiConfiguration?.apiProvider ?? "unknown",
+											model: this.apiConfiguration
+												? (getModelId(this.apiConfiguration) ?? "unknown")
+												: "unknown",
+											mode,
+											inputTokens: costResult.totalInputTokens,
+											outputTokens: costResult.totalOutputTokens,
+											cacheReadTokens: tokens.cacheRead ?? 0,
+											cacheWriteTokens: tokens.cacheWrite ?? 0,
+											totalCost: tokens.total ?? costResult.totalCost,
+											status,
+										}).catch(() => {})
+									})
+									.catch(() => {})
 							}
 						}
 
@@ -3208,6 +3233,7 @@ export class Task extends EventEmitter<TaskEvents> implements TaskLike {
 										total: bgTotalCost,
 									},
 									lastApiReqIndex,
+									status,
 								)
 							} else {
 								console.warn(
@@ -3232,13 +3258,18 @@ export class Task extends EventEmitter<TaskEvents> implements TaskLike {
 										total: bgTotalCost,
 									},
 									lastApiReqIndex,
+									status,
 								)
 							}
 						}
 					}
 
 					// Start the background task and handle any errors
-					drainStreamInBackgroundToFindAllUsage(lastApiReqIndex).catch((error) => {
+					// Pass "cancelled" status if the task was aborted by the user
+					drainStreamInBackgroundToFindAllUsage(
+						lastApiReqIndex,
+						this.abort ? "cancelled" : "completed",
+					).catch((error) => {
 						console.error("Background usage collection failed:", error)
 					})
 				} catch (error) {
diff --git a/src/core/webview/ClineProvider.ts b/src/core/webview/ClineProvider.ts
index 293b04bc137..ed26a101eff 100644
--- a/src/core/webview/ClineProvider.ts
+++ b/src/core/webview/ClineProvider.ts
@@ -240,8 +240,9 @@ export class ClineProvider
 
 			// Create named listener functions so we can remove them later.
 			const onTaskStarted = () => this.emit(RooCodeEventName.TaskStarted, instance.taskId)
-			const onTaskCompleted = (taskId: string, tokenUsage: TokenUsage, toolUsage: ToolUsage) =>
+			const onTaskCompleted = (taskId: string, tokenUsage: TokenUsage, toolUsage: ToolUsage) => {
 				this.emit(RooCodeEventName.TaskCompleted, taskId, tokenUsage, toolUsage)
+			}
 			const onTaskAborted = async () => {
 				this.emit(RooCodeEventName.TaskAborted, instance.taskId)
 
@@ -1197,7 +1198,7 @@ export class ClineProvider
 			"default-src 'none'",
 			`font-src ${webview.cspSource} data:`,
 			`style-src ${webview.cspSource} 'unsafe-inline' https://* http://${localServerUrl} http://0.0.0.0:${localPort}`,
-			`img-src ${webview.cspSource} https://storage.googleapis.com https://img.clerk.com data:`,
+			`img-src ${webview.cspSource} https://storage.googleapis.com https://img.clerk.com https://avatars.githubusercontent.com https://lh3.googleusercontent.com data:`,
 			`media-src ${webview.cspSource}`,
 			`script-src 'unsafe-eval' ${webview.cspSource} https://* https://*.posthog.com http://${localServerUrl} http://0.0.0.0:${localPort} 'nonce-${nonce}'`,
 			`connect-src ${webview.cspSource} ${openRouterDomain} https://* https://*.posthog.com ws://${localServerUrl} ws://0.0.0.0:${localPort} http://${localServerUrl} http://0.0.0.0:${localPort}`,
@@ -1288,7 +1289,7 @@ export class ClineProvider
             <meta charset="utf-8">
             <meta name="viewport" content="width=device-width,initial-scale=1,shrink-to-fit=no">
             <meta name="theme-color" content="#000000">
-            <meta http-equiv="Content-Security-Policy" content="default-src 'none'; font-src ${webview.cspSource} data:; style-src ${webview.cspSource} 'unsafe-inline'; img-src ${webview.cspSource} https://storage.googleapis.com https://img.clerk.com data:; media-src ${webview.cspSource}; script-src ${webview.cspSource} 'wasm-unsafe-eval' 'nonce-${nonce}' https://ph.roocode.com 'strict-dynamic'; connect-src ${webview.cspSource} ${openRouterDomain} https://api.requesty.ai https://ph.roocode.com;">
+            <meta http-equiv="Content-Security-Policy" content="default-src 'none'; font-src ${webview.cspSource} data:; style-src ${webview.cspSource} 'unsafe-inline'; img-src ${webview.cspSource} https://storage.googleapis.com https://img.clerk.com https://avatars.githubusercontent.com https://lh3.googleusercontent.com data:; media-src ${webview.cspSource}; script-src ${webview.cspSource} 'wasm-unsafe-eval' 'nonce-${nonce}' https://ph.roocode.com 'strict-dynamic'; connect-src ${webview.cspSource} ${openRouterDomain} https://api.requesty.ai https://ph.roocode.com;">
             <link rel="stylesheet" type="text/css" href="${stylesUri}">
 			<link href="${codiconsUri}" rel="stylesheet" />
 			<script nonce="${nonce}">
@@ -1681,6 +1682,15 @@ export class ClineProvider
 		await this.upsertProviderProfile(currentApiConfigName, newConfiguration)
 	}
 
+	// Zoo Code Auth (for observability telemetry)
+
+	async handleZooCodeCallback(_token: string) {
+		// Auth mutation (token storage, subscription check, success toast) was already
+		// performed by handleAuthCallback() in handleUri.ts before this method was called.
+		// This method only needs to refresh the webview state to reflect the new auth status.
+		await this.postStateToWebview()
+	}
+
 	// Requesty
 
 	async handleRequestyCallback(code: string, baseUrl: string | null) {
@@ -2156,6 +2166,38 @@ export class ClineProvider
 		const mergedDeniedCommands = this.mergeDeniedCommands(deniedCommands)
 		const cwd = this.cwd
 		const currentTask = this.getCurrentTask()
+		let zooCodeState: {
+			zooCodeIsAuthenticated: boolean
+			zooCodeUserName: string | undefined
+			zooCodeUserEmail: string | undefined
+			zooCodeUserImage: string | undefined
+			zooCodeBaseUrl: string
+			deviceName: string
+		} = {
+			zooCodeIsAuthenticated: false,
+			zooCodeUserName: undefined,
+			zooCodeUserEmail: undefined,
+			zooCodeUserImage: undefined,
+			zooCodeBaseUrl: "https://www.zoocode.dev",
+			deviceName: os.hostname(),
+		}
+
+		try {
+			const { isZooCodeAuthenticated, getCachedZooCodeUserInfo, getZooCodeBaseUrl } = await import(
+				"../../services/zoo-code-auth"
+			)
+			const userInfo = getCachedZooCodeUserInfo()
+			zooCodeState = {
+				zooCodeIsAuthenticated: await isZooCodeAuthenticated(),
+				zooCodeUserName: userInfo.name,
+				zooCodeUserEmail: userInfo.email,
+				zooCodeUserImage: userInfo.image,
+				zooCodeBaseUrl: getZooCodeBaseUrl(),
+				deviceName: os.hostname(),
+			}
+		} catch {
+			// Keep the default unauthenticated state if the optional Zoo Code auth service is unavailable.
+		}
 
 		return {
 			version: this.context.extension?.packageJSON?.version ?? "",
@@ -2279,6 +2321,7 @@ export class ClineProvider
 					return false
 				}
 			})(),
+			...zooCodeState,
 			debug: vscode.workspace.getConfiguration(Package.name).get<boolean>("debug", false),
 		}
 	}
diff --git a/src/core/webview/webviewMessageHandler.ts b/src/core/webview/webviewMessageHandler.ts
index ce58b2b33bd..4d6733f9811 100644
--- a/src/core/webview/webviewMessageHandler.ts
+++ b/src/core/webview/webviewMessageHandler.ts
@@ -2421,6 +2421,18 @@ export const webviewMessageHandler = async (
 			await provider.postStateToWebview()
 			break
 		}
+		case "zooCodeSignOut": {
+			try {
+				const { disconnectZooCode } = await import("../../services/zoo-code-auth")
+				await disconnectZooCode()
+				await provider.postStateToWebview()
+			} catch (error) {
+				provider.log(
+					`Failed to sign out of Zoo Code: ${error instanceof Error ? error.message : String(error)}`,
+				)
+			}
+			break
+		}
 		case "switchOrganization": {
 			try {
 				const organizationId = message.organizationId ?? null
diff --git a/src/extension.ts b/src/extension.ts
index 9b167bb2394..140b3ddb176 100644
--- a/src/extension.ts
+++ b/src/extension.ts
@@ -49,6 +49,7 @@ import {
 } from "./activate"
 import { initializeI18n } from "./i18n"
 import { initializeModelCacheRefresh } from "./api/providers/fetchers/modelCache"
+import { initZooCodeAuth } from "./services/zoo-code-auth"
 
 /**
  * Built using https://github.com/microsoft/vscode-webview-ui-toolkit
@@ -158,6 +159,9 @@ export async function activate(context: vscode.ExtensionContext) {
 	// Initialize OpenAI Codex OAuth manager for ChatGPT subscription-based access.
 	openAiCodexOAuthManager.initialize(context, (message) => outputChannel.appendLine(message))
 
+	// Initialize Zoo Code auth service for extension session token management.
+	await initZooCodeAuth(context)
+
 	// Get default commands from configuration.
 	const defaultCommands = vscode.workspace.getConfiguration(Package.name).get<string[]>("allowedCommands") || []
 
diff --git a/src/i18n/locales/ca/common.json b/src/i18n/locales/ca/common.json
index 59a36758039..ecaa4aab4dd 100644
--- a/src/i18n/locales/ca/common.json
+++ b/src/i18n/locales/ca/common.json
@@ -255,5 +255,17 @@
 	"docsLink": {
 		"label": "Docs",
 		"url": "https://docs.roocode.com"
+	},
+	"zooAuth": {
+		"errors": {
+			"invalid_token_received": "Zoo Code: S'ha rebut un token d'autenticació no vàlid.",
+			"token_verification_failed": "Zoo Code: Ha fallat la verificació del token.",
+			"invalid_token": "Zoo Code: Token no vàlid.",
+			"could_not_verify_token": "Zoo Code: No s'ha pogut verificar el token."
+		},
+		"info": {
+			"connected": "Zoo Code: Connectat correctament! Ara podeu utilitzar Zoo Code com a proveïdor d'IA.",
+			"disconnected": "Zoo Code: Desconnectat correctament."
+		}
 	}
 }
diff --git a/src/i18n/locales/de/common.json b/src/i18n/locales/de/common.json
index 2b0777e23cf..19695fb27b2 100644
--- a/src/i18n/locales/de/common.json
+++ b/src/i18n/locales/de/common.json
@@ -250,5 +250,17 @@
 	"docsLink": {
 		"label": "Docs",
 		"url": "https://docs.roocode.com"
+	},
+	"zooAuth": {
+		"errors": {
+			"invalid_token_received": "Zoo Code: Ungültiger Authentifizierungstoken empfangen.",
+			"token_verification_failed": "Zoo Code: Token-Überprüfung fehlgeschlagen.",
+			"invalid_token": "Zoo Code: Ungültiger Token.",
+			"could_not_verify_token": "Zoo Code: Token konnte nicht verifiziert werden."
+		},
+		"info": {
+			"connected": "Zoo Code: Erfolgreich verbunden! Du kannst Zoo Code jetzt als KI-Anbieter verwenden.",
+			"disconnected": "Zoo Code: Erfolgreich getrennt."
+		}
 	}
 }
diff --git a/src/i18n/locales/en/common.json b/src/i18n/locales/en/common.json
index 2bf02164559..5ad6da5fe96 100644
--- a/src/i18n/locales/en/common.json
+++ b/src/i18n/locales/en/common.json
@@ -247,5 +247,17 @@
 	"docsLink": {
 		"label": "Docs",
 		"url": "https://docs.roocode.com"
+	},
+	"zooAuth": {
+		"errors": {
+			"invalid_token_received": "Zoo Code: Invalid authentication token received.",
+			"token_verification_failed": "Zoo Code: Token verification failed.",
+			"invalid_token": "Zoo Code: Invalid token.",
+			"could_not_verify_token": "Zoo Code: Could not verify token."
+		},
+		"info": {
+			"connected": "Zoo Code: Successfully connected! You can now use Zoo Code as your AI provider.",
+			"disconnected": "Zoo Code: Disconnected successfully."
+		}
 	}
 }
diff --git a/src/i18n/locales/es/common.json b/src/i18n/locales/es/common.json
index da19260cb2d..3382d0a43e8 100644
--- a/src/i18n/locales/es/common.json
+++ b/src/i18n/locales/es/common.json
@@ -250,5 +250,17 @@
 	"docsLink": {
 		"label": "Docs",
 		"url": "https://docs.roocode.com"
+	},
+	"zooAuth": {
+		"errors": {
+			"invalid_token_received": "Zoo Code: Se recibió un token de autenticación inválido.",
+			"token_verification_failed": "Zoo Code: Error al verificar el token.",
+			"invalid_token": "Zoo Code: Token inválido.",
+			"could_not_verify_token": "Zoo Code: No se pudo verificar el token."
+		},
+		"info": {
+			"connected": "Zoo Code: ¡Conectado correctamente! Ahora puedes usar Zoo Code como proveedor de IA.",
+			"disconnected": "Zoo Code: Desconectado correctamente."
+		}
 	}
 }
diff --git a/src/i18n/locales/fr/common.json b/src/i18n/locales/fr/common.json
index d2815d5160a..857d8ea2d2f 100644
--- a/src/i18n/locales/fr/common.json
+++ b/src/i18n/locales/fr/common.json
@@ -255,5 +255,17 @@
 	"docsLink": {
 		"label": "Docs",
 		"url": "https://docs.roocode.com"
+	},
+	"zooAuth": {
+		"errors": {
+			"invalid_token_received": "Zoo Code: Jeton d'authentification invalide reçu.",
+			"token_verification_failed": "Zoo Code: La vérification du jeton a échoué.",
+			"invalid_token": "Zoo Code: Jeton invalide.",
+			"could_not_verify_token": "Zoo Code: Impossible de vérifier le jeton."
+		},
+		"info": {
+			"connected": "Zoo Code: Connecté avec succès ! Vous pouvez maintenant utiliser Zoo Code comme fournisseur d'IA.",
+			"disconnected": "Zoo Code: Déconnecté avec succès."
+		}
 	}
 }
diff --git a/src/i18n/locales/hi/common.json b/src/i18n/locales/hi/common.json
index ba3978cab02..d2945dda2e7 100644
--- a/src/i18n/locales/hi/common.json
+++ b/src/i18n/locales/hi/common.json
@@ -255,5 +255,17 @@
 	"docsLink": {
 		"label": "Docs",
 		"url": "https://docs.roocode.com"
+	},
+	"zooAuth": {
+		"errors": {
+			"invalid_token_received": "Zoo Code: अमान्य प्रमाणीकरण token प्राप्त हुआ।",
+			"token_verification_failed": "Zoo Code: Token सत्यापन विफल रहा।",
+			"invalid_token": "Zoo Code: अमान्य token।",
+			"could_not_verify_token": "Zoo Code: Token सत्यापित नहीं किया जा सका।"
+		},
+		"info": {
+			"connected": "Zoo Code: सफलतापूर्वक कनेक्ट हो गया! अब तुम Zoo Code को अपने AI प्रदाता के रूप में उपयोग कर सकते हो।",
+			"disconnected": "Zoo Code: सफलतापूर्वक डिस्कनेक्ट हो गया।"
+		}
 	}
 }
diff --git a/src/i18n/locales/id/common.json b/src/i18n/locales/id/common.json
index f315227b4ba..1953bd7a651 100644
--- a/src/i18n/locales/id/common.json
+++ b/src/i18n/locales/id/common.json
@@ -255,5 +255,17 @@
 	"docsLink": {
 		"label": "Docs",
 		"url": "https://docs.roocode.com"
+	},
+	"zooAuth": {
+		"errors": {
+			"invalid_token_received": "Zoo Code: Token autentikasi yang diterima tidak valid.",
+			"token_verification_failed": "Zoo Code: Verifikasi token gagal.",
+			"invalid_token": "Zoo Code: Token tidak valid.",
+			"could_not_verify_token": "Zoo Code: Tidak dapat memverifikasi token."
+		},
+		"info": {
+			"connected": "Zoo Code: Berhasil terhubung! Kamu sekarang bisa menggunakan Zoo Code sebagai penyedia AI.",
+			"disconnected": "Zoo Code: Berhasil terputus."
+		}
 	}
 }
diff --git a/src/i18n/locales/it/common.json b/src/i18n/locales/it/common.json
index 9d276c23d20..4b0a448abda 100644
--- a/src/i18n/locales/it/common.json
+++ b/src/i18n/locales/it/common.json
@@ -255,5 +255,17 @@
 	"docsLink": {
 		"label": "Docs",
 		"url": "https://docs.roocode.com"
+	},
+	"zooAuth": {
+		"errors": {
+			"invalid_token_received": "Zoo Code: Ricevuto un token di autenticazione non valido.",
+			"token_verification_failed": "Zoo Code: Verifica del token non riuscita.",
+			"invalid_token": "Zoo Code: Token non valido.",
+			"could_not_verify_token": "Zoo Code: Impossibile verificare il token."
+		},
+		"info": {
+			"connected": "Zoo Code: Connesso con successo! Ora puoi usare Zoo Code come fornitore AI.",
+			"disconnected": "Zoo Code: Disconnesso con successo."
+		}
 	}
 }
diff --git a/src/i18n/locales/ja/common.json b/src/i18n/locales/ja/common.json
index 989ae512ee7..ac1f8349a3e 100644
--- a/src/i18n/locales/ja/common.json
+++ b/src/i18n/locales/ja/common.json
@@ -255,5 +255,17 @@
 	"docsLink": {
 		"label": "Docs",
 		"url": "https://docs.roocode.com"
+	},
+	"zooAuth": {
+		"errors": {
+			"invalid_token_received": "Zoo Code: 無効な認証 token を受信しました。",
+			"token_verification_failed": "Zoo Code: Token の検証に失敗しました。",
+			"invalid_token": "Zoo Code: 無効な token です。",
+			"could_not_verify_token": "Zoo Code: Token を検証できませんでした。"
+		},
+		"info": {
+			"connected": "Zoo Code: 接続に成功しました！Zoo Code を AI プロバイダーとして使用できます。",
+			"disconnected": "Zoo Code: 正常に切断されました。"
+		}
 	}
 }
diff --git a/src/i18n/locales/ko/common.json b/src/i18n/locales/ko/common.json
index 2635d900798..9c404e338d6 100644
--- a/src/i18n/locales/ko/common.json
+++ b/src/i18n/locales/ko/common.json
@@ -255,5 +255,17 @@
 	"docsLink": {
 		"label": "Docs",
 		"url": "https://docs.roocode.com"
+	},
+	"zooAuth": {
+		"errors": {
+			"invalid_token_received": "Zoo Code: 잘못된 인증 token을 수신했습니다.",
+			"token_verification_failed": "Zoo Code: Token 검증에 실패했습니다.",
+			"invalid_token": "Zoo Code: 잘못된 token입니다.",
+			"could_not_verify_token": "Zoo Code: Token을 검증할 수 없습니다."
+		},
+		"info": {
+			"connected": "Zoo Code: 연결에 성공했습니다! 이제 Zoo Code를 AI 제공자로 사용할 수 있습니다.",
+			"disconnected": "Zoo Code: 연결이 해제되었습니다."
+		}
 	}
 }
diff --git a/src/i18n/locales/nl/common.json b/src/i18n/locales/nl/common.json
index 2c8b8f783b6..e97978eea58 100644
--- a/src/i18n/locales/nl/common.json
+++ b/src/i18n/locales/nl/common.json
@@ -255,5 +255,17 @@
 	"docsLink": {
 		"label": "Docs",
 		"url": "https://docs.roocode.com"
+	},
+	"zooAuth": {
+		"errors": {
+			"invalid_token_received": "Zoo Code: Ongeldig authenticatietoken ontvangen.",
+			"token_verification_failed": "Zoo Code: Tokenverificatie mislukt.",
+			"invalid_token": "Zoo Code: Ongeldig token.",
+			"could_not_verify_token": "Zoo Code: Token kon niet worden geverifieerd."
+		},
+		"info": {
+			"connected": "Zoo Code: Succesvol verbonden! Je kunt Zoo Code nu gebruiken als AI-provider.",
+			"disconnected": "Zoo Code: Succesvol losgekoppeld."
+		}
 	}
 }
diff --git a/src/i18n/locales/pl/common.json b/src/i18n/locales/pl/common.json
index aa72c5aaec5..6bcf93d726d 100644
--- a/src/i18n/locales/pl/common.json
+++ b/src/i18n/locales/pl/common.json
@@ -255,5 +255,17 @@
 	"docsLink": {
 		"label": "Docs",
 		"url": "https://docs.roocode.com"
+	},
+	"zooAuth": {
+		"errors": {
+			"invalid_token_received": "Zoo Code: Otrzymano nieprawidłowy token uwierzytelniania.",
+			"token_verification_failed": "Zoo Code: Weryfikacja tokenu nie powiodła się.",
+			"invalid_token": "Zoo Code: Nieprawidłowy token.",
+			"could_not_verify_token": "Zoo Code: Nie udało się zweryfikować tokenu."
+		},
+		"info": {
+			"connected": "Zoo Code: Połączono pomyślnie! Możesz teraz używać Zoo Code jako dostawcy AI.",
+			"disconnected": "Zoo Code: Rozłączono pomyślnie."
+		}
 	}
 }
diff --git a/src/i18n/locales/pt-BR/common.json b/src/i18n/locales/pt-BR/common.json
index 69bac459783..be231e2b9c0 100644
--- a/src/i18n/locales/pt-BR/common.json
+++ b/src/i18n/locales/pt-BR/common.json
@@ -255,5 +255,17 @@
 	"docsLink": {
 		"label": "Docs",
 		"url": "https://docs.roocode.com"
+	},
+	"zooAuth": {
+		"errors": {
+			"invalid_token_received": "Zoo Code: Token de autenticação inválido recebido.",
+			"token_verification_failed": "Zoo Code: Falha na verificação do token.",
+			"invalid_token": "Zoo Code: Token inválido.",
+			"could_not_verify_token": "Zoo Code: Não foi possível verificar o token."
+		},
+		"info": {
+			"connected": "Zoo Code: Conectado com sucesso! Agora você pode usar o Zoo Code como provedor de IA.",
+			"disconnected": "Zoo Code: Desconectado com sucesso."
+		}
 	}
 }
diff --git a/src/i18n/locales/ru/common.json b/src/i18n/locales/ru/common.json
index d22c4899405..800d53f6606 100644
--- a/src/i18n/locales/ru/common.json
+++ b/src/i18n/locales/ru/common.json
@@ -255,5 +255,17 @@
 	"docsLink": {
 		"label": "Docs",
 		"url": "https://docs.roocode.com"
+	},
+	"zooAuth": {
+		"errors": {
+			"invalid_token_received": "Zoo Code: Получен недействительный token аутентификации.",
+			"token_verification_failed": "Zoo Code: Не удалось проверить token.",
+			"invalid_token": "Zoo Code: Недействительный token.",
+			"could_not_verify_token": "Zoo Code: Не удалось проверить token."
+		},
+		"info": {
+			"connected": "Zoo Code: Успешно подключено! Теперь ты можешь использовать Zoo Code в качестве AI-провайдера.",
+			"disconnected": "Zoo Code: Успешно отключено."
+		}
 	}
 }
diff --git a/src/i18n/locales/tr/common.json b/src/i18n/locales/tr/common.json
index 847a364dfc7..0b1e64c0a1a 100644
--- a/src/i18n/locales/tr/common.json
+++ b/src/i18n/locales/tr/common.json
@@ -255,5 +255,17 @@
 	"docsLink": {
 		"label": "Docs",
 		"url": "https://docs.roocode.com"
+	},
+	"zooAuth": {
+		"errors": {
+			"invalid_token_received": "Zoo Code: Geçersiz kimlik doğrulama token'ı alındı.",
+			"token_verification_failed": "Zoo Code: Token doğrulaması başarısız oldu.",
+			"invalid_token": "Zoo Code: Geçersiz token.",
+			"could_not_verify_token": "Zoo Code: Token doğrulanamadı."
+		},
+		"info": {
+			"connected": "Zoo Code: Başarıyla bağlandı! Artık Zoo Code'u AI sağlayıcısı olarak kullanabilirsin.",
+			"disconnected": "Zoo Code: Başarıyla bağlantı kesildi."
+		}
 	}
 }
diff --git a/src/i18n/locales/vi/common.json b/src/i18n/locales/vi/common.json
index 51353c06ba7..392c4ba3604 100644
--- a/src/i18n/locales/vi/common.json
+++ b/src/i18n/locales/vi/common.json
@@ -262,5 +262,17 @@
 	"docsLink": {
 		"label": "Docs",
 		"url": "https://docs.roocode.com"
+	},
+	"zooAuth": {
+		"errors": {
+			"invalid_token_received": "Zoo Code: Nhận được token xác thực không hợp lệ.",
+			"token_verification_failed": "Zoo Code: Xác minh token thất bại.",
+			"invalid_token": "Zoo Code: Token không hợp lệ.",
+			"could_not_verify_token": "Zoo Code: Không thể xác minh token."
+		},
+		"info": {
+			"connected": "Zoo Code: Kết nối thành công! Bạn có thể sử dụng Zoo Code làm nhà cung cấp AI.",
+			"disconnected": "Zoo Code: Đã ngắt kết nối thành công."
+		}
 	}
 }
diff --git a/src/i18n/locales/zh-CN/common.json b/src/i18n/locales/zh-CN/common.json
index fcc5106e81b..9a685a2e067 100644
--- a/src/i18n/locales/zh-CN/common.json
+++ b/src/i18n/locales/zh-CN/common.json
@@ -260,5 +260,17 @@
 	"docsLink": {
 		"label": "Docs",
 		"url": "https://docs.roocode.com"
+	},
+	"zooAuth": {
+		"errors": {
+			"invalid_token_received": "Zoo Code: 收到无效的认证 token。",
+			"token_verification_failed": "Zoo Code: Token 验证失败。",
+			"invalid_token": "Zoo Code: 无效的 token。",
+			"could_not_verify_token": "Zoo Code: 无法验证 token。"
+		},
+		"info": {
+			"connected": "Zoo Code: 连接成功！你现在可以使用 Zoo Code 作为 AI 提供商。",
+			"disconnected": "Zoo Code: 已成功断开连接。"
+		}
 	}
 }
diff --git a/src/i18n/locales/zh-TW/common.json b/src/i18n/locales/zh-TW/common.json
index c8371e67e6f..a0b30b113f8 100644
--- a/src/i18n/locales/zh-TW/common.json
+++ b/src/i18n/locales/zh-TW/common.json
@@ -255,5 +255,17 @@
 	"docsLink": {
 		"label": "Docs",
 		"url": "https://docs.roocode.com"
+	},
+	"zooAuth": {
+		"errors": {
+			"invalid_token_received": "Zoo Code: 收到無效的認證 token。",
+			"token_verification_failed": "Zoo Code: Token 驗證失敗。",
+			"invalid_token": "Zoo Code: 無效的 token。",
+			"could_not_verify_token": "Zoo Code: 無法驗證 token。"
+		},
+		"info": {
+			"connected": "Zoo Code: 連線成功！你現在可以使用 Zoo Code 作為 AI 提供商。",
+			"disconnected": "Zoo Code: 已成功中斷連線。"
+		}
 	}
 }
diff --git a/src/services/__tests__/zoo-code-auth.test.ts b/src/services/__tests__/zoo-code-auth.test.ts
new file mode 100644
index 00000000000..a182b0a34cb
--- /dev/null
+++ b/src/services/__tests__/zoo-code-auth.test.ts
@@ -0,0 +1,463 @@
+import { afterEach, beforeEach, describe, expect, it, vi } from "vitest"
+import * as vscode from "vscode"
+
+import {
+	checkSubscriptionStatus,
+	clearZooCodeToken,
+	clearZooCodeUserInfo,
+	disconnectZooCode,
+	getCachedSubscriptionStatus,
+	getCachedZooCodeToken,
+	getCachedZooCodeUserInfo,
+	getZooCodeBaseUrl,
+	handleAuthCallback,
+	initZooCodeAuth,
+	setZooCodeToken,
+	setZooCodeUserInfo,
+	verifyZooCodeToken,
+} from "../zoo-code-auth"
+
+vi.mock("vscode", () => ({
+	workspace: {
+		getConfiguration: vi.fn(() => ({
+			get: vi.fn((key: string, defaultValue?: string) => defaultValue),
+		})),
+	},
+	window: {
+		showErrorMessage: vi.fn(),
+		showInformationMessage: vi.fn(),
+	},
+}))
+
+vi.mock("../i18n", () => ({
+	t: vi.fn((key: string) => key),
+}))
+
+const mockFetch = vi.fn()
+global.fetch = mockFetch as any
+
+describe("zoo-code-auth", () => {
+	let mockSecrets: any
+	let mockContext: any
+
+	beforeEach(() => {
+		vi.clearAllMocks()
+		mockFetch.mockReset()
+
+		const secretStore: Record<string, string> = {}
+		mockSecrets = {
+			get: vi.fn(async (key: string) => secretStore[key]),
+			store: vi.fn(async (key: string, value: string) => {
+				secretStore[key] = value
+			}),
+			delete: vi.fn(async (key: string) => {
+				delete secretStore[key]
+			}),
+			onDidChange: vi.fn(() => ({ dispose: vi.fn() })),
+		}
+
+		mockContext = {
+			secrets: mockSecrets,
+		}
+	})
+
+	afterEach(async () => {
+		await clearZooCodeToken()
+		await clearZooCodeUserInfo()
+		vi.restoreAllMocks()
+	})
+
+	describe("getCachedSubscriptionStatus", () => {
+		it("returns unknown initially", () => {
+			expect(getCachedSubscriptionStatus()).toBe("unknown")
+		})
+	})
+
+	describe("checkSubscriptionStatus", () => {
+		it("returns inactive when no token is present", async () => {
+			await initZooCodeAuth(mockContext)
+
+			const status = await checkSubscriptionStatus()
+
+			expect(status).toBe("inactive")
+			expect(mockFetch).not.toHaveBeenCalled()
+		})
+
+		it("returns active when the API reports an active subscriber", async () => {
+			await initZooCodeAuth(mockContext)
+			await setZooCodeToken("zoo_ext_test_token")
+
+			mockFetch.mockResolvedValueOnce({
+				ok: true,
+				json: async () => ({ isSubscriber: true, planId: "pro", status: "active" }),
+			})
+
+			const status = await checkSubscriptionStatus()
+
+			expect(status).toBe("active")
+			expect(mockFetch).toHaveBeenCalledWith(
+				expect.stringContaining("/api/subscription/status"),
+				expect.objectContaining({
+					headers: { Authorization: "Bearer zoo_ext_test_token" },
+				}),
+			)
+		})
+
+		it("returns inactive when the API reports a free user", async () => {
+			await initZooCodeAuth(mockContext)
+			await setZooCodeToken("zoo_ext_test_token")
+
+			mockFetch.mockResolvedValueOnce({
+				ok: true,
+				json: async () => ({ isSubscriber: false, planId: "free", status: "active" }),
+			})
+
+			await expect(checkSubscriptionStatus()).resolves.toBe("inactive")
+		})
+
+		it("returns unknown when the API request fails", async () => {
+			await initZooCodeAuth(mockContext)
+			await setZooCodeToken("zoo_ext_test_token")
+
+			mockFetch.mockResolvedValueOnce({
+				ok: false,
+				status: 500,
+				statusText: "Internal Server Error",
+			})
+
+			await expect(checkSubscriptionStatus()).resolves.toBe("unknown")
+		})
+
+		it("returns unknown when the API throws", async () => {
+			await initZooCodeAuth(mockContext)
+			await setZooCodeToken("zoo_ext_test_token")
+			mockFetch.mockRejectedValueOnce(new Error("Network error"))
+
+			await expect(checkSubscriptionStatus()).resolves.toBe("unknown")
+		})
+
+		it("reuses the cached status when it was checked recently", async () => {
+			await initZooCodeAuth(mockContext)
+			await setZooCodeToken("zoo_ext_test_token")
+
+			mockFetch.mockResolvedValueOnce({
+				ok: true,
+				json: async () => ({ isSubscriber: true, planId: "pro", status: "active" }),
+			})
+
+			expect(await checkSubscriptionStatus()).toBe("active")
+			expect(await checkSubscriptionStatus()).toBe("active")
+			expect(mockFetch).toHaveBeenCalledTimes(1)
+		})
+
+		it("handles AbortSignal timeouts", async () => {
+			await initZooCodeAuth(mockContext)
+			await setZooCodeToken("zoo_ext_test_token")
+			mockFetch.mockRejectedValueOnce(new DOMException("Aborted", "AbortError"))
+
+			await expect(checkSubscriptionStatus()).resolves.toBe("unknown")
+		})
+	})
+
+	describe("getCachedZooCodeToken", () => {
+		it("returns an empty string when no token is set", async () => {
+			await clearZooCodeToken()
+
+			expect(getCachedZooCodeToken()).toBe("")
+		})
+
+		it("preloads the cached token during initialization", async () => {
+			await mockSecrets.store("zoo-code-session-token", "zoo_ext_cached_token")
+			mockFetch
+				.mockResolvedValueOnce({
+					ok: true,
+					json: async () => ({ valid: true }),
+				})
+				.mockResolvedValueOnce({
+					ok: true,
+					json: async () => ({ isSubscriber: true }),
+				})
+
+			await initZooCodeAuth(mockContext)
+			await Promise.resolve()
+
+			expect(getCachedZooCodeToken()).toBe("zoo_ext_cached_token")
+		})
+	})
+
+	describe("initZooCodeAuth", () => {
+		it("clears stored user info and token when the cached token is invalid", async () => {
+			await mockSecrets.store("zoo-code-session-token", "zoo_ext_stale_token")
+			await mockSecrets.store("zoo-code-user-name", "Jane Doe")
+			await mockSecrets.store("zoo-code-user-email", "jane@example.com")
+			await mockSecrets.store("zoo-code-user-image", "https://example.com/avatar.png")
+			mockFetch.mockResolvedValueOnce({
+				ok: true,
+				json: async () => ({ valid: false }),
+			})
+
+			await initZooCodeAuth(mockContext)
+
+			// Both token and user info should be cleared on a definitive invalid response
+			expect(getCachedZooCodeToken()).toBe("")
+			expect(getCachedZooCodeUserInfo()).toEqual({
+				name: undefined,
+				email: undefined,
+				image: undefined,
+			})
+		})
+
+		it("clears stored user info and token when backend returns HTTP error (invalid token)", async () => {
+			await mockSecrets.store("zoo-code-session-token", "zoo_ext_stale_token")
+			await mockSecrets.store("zoo-code-user-name", "Jane Doe")
+			await mockSecrets.store("zoo-code-user-email", "jane@example.com")
+			mockFetch.mockResolvedValueOnce({
+				ok: false,
+				status: 401,
+				statusText: "Unauthorized",
+			})
+
+			await initZooCodeAuth(mockContext)
+
+			expect(getCachedZooCodeToken()).toBe("")
+			expect(getCachedZooCodeUserInfo()).toEqual({
+				name: undefined,
+				email: undefined,
+				image: undefined,
+			})
+		})
+
+		it("preserves token and user info when the backend is temporarily unreachable", async () => {
+			await mockSecrets.store("zoo-code-session-token", "zoo_ext_valid_token")
+			await mockSecrets.store("zoo-code-user-name", "Jane Doe")
+			await mockSecrets.store("zoo-code-user-email", "jane@example.com")
+			// Simulate a network error during verification
+			mockFetch.mockRejectedValueOnce(new Error("Network error"))
+
+			await initZooCodeAuth(mockContext)
+
+			// Token and user info should be kept; subscription status should be unknown
+			expect(getCachedZooCodeToken()).toBe("zoo_ext_valid_token")
+			expect(getCachedZooCodeUserInfo().name).toBe("Jane Doe")
+			expect(getCachedSubscriptionStatus()).toBe("unknown")
+		})
+	})
+
+	describe("setZooCodeToken", () => {
+		it("resets the cached subscription status when the token changes", async () => {
+			await initZooCodeAuth(mockContext)
+			await setZooCodeToken("zoo_ext_token1")
+			mockFetch.mockResolvedValueOnce({
+				ok: true,
+				json: async () => ({ isSubscriber: true, planId: "pro", status: "active" }),
+			})
+			await checkSubscriptionStatus()
+
+			await setZooCodeToken("zoo_ext_token2")
+
+			expect(getCachedSubscriptionStatus()).toBe("unknown")
+		})
+	})
+
+	describe("clearZooCodeToken", () => {
+		it("resets the cached subscription status when the token is cleared", async () => {
+			await initZooCodeAuth(mockContext)
+			await setZooCodeToken("zoo_ext_test_token")
+			mockFetch.mockResolvedValueOnce({
+				ok: true,
+				json: async () => ({ isSubscriber: true, planId: "pro", status: "active" }),
+			})
+			await checkSubscriptionStatus()
+
+			await clearZooCodeToken()
+
+			expect(getCachedSubscriptionStatus()).toBe("unknown")
+			expect(getCachedZooCodeToken()).toBe("")
+		})
+	})
+
+	describe("getZooCodeBaseUrl", () => {
+		it("returns the default URL when ZOO_CODE_BASE_URL is not set", () => {
+			const originalEnv = process.env.ZOO_CODE_BASE_URL
+			delete process.env.ZOO_CODE_BASE_URL
+
+			expect(getZooCodeBaseUrl()).toBe("https://www.zoocode.dev")
+
+			if (originalEnv) {
+				process.env.ZOO_CODE_BASE_URL = originalEnv
+			}
+		})
+
+		it("respects ZOO_CODE_BASE_URL", () => {
+			const originalEnv = process.env.ZOO_CODE_BASE_URL
+			process.env.ZOO_CODE_BASE_URL = "https://staging.zoocode.dev"
+
+			expect(getZooCodeBaseUrl()).toBe("https://staging.zoocode.dev")
+
+			if (originalEnv) {
+				process.env.ZOO_CODE_BASE_URL = originalEnv
+			} else {
+				delete process.env.ZOO_CODE_BASE_URL
+			}
+		})
+	})
+
+	describe("handleAuthCallback", () => {
+		it("does not persist a token when backend verification fails", async () => {
+			await initZooCodeAuth(mockContext)
+			mockFetch.mockResolvedValueOnce({
+				ok: true,
+				json: async () => ({ valid: false }),
+			})
+
+			const success = await handleAuthCallback("zoo_ext_fake_token")
+
+			expect(success).toBe(false)
+			expect(getCachedZooCodeToken()).toBe("")
+			expect(mockSecrets.store).not.toHaveBeenCalledWith("zoo-code-session-token", "zoo_ext_fake_token")
+		})
+
+		it("persists a token only after backend verification succeeds", async () => {
+			await initZooCodeAuth(mockContext)
+			mockFetch
+				.mockResolvedValueOnce({
+					ok: true,
+					json: async () => ({ valid: true }),
+				})
+				.mockResolvedValueOnce({
+					ok: true,
+					json: async () => ({ isSubscriber: true }),
+				})
+
+			const success = await handleAuthCallback("zoo_ext_real_token")
+
+			expect(success).toBe(true)
+			expect(getCachedZooCodeToken()).toBe("zoo_ext_real_token")
+			expect(mockSecrets.store).toHaveBeenCalledWith("zoo-code-session-token", "zoo_ext_real_token")
+		})
+	})
+
+	describe("verifyZooCodeToken", () => {
+		it("returns 'valid' when the backend confirms the token", async () => {
+			await initZooCodeAuth(mockContext)
+			await setZooCodeToken("zoo_ext_valid_token")
+			mockFetch.mockResolvedValueOnce({
+				ok: true,
+				json: async () => ({ valid: true }),
+			})
+
+			expect(await verifyZooCodeToken()).toBe("valid")
+			// Token should NOT be cleared — no side effects
+			expect(getCachedZooCodeToken()).toBe("zoo_ext_valid_token")
+		})
+
+		it("returns 'invalid' when the backend reports valid: false", async () => {
+			await initZooCodeAuth(mockContext)
+			await setZooCodeToken("zoo_ext_invalid_token")
+			mockFetch.mockResolvedValueOnce({
+				ok: true,
+				json: async () => ({ valid: false }),
+			})
+
+			expect(await verifyZooCodeToken()).toBe("invalid")
+			// No side effects — caller decides what to do
+			expect(getCachedZooCodeToken()).toBe("zoo_ext_invalid_token")
+		})
+
+		it("returns 'invalid' when the backend returns HTTP error", async () => {
+			await initZooCodeAuth(mockContext)
+			await setZooCodeToken("zoo_ext_invalid_token")
+			mockFetch.mockResolvedValueOnce({
+				ok: false,
+				status: 401,
+				statusText: "Unauthorized",
+			})
+
+			expect(await verifyZooCodeToken()).toBe("invalid")
+		})
+
+		it("returns 'unreachable' when a network error occurs", async () => {
+			await initZooCodeAuth(mockContext)
+			await setZooCodeToken("zoo_ext_token")
+			mockFetch.mockRejectedValueOnce(new Error("Network error"))
+
+			expect(await verifyZooCodeToken()).toBe("unreachable")
+			// Token must NOT be cleared on network error
+			expect(getCachedZooCodeToken()).toBe("zoo_ext_token")
+		})
+
+		it("returns 'invalid' when no token is stored", async () => {
+			await initZooCodeAuth(mockContext)
+
+			expect(await verifyZooCodeToken()).toBe("invalid")
+		})
+	})
+
+	describe("setZooCodeUserInfo", () => {
+		it("clears email when passed null", async () => {
+			await initZooCodeAuth(mockContext)
+			await setZooCodeUserInfo({
+				name: "Jane Doe",
+				email: "jane@example.com",
+				image: "https://example.com/avatar.png",
+			})
+
+			// Verify email is set
+			expect(getCachedZooCodeUserInfo().email).toBe("jane@example.com")
+
+			// Clear email with null
+			await setZooCodeUserInfo({ email: null })
+
+			// Email should be cleared, but other fields should remain
+			const info = getCachedZooCodeUserInfo()
+			expect(info.email).toBeUndefined()
+			expect(info.name).toBe("Jane Doe")
+			expect(info.image).toBe("https://example.com/avatar.png")
+		})
+
+		it("does not clear email when passed undefined", async () => {
+			await initZooCodeAuth(mockContext)
+			await setZooCodeUserInfo({
+				name: "Jane Doe",
+				email: "jane@example.com",
+				image: "https://example.com/avatar.png",
+			})
+
+			// Pass undefined for email - should preserve existing value
+			await setZooCodeUserInfo({ name: "John Doe", email: undefined })
+
+			const info = getCachedZooCodeUserInfo()
+			expect(info.email).toBe("jane@example.com")
+			expect(info.name).toBe("John Doe")
+		})
+	})
+
+	describe("disconnectZooCode", () => {
+		it("revokes the current token and clears cached auth state", async () => {
+			await initZooCodeAuth(mockContext)
+			await setZooCodeToken("zoo_ext_real_token")
+			await setZooCodeUserInfo({
+				name: "Jane Doe",
+				email: "jane@example.com",
+				image: "https://example.com/avatar.png",
+			})
+			mockFetch.mockResolvedValueOnce({ ok: true })
+
+			await disconnectZooCode()
+
+			expect(mockFetch).toHaveBeenCalledWith(
+				expect.stringContaining("/api/extension/auth/revoke"),
+				expect.objectContaining({
+					method: "POST",
+					headers: { Authorization: "Bearer zoo_ext_real_token" },
+				}),
+			)
+			expect(getCachedZooCodeToken()).toBe("")
+			expect(getCachedZooCodeUserInfo()).toEqual({
+				name: undefined,
+				email: undefined,
+				image: undefined,
+			})
+		})
+	})
+})
diff --git a/src/services/__tests__/zoo-telemetry.test.ts b/src/services/__tests__/zoo-telemetry.test.ts
new file mode 100644
index 00000000000..5f5ace80de6
--- /dev/null
+++ b/src/services/__tests__/zoo-telemetry.test.ts
@@ -0,0 +1,132 @@
+import { afterEach, beforeEach, describe, expect, it, vi } from "vitest"
+
+const {
+	mockCheckSubscriptionStatus,
+	mockGetCachedSubscriptionStatus,
+	mockGetCachedZooCodeToken,
+	mockGetZooCodeBaseUrl,
+} = vi.hoisted(() => ({
+	mockCheckSubscriptionStatus: vi.fn(),
+	mockGetCachedSubscriptionStatus: vi.fn(),
+	mockGetCachedZooCodeToken: vi.fn(),
+	mockGetZooCodeBaseUrl: vi.fn(),
+}))
+
+vi.mock("../zoo-code-auth", () => ({
+	checkSubscriptionStatus: mockCheckSubscriptionStatus,
+	getCachedSubscriptionStatus: mockGetCachedSubscriptionStatus,
+	getCachedZooCodeToken: mockGetCachedZooCodeToken,
+	getZooCodeBaseUrl: mockGetZooCodeBaseUrl,
+}))
+
+import { sendLlmTelemetry } from "../zoo-telemetry"
+
+describe("sendLlmTelemetry", () => {
+	const payload = {
+		taskId: "task-123",
+		provider: "anthropic",
+		model: "claude-sonnet-4",
+		mode: "code",
+		inputTokens: 11,
+		outputTokens: 7,
+		cacheReadTokens: 3,
+		cacheWriteTokens: 5,
+		totalCost: 1.23,
+	}
+
+	beforeEach(() => {
+		vi.clearAllMocks()
+		mockGetZooCodeBaseUrl.mockReturnValue("https://www.zoocode.dev")
+	})
+
+	afterEach(() => {
+		vi.restoreAllMocks()
+	})
+
+	it("skips telemetry when there is no cached token", async () => {
+		mockGetCachedZooCodeToken.mockReturnValue("")
+		global.fetch = vi.fn()
+
+		await sendLlmTelemetry(payload)
+
+		expect(global.fetch).not.toHaveBeenCalled()
+	})
+
+	it("refreshes an unknown subscription status before sending", async () => {
+		mockGetCachedZooCodeToken.mockReturnValue("zoo_ext_test_token")
+		mockGetCachedSubscriptionStatus.mockReturnValue("unknown")
+		mockCheckSubscriptionStatus.mockResolvedValue("inactive")
+		global.fetch = vi.fn()
+
+		await sendLlmTelemetry(payload)
+
+		expect(mockCheckSubscriptionStatus).toHaveBeenCalled()
+		expect(global.fetch).not.toHaveBeenCalled()
+	})
+
+	it("fires the observability request without waiting for it to settle", async () => {
+		mockGetCachedZooCodeToken.mockReturnValue("zoo_ext_test_token")
+		mockGetCachedSubscriptionStatus.mockReturnValue("active")
+
+		let resolveFetch: ((value: unknown) => void) | undefined
+		global.fetch = vi.fn(
+			() =>
+				new Promise((resolve) => {
+					resolveFetch = resolve
+				}),
+		) as typeof fetch
+
+		const result = await Promise.race([
+			sendLlmTelemetry(payload).then(() => "resolved"),
+			new Promise((resolve) => setTimeout(() => resolve("timeout"), 20)),
+		])
+
+		expect(result).toBe("resolved")
+		expect(global.fetch).toHaveBeenCalledWith(
+			"https://www.zoocode.dev/api/observability/events",
+			expect.objectContaining({
+				method: "POST",
+				headers: {
+					"Content-Type": "application/json",
+					Authorization: "Bearer zoo_ext_test_token",
+				},
+				signal: expect.any(AbortSignal),
+			}),
+		)
+		expect(JSON.parse((global.fetch as any).mock.calls[0][1].body)).toMatchObject({
+			...payload,
+			status: "completed",
+			editor: "vscode",
+		})
+
+		resolveFetch?.({ ok: true })
+	})
+
+	it("sends cancelled status when provided in payload", async () => {
+		mockGetCachedZooCodeToken.mockReturnValue("zoo_ext_test_token")
+		mockGetCachedSubscriptionStatus.mockReturnValue("active")
+
+		global.fetch = vi.fn().mockResolvedValue({ ok: true })
+
+		await sendLlmTelemetry({ ...payload, status: "cancelled" })
+
+		expect(JSON.parse((global.fetch as any).mock.calls[0][1].body)).toMatchObject({
+			...payload,
+			status: "cancelled",
+			editor: "vscode",
+		})
+	})
+
+	it("defaults to completed status when not provided", async () => {
+		mockGetCachedZooCodeToken.mockReturnValue("zoo_ext_test_token")
+		mockGetCachedSubscriptionStatus.mockReturnValue("active")
+
+		global.fetch = vi.fn().mockResolvedValue({ ok: true })
+
+		await sendLlmTelemetry(payload)
+
+		expect(JSON.parse((global.fetch as any).mock.calls[0][1].body)).toMatchObject({
+			status: "completed",
+		})
+	})
+})
diff --git a/src/services/zoo-code-auth.ts b/src/services/zoo-code-auth.ts
new file mode 100644
index 00000000000..79fb6610ad9
--- /dev/null
+++ b/src/services/zoo-code-auth.ts
@@ -0,0 +1,306 @@
+import * as vscode from "vscode"
+
+import { t } from "../i18n"
+
+const ZOO_CODE_TOKEN_KEY = "zoo-code-session-token"
+const ZOO_CODE_USER_NAME_KEY = "zoo-code-user-name"
+const ZOO_CODE_USER_EMAIL_KEY = "zoo-code-user-email"
+const ZOO_CODE_USER_IMAGE_KEY = "zoo-code-user-image"
+
+let secretStorage: vscode.SecretStorage | undefined
+
+// In-memory cache for synchronous access in ZooCodeHandler hot path
+let _cachedToken: string | undefined = undefined
+let _cachedUserName: string | undefined = undefined
+let _cachedUserEmail: string | undefined = undefined
+let _cachedUserImage: string | undefined = undefined
+let _cachedSubscriptionStatus: "active" | "inactive" | "unknown" = "unknown"
+let _lastSubscriptionCheck: number = 0
+const SUBSCRIPTION_CHECK_INTERVAL_MS = 5 * 60 * 1000 // 5 minutes
+
+export async function initZooCodeAuth(context: vscode.ExtensionContext): Promise<void> {
+	if (!context.secrets) {
+		// Secret storage unavailable (e.g. test environment without secrets mock).
+		// Treat as unauthenticated startup — all cached values remain undefined.
+		return
+	}
+	secretStorage = context.secrets
+
+	// Pre-load the token and user info into memory on init so ZooCodeHandler can access them synchronously
+	_cachedToken = await secretStorage.get(ZOO_CODE_TOKEN_KEY)
+	_cachedUserName = await secretStorage.get(ZOO_CODE_USER_NAME_KEY)
+	_cachedUserEmail = await secretStorage.get(ZOO_CODE_USER_EMAIL_KEY)
+	_cachedUserImage = await secretStorage.get(ZOO_CODE_USER_IMAGE_KEY)
+
+	// Validate persisted auth state on init before reporting the user as connected.
+	if (_cachedToken) {
+		const result = await verifyZooCodeToken()
+		if (result === "invalid") {
+			// Token is definitively rejected by the backend — clear everything.
+			await clearZooCodeUserInfo()
+			await clearZooCodeToken()
+		} else if (result === "unreachable") {
+			// Network is temporarily down; keep the cached session but mark subscription
+			// status as unknown so callers know it hasn't been confirmed.
+			_cachedSubscriptionStatus = "unknown"
+		} else {
+			// result === "valid"
+			void checkSubscriptionStatus().catch(() => {})
+		}
+	}
+
+	// Watch for secret changes and update cache
+	context.secrets.onDidChange((e) => {
+		if (e.key === ZOO_CODE_TOKEN_KEY) {
+			secretStorage?.get(ZOO_CODE_TOKEN_KEY).then((token) => {
+				_cachedToken = token
+				// Reset subscription status when token changes
+				_cachedSubscriptionStatus = "unknown"
+				_lastSubscriptionCheck = 0
+				if (token) {
+					checkSubscriptionStatus().catch(() => {})
+				}
+			})
+		}
+		if (e.key === ZOO_CODE_USER_NAME_KEY) {
+			secretStorage?.get(ZOO_CODE_USER_NAME_KEY).then((name) => {
+				_cachedUserName = name
+			})
+		}
+		if (e.key === ZOO_CODE_USER_EMAIL_KEY) {
+			secretStorage?.get(ZOO_CODE_USER_EMAIL_KEY).then((email) => {
+				_cachedUserEmail = email
+			})
+		}
+		if (e.key === ZOO_CODE_USER_IMAGE_KEY) {
+			secretStorage?.get(ZOO_CODE_USER_IMAGE_KEY).then((image) => {
+				_cachedUserImage = image
+			})
+		}
+	})
+}
+
+// Synchronous getter for use in ZooCodeHandler (called in hot path during API requests)
+export function getCachedZooCodeToken(): string {
+	return _cachedToken ?? ""
+}
+
+export function getCachedZooCodeUserInfo(): { name?: string; email?: string; image?: string } {
+	return {
+		name: _cachedUserName,
+		email: _cachedUserEmail,
+		image: _cachedUserImage,
+	}
+}
+
+/**
+ * Get the cached subscription status. This is a synchronous getter that returns
+ * the last known subscription status. Call checkSubscriptionStatus() to refresh.
+ */
+export function getCachedSubscriptionStatus(): "active" | "inactive" | "unknown" {
+	return _cachedSubscriptionStatus
+}
+
+/**
+ * Check the subscription status from the backend API.
+ * Updates the cached status and returns it.
+ * Implements caching to avoid excessive API calls (5 minute cache).
+ */
+export async function checkSubscriptionStatus(): Promise<"active" | "inactive" | "unknown"> {
+	const token = await getZooCodeToken()
+	if (!token) {
+		_cachedSubscriptionStatus = "inactive"
+		return "inactive"
+	}
+
+	// Return cached status if checked recently
+	const now = Date.now()
+	if (now - _lastSubscriptionCheck < SUBSCRIPTION_CHECK_INTERVAL_MS && _cachedSubscriptionStatus !== "unknown") {
+		return _cachedSubscriptionStatus
+	}
+
+	const baseUrl = getZooCodeBaseUrl()
+
+	try {
+		const response = await fetch(`${baseUrl}/api/subscription/status`, {
+			headers: { Authorization: `Bearer ${token}` },
+			signal: AbortSignal.timeout(10_000),
+		})
+
+		if (!response.ok) {
+			_cachedSubscriptionStatus = "unknown"
+			_lastSubscriptionCheck = now
+			return "unknown"
+		}
+
+		const data = (await response.json()) as { isSubscriber?: boolean }
+		_cachedSubscriptionStatus = data.isSubscriber ? "active" : "inactive"
+		_lastSubscriptionCheck = now
+		return _cachedSubscriptionStatus
+	} catch {
+		_cachedSubscriptionStatus = "unknown"
+		_lastSubscriptionCheck = now
+		return "unknown"
+	}
+}
+
+export async function getZooCodeToken(): Promise<string | undefined> {
+	if (!secretStorage) return undefined
+	return secretStorage.get(ZOO_CODE_TOKEN_KEY)
+}
+
+export async function setZooCodeToken(token: string): Promise<void> {
+	if (!secretStorage) return
+	await secretStorage.store(ZOO_CODE_TOKEN_KEY, token)
+	_cachedToken = token
+	// Reset subscription status when token is set
+	_cachedSubscriptionStatus = "unknown"
+	_lastSubscriptionCheck = 0
+}
+
+export async function setZooCodeUserInfo(info: {
+	name?: string | null
+	email?: string | null
+	image?: string | null
+}): Promise<void> {
+	if (!secretStorage) return
+
+	if (info.name) {
+		await secretStorage.store(ZOO_CODE_USER_NAME_KEY, info.name)
+		_cachedUserName = info.name
+	} else if (info.name === null) {
+		await secretStorage.delete(ZOO_CODE_USER_NAME_KEY)
+		_cachedUserName = undefined
+	}
+
+	if (info.email) {
+		await secretStorage.store(ZOO_CODE_USER_EMAIL_KEY, info.email)
+		_cachedUserEmail = info.email
+	} else if (info.email === null) {
+		await secretStorage.delete(ZOO_CODE_USER_EMAIL_KEY)
+		_cachedUserEmail = undefined
+	}
+
+	if (info.image) {
+		await secretStorage.store(ZOO_CODE_USER_IMAGE_KEY, info.image)
+		_cachedUserImage = info.image
+	} else if (info.image === null) {
+		await secretStorage.delete(ZOO_CODE_USER_IMAGE_KEY)
+		_cachedUserImage = undefined
+	}
+}
+
+export async function clearZooCodeUserInfo(): Promise<void> {
+	if (!secretStorage) return
+	await secretStorage.delete(ZOO_CODE_USER_NAME_KEY)
+	await secretStorage.delete(ZOO_CODE_USER_EMAIL_KEY)
+	await secretStorage.delete(ZOO_CODE_USER_IMAGE_KEY)
+	_cachedUserName = undefined
+	_cachedUserEmail = undefined
+	_cachedUserImage = undefined
+}
+
+export async function clearZooCodeToken(): Promise<void> {
+	if (!secretStorage) return
+	await secretStorage.delete(ZOO_CODE_TOKEN_KEY)
+	_cachedToken = undefined
+	_cachedSubscriptionStatus = "unknown"
+	_lastSubscriptionCheck = 0
+}
+
+export function getZooCodeBaseUrl(): string {
+	return process.env.ZOO_CODE_BASE_URL || "https://www.zoocode.dev"
+}
+
+export async function handleAuthCallback(token: string): Promise<boolean> {
+	if (!token || !token.startsWith("zoo_ext_")) {
+		vscode.window.showErrorMessage(t("common:zooAuth.errors.invalid_token_received"))
+		return false
+	}
+
+	// Verify token with backend before storing
+	const baseUrl = getZooCodeBaseUrl()
+	try {
+		const response = await fetch(`${baseUrl}/api/extension/auth/verify`, {
+			headers: { Authorization: `Bearer ${token}` },
+			signal: AbortSignal.timeout(10_000),
+		})
+		if (!response.ok) {
+			vscode.window.showErrorMessage(t("common:zooAuth.errors.token_verification_failed"))
+			return false
+		}
+		const data = (await response.json()) as { valid?: boolean }
+		if (!data.valid) {
+			vscode.window.showErrorMessage(t("common:zooAuth.errors.invalid_token"))
+			return false
+		}
+	} catch {
+		vscode.window.showErrorMessage(t("common:zooAuth.errors.could_not_verify_token"))
+		return false
+	}
+
+	await setZooCodeToken(token)
+
+	// Check subscription status after successful auth
+	await checkSubscriptionStatus().catch(() => {})
+
+	vscode.window.showInformationMessage(t("common:zooAuth.info.connected"))
+	return true
+}
+
+/**
+ * Verify the stored token against the backend.
+ * Returns:
+ *   - "valid"       — backend confirmed the token is good
+ *   - "invalid"     — backend explicitly rejected the token (HTTP error or valid: false)
+ *   - "unreachable" — network error / timeout; token state is unknown
+ *
+ * This function has no side-effects; callers are responsible for acting on the result.
+ */
+export async function verifyZooCodeToken(): Promise<"valid" | "invalid" | "unreachable"> {
+	const token = await getZooCodeToken()
+	if (!token) return "invalid"
+
+	const baseUrl = getZooCodeBaseUrl()
+
+	try {
+		const response = await fetch(`${baseUrl}/api/extension/auth/verify`, {
+			headers: { Authorization: `Bearer ${token}` },
+			signal: AbortSignal.timeout(10_000),
+		})
+
+		if (!response.ok) {
+			return "invalid"
+		}
+
+		const data = (await response.json()) as { valid?: boolean }
+		return data.valid === true ? "valid" : "invalid"
+	} catch {
+		return "unreachable"
+	}
+}
+
+export async function isZooCodeAuthenticated(): Promise<boolean> {
+	const token = await getZooCodeToken()
+	return !!token
+}
+
+export async function disconnectZooCode(): Promise<void> {
+	const token = await getZooCodeToken()
+	if (token) {
+		const baseUrl = getZooCodeBaseUrl()
+
+		try {
+			await fetch(`${baseUrl}/api/extension/auth/revoke`, {
+				method: "POST",
+				headers: { Authorization: `Bearer ${token}` },
+				signal: AbortSignal.timeout(10_000),
+			})
+		} catch {
+			// Ignore errors during revocation
+		}
+	}
+	await clearZooCodeToken()
+	await clearZooCodeUserInfo()
+	vscode.window.showInformationMessage(t("common:zooAuth.info.disconnected"))
+}
diff --git a/src/services/zoo-telemetry.ts b/src/services/zoo-telemetry.ts
new file mode 100644
index 00000000000..b181ff6d5b9
--- /dev/null
+++ b/src/services/zoo-telemetry.ts
@@ -0,0 +1,63 @@
+import {
+	getCachedZooCodeToken,
+	getZooCodeBaseUrl,
+	getCachedSubscriptionStatus,
+	checkSubscriptionStatus,
+} from "./zoo-code-auth"
+import { Package } from "../shared/package"
+
+export type LlmTelemetryPayload = {
+	taskId: string
+	provider: string
+	model: string
+	mode?: string
+	inputTokens: number
+	outputTokens: number
+	cacheReadTokens?: number
+	cacheWriteTokens?: number
+	totalCost?: number
+	status?: "completed" | "cancelled"
+}
+
+/**
+ * Send LLM telemetry to the Zoo Code observability backend.
+ * This is a fire-and-forget operation that silently fails on error.
+ * Only sends telemetry for authenticated users with active subscriptions.
+ */
+export async function sendLlmTelemetry(payload: LlmTelemetryPayload): Promise<void> {
+	const token = getCachedZooCodeToken()
+	if (!token) {
+		return
+	}
+
+	// Check subscription status before sending (uses 5-minute cache)
+	let status = getCachedSubscriptionStatus()
+	if (status === "unknown") {
+		status = await checkSubscriptionStatus().catch(() => "unknown" as const)
+	}
+
+	if (status !== "active") {
+		return
+	}
+
+	const baseUrl = getZooCodeBaseUrl()
+
+	const body = {
+		...payload,
+		status: payload.status ?? "completed",
+		extensionVersion: Package.version,
+		editor: "vscode",
+	}
+
+	void fetch(`${baseUrl}/api/observability/events`, {
+		method: "POST",
+		headers: {
+			"Content-Type": "application/json",
+			Authorization: `Bearer ${token}`,
+		},
+		body: JSON.stringify(body),
+		signal: AbortSignal.timeout(10_000),
+	}).catch(() => {
+		// Silently ignore errors - telemetry should never impact user experience
+	})
+}
diff --git a/webview-ui/src/components/chat/ChatTextArea.tsx b/webview-ui/src/components/chat/ChatTextArea.tsx
index 44e57ae1a7e..045b1e8f06e 100644
--- a/webview-ui/src/components/chat/ChatTextArea.tsx
+++ b/webview-ui/src/components/chat/ChatTextArea.tsx
@@ -31,6 +31,7 @@ import { AutoApproveDropdown } from "./AutoApproveDropdown"
 import { MAX_IMAGES_PER_MESSAGE } from "./ChatView"
 import ContextMenu from "./ContextMenu"
 import { IndexingStatusBadge } from "./IndexingStatusBadge"
+import { ZooCodeAuthBadge } from "./ZooCodeAuthBadge"
 import { usePromptHistory } from "./hooks/usePromptHistory"
 
 interface ChatTextAreaProps {
@@ -1342,6 +1343,7 @@ export const ChatTextArea = forwardRef<HTMLTextAreaElement, ChatTextAreaProps>(
 							</StandardTooltip>
 						)}
 						{!isEditMode ? <IndexingStatusBadge /> : null}
+						{!isEditMode ? <ZooCodeAuthBadge /> : null}
 					</div>
 				</div>
 			</div>
diff --git a/webview-ui/src/components/chat/ZooCodeAuthBadge.tsx b/webview-ui/src/components/chat/ZooCodeAuthBadge.tsx
new file mode 100644
index 00000000000..90db27cdfb7
--- /dev/null
+++ b/webview-ui/src/components/chat/ZooCodeAuthBadge.tsx
@@ -0,0 +1,167 @@
+import { useEffect, useRef, useState, type CSSProperties } from "react"
+import { useExtensionState } from "@src/context/ExtensionStateContext"
+import { getZooCodeAuthUrl } from "@src/oauth/urls"
+import { vscode } from "@src/utils/vscode"
+import { cn } from "@src/lib/utils"
+
+interface ZooCodeAuthBadgeProps {
+	className?: string
+}
+
+// Generate a deterministic color from email/name
+function getAvatarColor(str: string): string {
+	const colors = ["#ef4444", "#f97316", "#eab308", "#22c55e", "#06b6d4", "#8b5cf6", "#ec4899", "#6366f1"]
+	let hash = 0
+	for (let i = 0; i < str.length; i++) {
+		hash = str.charCodeAt(i) + ((hash << 5) - hash)
+	}
+	return colors[Math.abs(hash) % colors.length]
+}
+
+// Get proper initials from name or email
+function getInitials(name?: string, email?: string): string {
+	if (name) {
+		const parts = name.trim().split(" ")
+		if (parts.length >= 2) {
+			return (parts[0][0] + parts[parts.length - 1][0]).toUpperCase()
+		}
+		return name.slice(0, 2).toUpperCase()
+	}
+	if (email) {
+		return email.slice(0, 2).toUpperCase()
+	}
+	return "?"
+}
+
+export const ZooCodeAuthBadge: React.FC<ZooCodeAuthBadgeProps> = ({ className }) => {
+	const {
+		zooCodeIsAuthenticated,
+		zooCodeUserName,
+		zooCodeUserEmail,
+		zooCodeUserImage,
+		zooCodeBaseUrl,
+		uriScheme,
+		deviceName,
+	} = useExtensionState()
+	const [isOpen, setIsOpen] = useState(false)
+	const [imageError, setImageError] = useState(false)
+	const ref = useRef<HTMLDivElement>(null)
+
+	// Close on outside click
+	useEffect(() => {
+		const handler = (e: MouseEvent) => {
+			if (ref.current && !ref.current.contains(e.target as Node)) {
+				setIsOpen(false)
+			}
+		}
+		document.addEventListener("mousedown", handler)
+		return () => document.removeEventListener("mousedown", handler)
+	}, [])
+
+	// Reset image error when image URL changes
+	useEffect(() => {
+		setImageError(false)
+	}, [zooCodeUserImage])
+
+	const authUrl = getZooCodeAuthUrl(uriScheme, zooCodeBaseUrl, deviceName)
+
+	const showImage = zooCodeIsAuthenticated && zooCodeUserImage && !imageError
+	const avatarColor = getAvatarColor(zooCodeUserEmail || zooCodeUserName || "ZC")
+	const avatarButtonStyle: CSSProperties | undefined =
+		zooCodeIsAuthenticated && !showImage ? { backgroundColor: avatarColor } : undefined
+	const menuItemClasses =
+		"block cursor-pointer px-3.5 py-2.5 text-[13px] no-underline text-[var(--vscode-menu-foreground)] hover:bg-[var(--vscode-menu-selectionBackground)]"
+
+	const handleSignOut = () => {
+		vscode.postMessage({ type: "zooCodeSignOut" })
+		setIsOpen(false)
+	}
+
+	return (
+		<div ref={ref} className={cn("relative ml-2", className)}>
+			{/* The icon button */}
+			<button
+				onClick={() => setIsOpen(!isOpen)}
+				className={cn(
+					"flex size-5 items-center justify-center overflow-hidden rounded-full p-0 transition-all duration-150",
+					"focus:outline-none focus-visible:ring-1 focus-visible:ring-vscode-focusBorder",
+					!zooCodeIsAuthenticated &&
+						"border border-vscode-descriptionForeground/50 bg-transparent text-vscode-descriptionForeground hover:border-vscode-descriptionForeground",
+					zooCodeIsAuthenticated &&
+						!showImage &&
+						"text-[9px] font-semibold text-[var(--vscode-button-foreground,#ffffff)]",
+				)}
+				style={avatarButtonStyle}
+				title={zooCodeIsAuthenticated ? `Zoo Code: ${zooCodeUserEmail || "Connected"}` : "Sign in to Zoo Code"}>
+				{zooCodeIsAuthenticated ? (
+					showImage ? (
+						<img
+							src={zooCodeUserImage}
+							alt="avatar"
+							className="size-full rounded-full object-cover"
+							onError={() => setImageError(true)}
+						/>
+					) : (
+						<span>{getInitials(zooCodeUserName, zooCodeUserEmail)}</span>
+					)
+				) : (
+					// Person icon SVG
+					<svg
+						width="10"
+						height="10"
+						viewBox="0 0 24 24"
+						fill="none"
+						stroke="currentColor"
+						strokeWidth="2.5"
+						strokeLinecap="round"
+						strokeLinejoin="round">
+						<circle cx="12" cy="8" r="4" />
+						<path d="M4 20c0-4 3.6-7 8-7s8 3 8 7" />
+					</svg>
+				)}
+			</button>
+
+			{/* Popover */}
+			{isOpen && (
+				<div
+					className={cn(
+						"absolute bottom-[calc(100%+8px)] right-0 z-[9999] min-w-[180px] overflow-hidden rounded-md shadow-lg",
+						"border border-[var(--vscode-menu-border,var(--vscode-widget-border,#3c3c3c))]",
+						"bg-[var(--vscode-menu-background)]",
+					)}>
+					{!zooCodeIsAuthenticated ? (
+						<a href={authUrl} onClick={() => setIsOpen(false)} className={menuItemClasses}>
+							Sign in to Zoo Code
+						</a>
+					) : (
+						<>
+							{zooCodeUserEmail && (
+								<div
+									className={cn(
+										"pointer-events-none select-none px-3.5 pb-1.5 pt-2 text-[11px] text-vscode-descriptionForeground",
+										"border-b border-[var(--vscode-menu-separatorBackground,var(--vscode-widget-border,#3c3c3c))]",
+									)}>
+									{zooCodeUserEmail}
+								</div>
+							)}
+							<a
+								href={`${zooCodeBaseUrl || "https://www.zoocode.dev"}/dashboard`}
+								onClick={() => setIsOpen(false)}
+								className={menuItemClasses}>
+								Go to Dashboard
+							</a>
+							<button
+								onClick={handleSignOut}
+								className={cn(
+									menuItemClasses,
+									"w-full border-none bg-transparent text-left text-vscode-errorForeground",
+								)}>
+								Sign out
+							</button>
+						</>
+					)}
+				</div>
+			)}
+		</div>
+	)
+}
diff --git a/webview-ui/src/oauth/urls.ts b/webview-ui/src/oauth/urls.ts
index 38acb839c43..8d5f7208f3b 100644
--- a/webview-ui/src/oauth/urls.ts
+++ b/webview-ui/src/oauth/urls.ts
@@ -11,3 +11,14 @@ export function getOpenRouterAuthUrl(uriScheme?: string) {
 export function getRequestyAuthUrl(uriScheme?: string) {
 	return `https://app.requesty.ai/oauth/authorize?callback_url=${getCallbackUrl("requesty", uriScheme)}`
 }
+
+const ZOO_CODE_DEFAULT_BASE_URL = "https://www.zoocode.dev"
+
+export function getZooCodeAuthUrl(uriScheme?: string, baseUrl?: string, deviceName?: string) {
+	const resolvedBaseUrl = baseUrl || ZOO_CODE_DEFAULT_BASE_URL
+	const callbackUri = getCallbackUrl("auth-callback", uriScheme)
+	const resolvedDeviceName = encodeURIComponent(deviceName || "VS Code")
+	const editor = encodeURIComponent("VS Code")
+	const version = Package.version
+	return `${resolvedBaseUrl}/dashboard/connect?device=${resolvedDeviceName}&editor=${editor}&version=${version}&callback_uri=${callbackUri}`
+}