diff --git a/app/auto_login.py b/app/auto_login.py
index 54155d9..8059fbd 100644
--- a/app/auto_login.py
+++ b/app/auto_login.py
@@ -129,6 +129,37 @@ class AutoLoginManager:
                         f"debug={debug_file}"
                     )
 
+                # Wait and validate the core login API response.
+                login_resp = None
+                try:
+                    login_resp = await page.wait_for_response(
+                        lambda r: "/users/ajax/login" in r.url and r.request.method == "POST",
+                        timeout=20000,
+                    )
+                except PlaywrightTimeoutError:
+                    login_resp = None
+
+                if login_resp is None:
+                    debug_file = await self._dump_debug_page(page)
+                    raise RuntimeError(f"login API not captured, debug={debug_file}")
+
+                try:
+                    payload = await login_resp.json()
+                except Exception:
+                    payload = None
+
+                api_ok = bool(
+                    login_resp.status == 200
+                    and isinstance(payload, dict)
+                    and payload.get("need_login") is False
+                )
+                if not api_ok:
+                    debug_file = await self._dump_debug_page(page)
+                    raise RuntimeError(
+                        "login API did not return success "
+                        f"(status={login_resp.status}, payload={payload}), debug={debug_file}"
+                    )
+
                 # Wait for redirect / callback activity.
                 while time.time() < deadline:
                     url = page.url