diff --git a/src/app/api/gis/me/route.ts b/src/app/api/gis/me/route.ts
new file mode 100644
index 0000000..f31b1f4
--- /dev/null
+++ b/src/app/api/gis/me/route.ts
@@ -0,0 +1,37 @@
+import { NextResponse } from "next/server";
+import { getAuthSession } from "@/core/auth/require-auth";
+import { gisApi, GisApiError } from "@/lib/gis-api-client";
+
+export const runtime = "nodejs";
+export const dynamic = "force-dynamic";
+
+// Diagnostic proxy → gis-api /api/v1/me. Returns the claims Authentik
+// minted into the access_token, as gis-api sees them. Useful for
+// verifying that the Beletage LDAP group → enrichment_scope=full mapping
+// is actually firing for the pilot user.
+export async function GET() {
+ const session = await getAuthSession();
+ if (!session) {
+ return NextResponse.json({ error: "Unauthorized" }, { status: 401 });
+ }
+ try {
+ const data = await gisApi.me();
+ console.log(
+ "[gis-me] claims=%s",
+ JSON.stringify((data as { claims?: unknown }).claims ?? data).slice(0, 500),
+ );
+ return NextResponse.json(data);
+ } catch (err) {
+ if (err instanceof GisApiError) {
+ return NextResponse.json(
+ { error: err.code, status: err.status, body: err.body },
+ { status: err.status },
+ );
+ }
+ const msg = err instanceof Error ? err.message : String(err);
+ return NextResponse.json(
+ { error: "internal_error", hint: msg.slice(0, 200) },
+ { status: 500 },
+ );
+ }
+}
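Review bot: The catch block in `GET` returns upstream and internal error detail to the caller: `body: err.body` relays whatever gis-api sent and `hint: msg.slice(0, 200)` relays the raw exception text, which can carry internal hostnames or URLs. I would log that detail server-side and return only `{ error: err.code, status: err.status }` and `{ error: "internal_error" }`. The success path also writes up to 500 characters of token claims to the server log on every call; claims commonly include user identifiers and group names, so consider logging only the field being verified (the comment mentions `enrichment_scope`) or putting the log behind a debug switch. Since the comment describes this as a diagnostic route for one pilot user, it may also be worth restricting it beyond `if (!session)`, which admits any signed-in user; whether `gisApi.me()` uses the caller's own token is not visible in this hunk.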