diff --git a/backend/src/main/java/org/raddatz/familienarchiv/auth/AuthService.java b/backend/src/main/java/org/raddatz/familienarchiv/auth/AuthService.java
index 8ce1219d..8377a78a 100644
--- a/backend/src/main/java/org/raddatz/familienarchiv/auth/AuthService.java
+++ b/backend/src/main/java/org/raddatz/familienarchiv/auth/AuthService.java
@@ -75,6 +75,7 @@ public class AuthService {
     }
 
     public int revokeOtherSessions(String currentSessionId, String principalName) {
+        if (sessionRepository == null) return 0;
         int count = 0;
         for (String id : sessionRepository.findByPrincipalName(principalName).keySet()) {
             if (!id.equals(currentSessionId)) {
@@ -86,6 +87,7 @@ public class AuthService {
     }
 
     public int revokeAllSessions(String principalName) {
+        if (sessionRepository == null) return 0;
         var sessions = sessionRepository.findByPrincipalName(principalName);
         sessions.keySet().forEach(sessionRepository::deleteById);
         return sessions.size();
diff --git a/backend/src/test/java/org/raddatz/familienarchiv/auth/AuthServiceTest.java b/backend/src/test/java/org/raddatz/familienarchiv/auth/AuthServiceTest.java
index 3dc4d018..1366dbc5 100644
--- a/backend/src/test/java/org/raddatz/familienarchiv/auth/AuthServiceTest.java
+++ b/backend/src/test/java/org/raddatz/familienarchiv/auth/AuthServiceTest.java
@@ -214,4 +214,24 @@ class AuthServiceTest {
         verify(sessionRepository).deleteById("session-1");
         verify(sessionRepository).deleteById("session-2");
     }
+
+    // ─── null-guard when sessionRepository is unavailable ────────────────────
+
+    @Test
+    void revokeAllSessions_returns_zero_when_sessionRepository_is_null() {
+        ReflectionTestUtils.setField(authService, "sessionRepository", null);
+
+        int count = authService.revokeAllSessions("user@test.de");
+
+        assertThat(count).isEqualTo(0);
+    }
+
+    @Test
+    void revokeOtherSessions_returns_zero_when_sessionRepository_is_null() {
+        ReflectionTestUtils.setField(authService, "sessionRepository", null);
+
+        int count = authService.revokeOtherSessions("session-keep", "user@test.de");
+
+        assertThat(count).isEqualTo(0);
+    }
 }