diff --git a/caddytest/spec/http/forward_auth/spec.hurl b/caddytest/spec/http/forward_auth/spec.hurl
new file mode 100644
index 000000000..e863c9e9a
--- /dev/null
+++ b/caddytest/spec/http/forward_auth/spec.hurl
@@ -0,0 +1,132 @@
+# Configure Caddy with forward_auth directive
+POST http://localhost:2019/load
+Content-Type: text/caddyfile
+```
+{
+	skip_install_trust
+	http_port     9080
+	https_port    9443
+	local_certs
+}
+localhost {
+	forward_auth localhost:9080 {
+		uri /auth
+	}
+	respond "Protected content"
+}
+http://localhost:9080 {
+	handle /auth {
+		respond 200
+	}
+}
+```
+
+# forward_auth allows request when auth endpoint returns 2xx
+GET https://localhost:9443
+[Options]
+delay: 500ms
+insecure: true
+HTTP 200
+[Asserts]
+body == "Protected content"
+
+
+# Configure Caddy with forward_auth rejecting
+POST http://localhost:2019/load
+Content-Type: text/caddyfile
+```
+{
+	skip_install_trust
+	http_port     9080
+	https_port    9443
+	local_certs
+}
+localhost {
+	forward_auth localhost:9080 {
+		uri /auth
+	}
+	respond "Protected content"
+}
+http://localhost:9080 {
+	handle /auth {
+		respond 401
+	}
+}
+```
+
+# forward_auth blocks request when auth endpoint returns 4xx
+GET https://localhost:9443
+[Options]
+delay: 500ms
+insecure: true
+HTTP 401
+
+
+# Configure Caddy with forward_auth copying headers
+POST http://localhost:2019/load
+Content-Type: text/caddyfile
+```
+{
+	skip_install_trust
+	http_port     9080
+	https_port    9443
+	local_certs
+}
+localhost {
+	forward_auth localhost:9080 {
+		uri /auth
+		copy_headers X-User-ID X-User-Email
+	}
+	respond "User: {header.X-User-ID}, Email: {header.X-User-Email}"
+}
+http://localhost:9080 {
+	handle /auth {
+		header X-User-ID "user123"
+		header X-User-Email "user@example.com"
+		respond 200
+	}
+}
+```
+
+# forward_auth copies specified headers from auth response
+GET https://localhost:9443
+[Options]
+delay: 500ms
+insecure: true
+HTTP 200
+[Asserts]
+body == "User: user123, Email: user@example.com"
+
+
+# Configure Caddy with forward_auth and custom headers
+POST http://localhost:2019/load
+Content-Type: text/caddyfile
+```
+{
+	skip_install_trust
+	http_port     9080
+	https_port    9443
+	local_certs
+}
+localhost {
+	forward_auth localhost:9080 {
+		uri /auth
+		header_up X-Original-URL {uri}
+	}
+	respond "OK"
+}
+http://localhost:9080 {
+	handle /auth {
+		respond "{header.X-Original-URL}"
+	}
+}
+```
+
+# forward_auth can send custom headers to auth endpoint
+GET https://localhost:9443/test/path
+[Options]
+delay: 500ms
+insecure: true
+HTTP 200
+[Asserts]
+body == "OK"