diff --git a/src/app/api/auth/debug/route.ts b/src/app/api/auth/debug/route.ts
new file mode 100644
index 0000000..6e97b8d
--- /dev/null
+++ b/src/app/api/auth/debug/route.ts
@@ -0,0 +1,26 @@
+import { NextResponse } from "next/server";
+import { sql } from "@/db";
+import { cookies } from "next/headers";
+
+export async function GET() {
+  const sessionToken = (await cookies()).get("tia_session")?.value;
+
+  if (!sessionToken) {
+    return NextResponse.json({ error: "no cookie" });
+  }
+
+  // Debug: show what's in sessions and family_members
+  const sessions = await sql.unsafe(
+    `SELECT s.user_id, s.session_token, fm.family_id as fm_family, fm.user_id as fm_user
+     FROM sessions s
+     LEFT JOIN family_members fm ON fm.user_id::text = s.user_id::text
+     WHERE s.session_token = $1`,
+    [sessionToken]
+  );
+
+  return NextResponse.json({
+    cookie: sessionToken?.slice(0, 20) + "...",
+    sessionsFound: sessions?.length,
+    sessions
+  });
+}
\ No newline at end of file
diff --git a/src/middleware.ts b/src/middleware.ts
index cc50a44..2cc183f 100644
--- a/src/middleware.ts
+++ b/src/middleware.ts
@@ -10,6 +10,7 @@ const publicRoutes = [
   "/api/admin/auth",
   "/api/onboarding",
   "/api/ai",
+  "/api/auth/debug",
 ];
 
 // Protected API routes that need authentication