diff --git a/bin/fernetkey b/bin/fernetkey
new file mode 100755
index 00000000..8bbac109
--- /dev/null
+++ b/bin/fernetkey
@@ -0,0 +1,6 @@
+#!/usr/bin/env bash
+
+# shellcheck source=bin/_config.sh
+source "$(dirname "${BASH_SOURCE[0]}")/_config.sh"
+
+_dc_run app-dev python -c 'from cryptography.fernet import Fernet;import sys; sys.stdout.write("\n" + Fernet.generate_key().decode() + "\n");'
diff --git a/env.d/development/common b/env.d/development/common
index eb5b0c54..839bc246 100644
--- a/env.d/development/common
+++ b/env.d/development/common
@@ -50,9 +50,12 @@ OIDC_REDIRECT_ALLOWED_HOSTS=["http://localhost:8083", "http://localhost:3000"]
 OIDC_AUTH_REQUEST_EXTRA_PARAMS={"acr_values": "eidas1"}
 
 # Store OIDC tokens in the session
-OIDC_STORE_ACCESS_TOKEN = True  # Store the access token in the session
-OIDC_STORE_REFRESH_TOKEN = True  # Store the encrypted refresh token in the session
-OIDC_STORE_REFRESH_TOKEN_KEY = ThisIsAnExampleKeyForDevPurposeOnly
+OIDC_STORE_ACCESS_TOKEN = True
+OIDC_STORE_REFRESH_TOKEN = True # Store the encrypted refresh token in the session.
+
+# Must be a valid Fernet key (32 url-safe base64-encoded bytes)
+# To create one, use the bin/fernetkey command.
+# OIDC_STORE_REFRESH_TOKEN_KEY="your-32-byte-encryption-key=="
 
 # AI
 AI_FEATURE_ENABLED=true
diff --git a/src/backend/core/tests/test_models_documents.py b/src/backend/core/tests/test_models_documents.py
index 48bda0cd..91f41707 100644
--- a/src/backend/core/tests/test_models_documents.py
+++ b/src/backend/core/tests/test_models_documents.py
@@ -1713,9 +1713,16 @@ def test_models_documents_post_save_indexer_deleted(mock_push, indexer_settings)
     user = factories.UserFactory()
 
     with transaction.atomic():
-        doc = factories.DocumentFactory()
-        doc_deleted = factories.DocumentFactory()
-        doc_ancestor_deleted = factories.DocumentFactory(parent=doc_deleted)
+        doc = factories.DocumentFactory(
+            link_reach=models.LinkReachChoices.AUTHENTICATED
+        )
+        doc_deleted = factories.DocumentFactory(
+            link_reach=models.LinkReachChoices.AUTHENTICATED
+        )
+        doc_ancestor_deleted = factories.DocumentFactory(
+            parent=doc_deleted,
+            link_reach=models.LinkReachChoices.AUTHENTICATED,
+        )
         doc_deleted.soft_delete()
         doc_ancestor_deleted.ancestors_deleted_at = doc_deleted.deleted_at
 
@@ -1768,9 +1775,16 @@ def test_models_documents_post_save_indexer_restored(mock_push, indexer_settings
     user = factories.UserFactory()
 
     with transaction.atomic():
-        doc = factories.DocumentFactory()
-        doc_deleted = factories.DocumentFactory()
-        doc_ancestor_deleted = factories.DocumentFactory(parent=doc_deleted)
+        doc = factories.DocumentFactory(
+            link_reach=models.LinkReachChoices.AUTHENTICATED
+        )
+        doc_deleted = factories.DocumentFactory(
+            link_reach=models.LinkReachChoices.AUTHENTICATED
+        )
+        doc_ancestor_deleted = factories.DocumentFactory(
+            parent=doc_deleted,
+            link_reach=models.LinkReachChoices.AUTHENTICATED,
+        )
         doc_deleted.soft_delete()
         doc_ancestor_deleted.ancestors_deleted_at = doc_deleted.deleted_at