diff --git a/LIVE-POC.md b/LIVE-POC.md index 6319b46..fe2f4b5 100644 --- a/LIVE-POC.md +++ b/LIVE-POC.md @@ -61,3 +61,14 @@ Self-hosted on `backstage-wus2-v4` via Flux; vendor Helm chart **1.8.8** servers must be **registered** (run the server + dashboard "Add Server", type Arcade, URL + worker secret) — the tunnel pattern for local dev, or an in-cluster deploy for prod — not `arcade deploy`. Relevant to cat-4 (SDK/deploy), cat-8 (deployment), cat-9 (DX). +- **Per-user Google OAuth: consent URL works, but token does NOT vault for the headless + `Arcade-User-ID`** (verified 2026-06-18, cat-2). `tools.authorize("GoogleDocs_CreateDocumentFromText", + user_id)` stays `status=pending` for both a real id (`ztaylor@servicetitan.com`) and a fresh id + (`gdoc-test-user`) even after completing the exact consent link in-browser (Google approval 200 → + coordinator callback 303 → dashboard 200, no visible error). Provider `google-docs-provider` is + configured (mints consent URLs; scopes userinfo.email/profile + drive.file; redirect via + `coordinator.arcade.st.dev`). Root cause TBD: (A) token exchange/storage fails server-side (Google + client secret / redirect-uri misconfig), or (B) browser consent in a dashboard-logged-in session + rebinds the token to the dashboard/account identity, not the headless user_id. Next: check + `arcade-coordinator` logs for the callback/token-exchange. **Blocks headless per-user execution for + OAuth tools.** (cat-1 `whoami` exec-proof uses no external OAuth, so it's unaffected.)
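Review bot: The added bullet commits a real user's address as a test identity (`ztaylor@servicetitan.com`) in the sentence "stays `status=pending` for both a real id ... and a fresh id"; replace it with a placeholder such as `<real-user-id>`, since the finding only needs the fact that a real id and a fresh id behave the same. The root-cause sentence lists (A) and (B), but the only next step given, checking `arcade-coordinator` logs for the callback/token-exchange, mainly tests (A). Add a step that separates the two, for example repeating the consent in a browser session that is not logged in to the dashboard, or checking whether a token was stored under the dashboard/account identity instead of the headless `user_id`. If (B) turns out to be the cause, record it as an identity-binding finding and not only as a blocker: the grant would be attached to a different identity from the one that called `tools.authorize`, which matters for per-user isolation as well as for cat-2.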