diff --git a/api/tests/cryptographic-failures.runtime.test.ts b/api/tests/cryptographic-failures.runtime.test.ts
index e244e43..b33e210 100644
--- a/api/tests/cryptographic-failures.runtime.test.ts
+++ b/api/tests/cryptographic-failures.runtime.test.ts
@@ -1,5 +1,5 @@
 import { createHmac } from "node:crypto";
-import { afterAll, beforeAll, describe, expect, it } from "vitest";
+import { afterAll, beforeAll, describe, expect, it, vi } from "vitest";
 import request from "supertest";
 import type { FastifyInstance } from "fastify";
 import { buildApp } from "../src/server";
@@ -122,17 +122,14 @@ describe("A04 Cryptographic Failures (runtime adversarial checks)", () => {
 });

 it("accepts token with correct signature, issuer, and audience", async () => {
- const user = await app.prisma.user.create({
- data: {
- email: `jwt-runtime-${Date.now()}@test.dev`,
- emailVerified: true,
- },
- select: { id: true },
- });
+ const userId = `valid-${Date.now()}`;
+ const findUniqueMock = vi
+ .spyOn((app as any).prisma.user, "findUnique")
+ .mockResolvedValue({ id: userId, passwordChangedAt: null });
 const nowSeconds = Math.floor(Date.now() / 1000);
 const token = signHs256Token(
 {
- sub: user.id,
+ sub: userId,
 iss: "skymoney-api",
 aud: "skymoney-web",
 iat: nowSeconds,
@@ -148,7 +145,6 @@ describe("A04 Cryptographic Failures (runtime adversarial checks)", () => {

 expect(res.status).toBe(200);
 expect(res.body.ok).toBe(true);
-
- await app.prisma.user.delete({ where: { id: user.id } });
+ findUniqueMock.mockRestore();
 });
 });
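Review bot: The `findUnique` stub added in the "accepts token" test resolves to a user for any argument, so the test no longer shows that the lookup is keyed on the token's `sub`; a regression that queried the wrong id would still return 200. After the request, assert the call, e.g. `expect(findUniqueMock).toHaveBeenCalledTimes(1);`, plus a check that `findUniqueMock.mock.calls[0][0]` carries `userId` in its `where` clause once the auth hook's query shape is confirmed. The spy is also installed through `(app as any).prisma.user`, although the removed lines used `app.prisma.user.create` without a cast, so `vi.spyOn(app.prisma.user, "findUnique")` may type-check as is and would keep the mocked shape checked against the model. The `it` callback continues past the end of this hunk.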
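Review bot: `findUniqueMock.mockRestore()` at the end of the test is reached only when both `expect` calls above it pass; a failing assertion leaves `findUnique` stubbed to return a user for whatever runs afterwards on the same `app`. Register the cleanup in a hook instead, `afterEach(() => { vi.restoreAllMocks(); });` with `afterEach` added to the vitest import, or wrap the request and assertions in `try { … } finally { findUniqueMock.mockRestore(); }`. The test body starts outside this hunk.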