diff --git a/src/aegis_gitea_mcp/server.py b/src/aegis_gitea_mcp/server.py
index 8afba44..29bc139 100644
--- a/src/aegis_gitea_mcp/server.py
+++ b/src/aegis_gitea_mcp/server.py
@@ -830,7 +830,12 @@ async def _execute_tool_call(
         if not user_token:
             raise HTTPException(status_code=401, detail="Missing authenticated user token context")
 
-        async with GiteaClient(token=user_token) as gitea:
+        # In OAuth mode, Gitea OIDC access_tokens can't call the Gitea REST API
+        # (they only carry OIDC scopes).  If a service PAT is configured via
+        # GITEA_TOKEN, use that for API calls while OIDC handles identity/authz.
+        api_token = settings.gitea_token.strip() if settings.gitea_token.strip() else user_token
+
+        async with GiteaClient(token=api_token) as gitea:
             result = await handler(gitea, arguments)
 
         if settings.secret_detection_mode != "off":