diff --git a/app/main.py b/app/main.py
index f7540f9..8874042 100644
--- a/app/main.py
+++ b/app/main.py
@@ -74,6 +74,10 @@ OPENCODE_PROVIDER = os.environ.get("OPENCODE_PROVIDER", "ollama")
 if not PREVIEW_MODE and not OPENCODE_PASSWORD:
     raise RuntimeError("OPENCODE_PASSWORD not set (set PREVIEW_MODE=1 to bypass)")
 
+# Token auth: GET /auth/token?t=<TOKEN> sets a session without OAuth.
+# For headless/automated access. Token = OPENCODE_PASSWORD by default.
+AUTH_TOKEN = os.environ.get("AUTH_TOKEN", OPENCODE_PASSWORD)
+
 # -------------------------------------------------------------------------- persona config
 
 # Canonical persona definitions.  slug → {voice, backend, system_prompt_override?}
@@ -555,6 +559,21 @@ async def index(request: Request) -> Any:
     )
 
 
+@app.get("/auth/token")
+async def token_login(request: Request, t: str = "") -> Any:
+    """Token-based login for headless/automated access."""
+    if not t or t != AUTH_TOKEN:
+        raise HTTPException(status_code=403, detail="invalid token")
+    email = request.query_params.get("email", "adam.ladachowski@gmail.com")
+    request.session["user"] = {
+        "email": email,
+        "name": email.split("@")[0],
+        "picture": None,
+    }
+    log.info("token login ok: %s", email)
+    return RedirectResponse("/", status_code=302)
+
+
 @app.get("/auth/login")
 async def login(request: Request) -> Any:
     if PREVIEW_MODE: