diff --git a/scripts/bootstrap/bootstrap-local.sh b/scripts/bootstrap/bootstrap-local.sh
index 75b311ad1..38f25b758 100755
--- a/scripts/bootstrap/bootstrap-local.sh
+++ b/scripts/bootstrap/bootstrap-local.sh
@@ -263,32 +263,52 @@ phase_3_forgejo() {
     fi
 
     require_env FORGEJO_ADMIN_TOKEN \
-        "create at $FORGEJO_API_URL/-/user/settings/applications (scopes: write:admin, write:repository, write:package)"
+        "create at $FORGEJO_API_URL/-/user/settings/applications (scopes: write:repository + write:package, optionally write:admin to auto-create registry tokens)"
 
-    info "checking Forgejo API reachability"
-    if ! curl -fsSL --max-time 10 \
-            -H "Authorization: token $FORGEJO_ADMIN_TOKEN" \
-            "$FORGEJO_API_URL/api/v1/user" >/dev/null 2>&1; then
-        TALAS_HINT="check FORGEJO_API_URL ($FORGEJO_API_URL) ; if no DNS yet, try FORGEJO_API_URL=http://10.0.20.105:3000"
-        die "Forgejo API unreachable or token invalid"
+    local insecure=()
+    [[ "${FORGEJO_INSECURE:-0}" == "1" ]] && insecure=(-k)
+
+    info "checking Forgejo API reachability (no-auth /version probe)"
+    if ! curl -fsSL "${insecure[@]}" --max-time 10 \
+            "$FORGEJO_API_URL/api/v1/version" >/dev/null 2>&1; then
+        TALAS_HINT="check FORGEJO_API_URL ($FORGEJO_API_URL) ; for self-signed certs set FORGEJO_INSECURE=1 in .env ; verify WireGuard if URL is on the LAN"
+        die "Forgejo API unreachable"
     fi
-    ok "Forgejo API reachable, token valid"
+    ok "Forgejo API reachable"
 
-    info "checking repo $FORGEJO_OWNER/$FORGEJO_REPO exists"
+    info "checking repo $FORGEJO_OWNER/$FORGEJO_REPO + token has write access"
     if ! forgejo_api GET "/repos/$FORGEJO_OWNER/$FORGEJO_REPO" >/dev/null 2>&1; then
-        TALAS_HINT="set FORGEJO_OWNER + FORGEJO_REPO env vars (currently $FORGEJO_OWNER/$FORGEJO_REPO)"
-        die "repo $FORGEJO_OWNER/$FORGEJO_REPO not found"
+        TALAS_HINT="verify FORGEJO_OWNER + FORGEJO_REPO (currently $FORGEJO_OWNER/$FORGEJO_REPO) ; verify token scope includes read:repository"
+        die "repo $FORGEJO_OWNER/$FORGEJO_REPO not found or token lacks read:repository"
     fi
+    ok "repo + token OK"
 
-    # Create a long-lived registry token via the API.
-    info "creating a registry token (write:package)"
-    local registry_token
-    registry_token=$(forgejo_api POST "/users/$FORGEJO_OWNER/tokens" \
-            --data "$(jq -nc --arg n "veza-deploy-registry-$(date +%s)" \
-                                --argjson s '["write:package", "read:package"]' \
-                                '{name: $n, scopes: $s}')" \
-            | jq -er '.sha1 // empty') \
-        || die "could not create registry token via API ; create one manually at $FORGEJO_API_URL/-/user/settings/applications and re-run with FORGEJO_REGISTRY_TOKEN env var set"
+    # Try to auto-create a registry token. Falls back to asking the operator
+    # for one if the admin token doesn't have write:admin scope.
+    local registry_token=""
+    if [[ -n "${FORGEJO_REGISTRY_TOKEN:-}" ]]; then
+        info "using FORGEJO_REGISTRY_TOKEN from environment (skipping auto-create)"
+        registry_token="$FORGEJO_REGISTRY_TOKEN"
+    else
+        info "trying to auto-create a registry token (needs write:admin scope on admin token)"
+        local resp
+        resp=$(forgejo_api POST "/users/$FORGEJO_OWNER/tokens" \
+                --data "$(jq -nc --arg n "veza-deploy-registry-$(date +%s)" \
+                                    --argjson s '["write:package", "read:package"]' \
+                                    '{name: $n, scopes: $s}')" 2>/dev/null \
+            || true)
+        registry_token=$(echo "$resp" | jq -r '.sha1 // empty' 2>/dev/null || true)
+        if [[ -z "$registry_token" ]]; then
+            warn "auto-create failed (admin token lacks write:admin or sudo)"
+            warn "create the token manually :"
+            warn "  $FORGEJO_API_URL/-/user/settings/applications"
+            warn "  → 'Generate New Token' → name 'veza-deploy-registry'"
+            warn "  → scopes: write:package, read:package"
+            prompt_password registry_token "paste the token value (input hidden)"
+        else
+            ok "auto-created registry token (${#registry_token} chars)"
+        fi
+    fi
 
     forgejo_set_secret "$FORGEJO_OWNER" "$FORGEJO_REPO" FORGEJO_REGISTRY_TOKEN "$registry_token"
     forgejo_set_secret "$FORGEJO_OWNER" "$FORGEJO_REPO" ANSIBLE_VAULT_PASSWORD "$(cat "$VAULT_PASS")"
diff --git a/scripts/bootstrap/verify-local.sh b/scripts/bootstrap/verify-local.sh
index e9583c7d1..f3fe427ee 100755
--- a/scripts/bootstrap/verify-local.sh
+++ b/scripts/bootstrap/verify-local.sh
@@ -120,8 +120,9 @@ if [[ -n "${FORGEJO_ADMIN_TOKEN:-}" ]]; then
     _CURL_OPTS=()
     [[ "${FORGEJO_INSECURE:-0}" == "1" ]] && _CURL_OPTS+=(-k)
 
+    # /version is auth-free → reachability only ; /repos/.. tests auth + scope.
     check_with_hint "Forgejo API reachable" \
-        "curl -fsSL ${_CURL_OPTS[*]} --max-time 10 -H 'Authorization: token $FORGEJO_ADMIN_TOKEN' $FORGEJO_API_URL/api/v1/user" \
+        "curl -fsSL ${_CURL_OPTS[*]} --max-time 10 $FORGEJO_API_URL/api/v1/version" \
         "set FORGEJO_API_URL ; for self-signed certs, set FORGEJO_INSECURE=1 in .env"
     check_with_hint "repo $FORGEJO_OWNER/$FORGEJO_REPO exists" \
         "curl -fsSL ${_CURL_OPTS[*]} -H 'Authorization: token $FORGEJO_ADMIN_TOKEN' $FORGEJO_API_URL/api/v1/repos/$FORGEJO_OWNER/$FORGEJO_REPO" \