diff --git a/scripts/bootstrap/bootstrap-local.sh b/scripts/bootstrap/bootstrap-local.sh
index 54bbad5e4..f273f7471 100755
--- a/scripts/bootstrap/bootstrap-local.sh
+++ b/scripts/bootstrap/bootstrap-local.sh
@@ -246,11 +246,24 @@ phase_4_ansible() {
 require_env FORGEJO_ADMIN_TOKEN
- # Fetch a runner registration token.
+ # Try to auto-fetch a runner registration token. The /actions/runners/
+ # registration-token endpoint sometimes hangs or 404s depending on the
+ # Forgejo version + token scope. On failure, fall back to a manual
+ # prompt (operator generates a token in the UI).
 info "fetching runner registration token from Forgejo"
 local reg_token
- reg_token=$(forgejo_get_runner_token "$FORGEJO_OWNER" "$FORGEJO_REPO") \
- || die "runner registration token fetch failed"
+ if reg_token=$(forgejo_get_runner_token "$FORGEJO_OWNER" "$FORGEJO_REPO"); then
+ ok "got runner registration token (${#reg_token} chars)"
+ else
+ warn "auto-fetch failed (timeout or scope) — falling back to manual prompt"
+ warn ""
+ warn "Generate the token at :"
+ warn " $FORGEJO_API_URL/$FORGEJO_OWNER/$FORGEJO_REPO/settings/actions/runners"
+ warn " → 'Create new runner' → copy the token (looks like a 40-char hex)"
+ warn ""
+ prompt_password reg_token "paste runner registration token (input hidden)"
+ [[ -n "$reg_token" ]] || die "no token provided"
+ fi
 cd "$REPO_ROOT/infra/ansible"
diff --git a/scripts/bootstrap/bootstrap-r720.sh b/scripts/bootstrap/bootstrap-r720.sh
index 0340922f0..2e486b5df 100755
--- a/scripts/bootstrap/bootstrap-r720.sh
+++ b/scripts/bootstrap/bootstrap-r720.sh
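Review bot: The new `else` branch in bootstrap-local.sh's phase_4_ansible replaces a fail-fast `die` with an interactive prompt, without checking that a terminal is attached. On an unattended run (CI, a pipe, a scheduled re-run) the outcome depends on `prompt_password`, which is defined outside this hunk and presumably either blocks or reads an empty value. A guard such as `[[ -t 0 ]] || die "runner token auto-fetch failed and no TTY for manual entry"` ahead of the `warn` lines would keep the old behaviour for non-interactive runs. The same fallback is added to phase_4_ansible in bootstrap-r720.sh, and the function body continues outside both hunks.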
@@ -153,8 +153,14 @@ phase_4_ansible() {
 info "fetching runner registration token from Forgejo"
 local reg_token
- reg_token=$(forgejo_get_runner_token "$FORGEJO_OWNER" "$FORGEJO_REPO") \
- || die "runner registration token fetch failed"
+ if reg_token=$(forgejo_get_runner_token "$FORGEJO_OWNER" "$FORGEJO_REPO"); then
+ ok "got runner registration token (${#reg_token} chars)"
+ else
+ warn "auto-fetch failed — generate manually at :"
+ warn " $FORGEJO_API_URL/$FORGEJO_OWNER/$FORGEJO_REPO/settings/actions/runners"
+ prompt_password reg_token "paste runner registration token (input hidden)"
+ [[ -n "$reg_token" ]] || die "no token provided"
+ fi
 cd "$REPO_ROOT/infra/ansible"
diff --git a/scripts/bootstrap/lib.sh b/scripts/bootstrap/lib.sh
index 964f0e816..d50517b71 100755
--- a/scripts/bootstrap/lib.sh
+++ b/scripts/bootstrap/lib.sh
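Review bot: The fetch-or-prompt block in bootstrap-r720.sh is a second copy of the one added to bootstrap-local.sh, and the two already differ in their `warn` text, so the operator guidance will drift between the scripts. Since both source lib.sh, the fetch, the hint URL, the `prompt_password` call and the empty check could live in one lib.sh function that each phase_4_ansible calls. That would also give a single place to tighten how the pasted token is handled.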
@@ -208,9 +208,28 @@ forgejo_set_var() {
 fi
 }
+# Try to fetch a per-repo runner registration token. Returns the token
+# on stdout if successful ; returns empty + non-zero if the endpoint
+# hangs / 404s / requires a higher scope. Caller should fall back to
+# prompting the operator for a manually-generated token.
+#
+# NB: --max-time 10 (down from forgejo_api's default 30) — this
+# endpoint is sometimes slow on the Forgejo side ; we'd rather fail
+# fast and prompt than wait 30s on every bootstrap re-run.
 forgejo_get_runner_token() {
- local owner=$1 repo=$2
- forgejo_api GET "/repos/$owner/$repo/actions/runners/registration-token" \
- | jq -er '.token // empty' \
- || die "failed to fetch runner registration token (admin scope ?)"
+ local owner=$1 repo=$2 token=""
+ local insecure=()
+ [[ "${FORGEJO_INSECURE:-0}" == "1" ]] && insecure=(-k)
+
+ token=$(curl -fsSL "${insecure[@]}" --max-time 10 \
+ -H "Authorization: token ${FORGEJO_ADMIN_TOKEN:?}" \
+ -H "Accept: application/json" \
+ "$FORGEJO_API_URL/api/v1/repos/$owner/$repo/actions/runners/registration-token" 2>/dev/null \
+ | jq -r '.token // empty' 2>/dev/null || true)
+
+ if [[ -n "$token" ]]; then
+ printf '%s' "$token"
+ return 0
+ fi
+ return 1
 }
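Review bot: The new curl call in forgejo_get_runner_token puts the admin token on the command line (`-H "Authorization: token ${FORGEJO_ADMIN_TOKEN:?}"`), where other local users may be able to read it from the process list for up to the 10-second timeout. curl can read the header from a file instead, e.g. `-H @<(printf 'Authorization: token %s\n' "${FORGEJO_ADMIN_TOKEN:?}")`, which keeps it out of argv because `printf` is a shell builtin. Separately, `2>/dev/null` together with `|| true` makes a 401, a certificate verification failure and a timeout indistinguishable, yet the caller then reports the cause as "timeout or scope". Capturing curl's exit status and reporting it on stderr before `return 1` would keep the fallback while leaving a trace of the real cause. `forgejo_api` is outside this hunk and may share the argv pattern.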