diff --git a/src/mcpd/src/main.ts b/src/mcpd/src/main.ts
index 4f7ce38..71545fa 100644
--- a/src/mcpd/src/main.ts
+++ b/src/mcpd/src/main.ts
@@ -315,10 +315,13 @@ async function main(): Promise {
 const backupService = new BackupService(serverRepo, projectRepo, secretRepo, userRepo, groupRepo, rbacDefinitionRepo, promptRepo, templateRepo);
 const restoreService = new RestoreService(serverRepo, projectRepo, secretRepo, userRepo, groupRepo, rbacDefinitionRepo, promptRepo, templateRepo);
- // Auth middleware for global hooks
- const authMiddleware = createAuthMiddleware({
- findSession: (token) => authService.findSession(token),
- findMcpToken: async (tokenHash) => {
+ // Shared auth dependencies. Both the global auth hook and the per-route
+ // preHandler on /api/v1/mcp/proxy must know how to resolve both session
+ // bearers AND mcpctl_pat_ bearers, or mcplocal→mcpd proxy calls with a
+ // McpToken will 401 at the route layer even though the global hook accepts them.
+ const authDeps = {
+ findSession: (token: string) => authService.findSession(token),
+ findMcpToken: async (tokenHash: string) => {
 const row = await mcpTokenRepo.findByHash(tokenHash);
 if (row === null) return null;
 return {
@@ -332,7 +335,8 @@ async function main(): Promise {
 revokedAt: row.revokedAt,
 };
 },
- });
+ };
+ const authMiddleware = createAuthMiddleware(authDeps);
 // Server
 const app = await createServer(config, {
@@ -436,7 +440,7 @@ async function main(): Promise {
 registerMcpProxyRoutes(app, {
 mcpProxyService,
 auditLogService,
- authDeps: { findSession: (token) => authService.findSession(token) },
+ authDeps,
 });
 registerRbacRoutes(app, rbacDefinitionService);
 registerUserRoutes(app, userService);
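Review bot: In the first hunk, `authDeps` is a bare object literal, so its shape is no longer checked where it is declared; that is why the callbacks had to gain explicit `(token: string)` and `(tokenHash: string)` annotations. Since this object is now the single source of auth resolution for two consumers, I would bind it to the middleware's own parameter type, for example `const authDeps: Parameters<typeof createAuthMiddleware>[0] = {`, so a later change to the dependency contract fails at this declaration rather than silently at one call site. Whether `registerMcpProxyRoutes` declares the same dependency type is not visible here and should be confirmed. The body of `main()` and the middle of the `findMcpToken` mapping lie outside the hunk.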
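Review bot: Passing the full `authDeps` to `registerMcpProxyRoutes` in the third hunk makes the per-route preHandler on the proxy route start resolving `mcpctl_pat_` bearers, and nothing in this diff shows that it rejects revoked tokens the way the global hook presumably does. `findMcpToken` returns the row with `revokedAt` populated instead of returning null for a revoked token, so each consumer has to make that check itself; the preHandler is outside the diff, so this needs confirming. A regression test alongside the change would pin the behaviour: a proxy request carrying a revoked McpToken gets 401, and one carrying a valid McpToken reaches the handler. I would also add a short comment at the call, such as `// authDeps resolves session and McpToken bearers; the preHandler must reject revoked tokens`, so the widened credential surface is visible at the route registration.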