diff --git a/src/commands/auth.rs b/src/commands/auth.rs
index b6fd93c..9f9305e 100644
--- a/src/commands/auth.rs
+++ b/src/commands/auth.rs
@@ -94,8 +94,10 @@ async fn do_refresh(session: &Session, pds: &str) -> Result<Session> {
 /// Refresh access token (OAuth-aware: tries OAuth first, falls back to legacy)
 pub async fn refresh_session() -> Result<Session> {
     if oauth::has_oauth_session(false) {
-        let (_oauth, session) = oauth::refresh_oauth_session(false).await?;
-        return Ok(session);
+        match oauth::refresh_oauth_session(false).await {
+            Ok((_oauth, session)) => return Ok(session),
+            Err(_) => { /* OAuth failed, fall back to legacy */ }
+        }
     }
 
     let session = token::load_session()?;
@@ -110,8 +112,10 @@ pub async fn refresh_session() -> Result<Session> {
 /// Refresh bot access token (OAuth-aware)
 pub async fn refresh_bot_session() -> Result<Session> {
     if oauth::has_oauth_session(true) {
-        let (_oauth, session) = oauth::refresh_oauth_session(true).await?;
-        return Ok(session);
+        match oauth::refresh_oauth_session(true).await {
+            Ok((_oauth, session)) => return Ok(session),
+            Err(_) => { /* OAuth failed, fall back to legacy */ }
+        }
     }
 
     let session = token::load_bot_session()?;
diff --git a/src/commands/oauth.rs b/src/commands/oauth.rs
index 1592d60..5d2d67b 100644
--- a/src/commands/oauth.rs
+++ b/src/commands/oauth.rs
@@ -636,7 +636,6 @@ fn save_oauth_session(session: &OAuthSession, is_bot: bool) -> Result<()> {
     let path = config_dir.join(filename);
     let content = serde_json::to_string_pretty(session)?;
     std::fs::write(&path, content)?;
-    println!("OAuth session saved to {:?}", path);
     Ok(())
 }
 
diff --git a/src/xrpc.rs b/src/xrpc.rs
index 5382de6..5334c08 100644
--- a/src/xrpc.rs
+++ b/src/xrpc.rs
@@ -203,13 +203,15 @@ impl XrpcClient {
     async fn dpop_request_with_retry_proxy<B: Serialize, T: DeserializeOwned>(
         &self,
         oauth: &OAuthSession,
-        token: &str,
+        _token: &str,
         method: &str,
         url: &str,
         full_url: &str,
         body: Option<&B>,
         proxy: Option<&str>,
     ) -> Result<T> {
+        // Use OAuth access_token for Authorization (must match DPoP ath)
+        let auth_token = &oauth.access_token;
         let mut dpop_nonce: Option<String> = None;
 
         for _attempt in 0..2 {
@@ -237,7 +239,7 @@ impl XrpcClient {
             }
 
             let res = builder
-                .header("Authorization", format!("DPoP {}", token))
+                .header("Authorization", format!("DPoP {}", auth_token))
                 .header("DPoP", dpop_proof)
                 .send()
                 .await
@@ -270,12 +272,13 @@ impl XrpcClient {
     async fn dpop_no_response_with_retry<B: Serialize>(
         &self,
         oauth: &OAuthSession,
-        token: &str,
+        _token: &str,
         method: &str,
         url: &str,
         full_url: &str,
         body: &B,
     ) -> Result<()> {
+        let auth_token = &oauth.access_token;
         let mut dpop_nonce: Option<String> = None;
 
         for _attempt in 0..2 {
@@ -290,7 +293,7 @@ impl XrpcClient {
                 .inner
                 .post(url)
                 .json(body)
-                .header("Authorization", format!("DPoP {}", token))
+                .header("Authorization", format!("DPoP {}", auth_token))
                 .header("DPoP", dpop_proof)
                 .send()
                 .await