diff --git a/scripts/bootstrap-drone-oauth.sh b/scripts/bootstrap-drone-oauth.sh
index 609a27b..78137b3 100644
--- a/scripts/bootstrap-drone-oauth.sh
+++ b/scripts/bootstrap-drone-oauth.sh
@@ -33,16 +33,22 @@ curl -s -b "$cj" -c "$cj" -o /dev/null \
 # 2) Drone /login -> Gitea authorize URL.
 loc=$(curl -sk -c "$dj" -o /dev/null -D - "${RES[@]}" "$DRONE/login" \
 | awk 'tolower($1)=="location:"{print $2}' | tr -d '\r')
-curl -sk -b "$cj" -c "$cj" -o "$az" "$loc"
+azh=$(mktemp); trap 'rm -f "$cj" "$dj" "$az" "$azh"' EXIT
+curl -sk -b "$cj" -c "$cj" -o "$az" -D "$azh" "$loc"
-# 3) Grant consent -> code callback -> complete Drone login (sets Drone session).
-acsrf=$(grep -oE 'name="_csrf" value="[^"]*"' "$az" | head -1 | sed -E 's/.*value="([^"]*)".*/\1/')
-state=$(grep -oE 'name="state" value="[^"]*"' "$az" | head -1 | sed -E 's/.*value="([^"]*)".*/\1/')
-cb=$(curl -sk -b "$cj" -c "$cj" -o /dev/null -D - \
- --data-urlencode "_csrf=$acsrf" --data-urlencode "client_id=$CLIENT_ID" \
- --data-urlencode "state=$state" --data-urlencode "scope=" --data-urlencode "nonce=" \
- --data-urlencode "redirect_uri=$DRONE/login" --data-urlencode "granted=true" \
- "$GITEA/login/oauth/grant" | awk 'tolower($1)=="location:"{print $2}' | tr -d '\r')
+# 3) Either the OAuth app auto-approves (bot already granted it earlier => Gitea 302s straight to the
+# code callback, no consent form) or it shows a consent form we must POST. Handle both.
+cb=$(awk 'tolower($1)=="location:"{print $2}' "$azh" | tr -d '\r')
+if [ -z "$cb" ]; then
+ acsrf=$(grep -oE 'name="_csrf" value="[^"]*"' "$az" | head -1 | sed -E 's/.*value="([^"]*)".*/\1/')
+ state=$(grep -oE 'name="state" value="[^"]*"' "$az" | head -1 | sed -E 's/.*value="([^"]*)".*/\1/')
+ cb=$(curl -sk -b "$cj" -c "$cj" -o /dev/null -D - \
+ --data-urlencode "_csrf=$acsrf" --data-urlencode "client_id=$CLIENT_ID" \
+ --data-urlencode "state=$state" --data-urlencode "scope=" --data-urlencode "nonce=" \
+ --data-urlencode "redirect_uri=$DRONE/login" --data-urlencode "granted=true" \
+ "$GITEA/login/oauth/grant" | awk 'tolower($1)=="location:"{print $2}' | tr -d '\r')
+fi
+# code callback -> complete Drone login (sets Drone session + persists the token in Drone's volume).
 curl -sk -b "$dj" -c "$dj" -o /dev/null -L "${RES[@]}" "$cb"
 # 4) Verify + sync + activate the repo.
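Review bot: The new `cb=$(awk … "$azh" | tr -d '\r')` line accepts any `Location:` header from the authorize request as the code callback, so a redirect to the Gitea sign-in page (a bot session that did not take) or an OAuth error redirect is handed to the final `curl … -L "${RES[@]}" "$cb"` as if the grant had succeeded. Because every request in this hunk runs with `-k`, that header is also not authenticated by TLS, and the script then follows it with the Drone cookie jar. Validate the value after `fi` and before the last curl so both branches are covered: `case "$cb" in "$DRONE/login?"*code=*) ;; *) echo "unexpected OAuth redirect: $cb" >&2; exit 1 ;; esac`. The script starts before and continues after this hunk, so if an EXIT trap was set earlier the new `trap` line replaces it; confirm it lists every temp file created above.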