diff --git a/src/core/auth/auth-options.ts b/src/core/auth/auth-options.ts
index b5b4898..14ab33d 100644
--- a/src/core/auth/auth-options.ts
+++ b/src/core/auth/auth-options.ts
@@ -43,7 +43,14 @@ async function refreshAuthentikToken(token: JWT): Promise {
 if (!issuer || !clientId || !clientSecret) {
 throw new Error("refresh_prerequisites_missing");
 }
- const url = `${issuer.replace(/\/$/, "")}/token/`;
+ // Authentik exposes the token endpoint at the SHARED path, not per
+ // provider. The per-provider `{issuer}/token/` returns HTTP 405 with
+ // an empty body — which then explodes our JSON.parse with
+ // "Unexpected end of JSON input". The OIDC discovery doc at
+ // {issuer}/.well-known/openid-configuration declares the correct
+ // endpoint as `https://auth.beletage.ro/application/o/token/`.
+ const issuerOrigin = new URL(issuer).origin;
+ const url = `${issuerOrigin}/application/o/token/`;
 const res = await fetch(url, {
 method: "POST",
 headers: { "Content-Type": "application/x-www-form-urlencoded" },
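Review bot: `new URL(issuer).origin` drops the issuer path and `/application/o/token/` is then hard-coded, so the refresh POST goes to a reconstructed endpoint rather than the one the provider advertises; judging by the `clientSecret` check above, that request presumably carries the client secret in a body outside this hunk. The new comment already cites `{issuer}/.well-known/openid-configuration`, so reading `token_endpoint` from that document (fetched once and cached) would be more robust and would still work if Authentik is served under a sub-path. `new URL(issuer)` also throws a bare `TypeError` on a malformed value and accepts `http:`; unless plain-HTTP issuers are needed in development, a guard such as `if (new URL(issuer).protocol !== "https:") throw new Error("refresh_issuer_not_https");` would keep the secret off cleartext transport. The 405/empty-body failure described in the comment suggests the response is parsed without checking `res.ok` first; that code, like the rest of `refreshAuthentikToken`, lies outside the hunk and should be confirmed there.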