diff --git a/src/core/auth/auth-options.ts b/src/core/auth/auth-options.ts
index d949b55..0a35617 100644
--- a/src/core/auth/auth-options.ts
+++ b/src/core/auth/auth-options.ts
@@ -7,10 +7,23 @@ export const authOptions: NextAuthOptions = {
 clientId: process.env.AUTHENTIK_CLIENT_ID || "",
 clientSecret: process.env.AUTHENTIK_CLIENT_SECRET || "",
 issuer: process.env.AUTHENTIK_ISSUER || "",
+ authorization: {
+ params: {
+ scope:
+ process.env.AUTHENTIK_SCOPES ||
+ "openid email profile enrichment",
+ },
+ },
 }),
 ],
 callbacks: {
- async jwt({ token, user, profile }) {
+ async jwt({ token, user, profile, account }) {
+ // First sign-in: capture Authentik OIDC access_token so api.gis.ac
+ // calls can forward it. Carries enrichment_scope + is_beletage_group
+ // claims (mapped server-side in Authentik from LDAP group Arhitecti).
+ if (account?.access_token) {
+ token.accessToken = account.access_token;
+ }
 if (user) {
 token.id = user.id;
 }
@@ -41,6 +54,7 @@ export const authOptions: NextAuthOptions = {
 (session.user as any).role = token.role || "user";
 (session.user as any).company = token.company || "group";
 }
+ (session as any).accessToken = token.accessToken;
 return session;
 },
 },
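Review bot: `token.accessToken = account.access_token;` stores the Authentik access token without its lifetime, and because `account` is only populated on the initial sign-in the NextAuth JWT will keep forwarding that same token to api.gis.ac after it has expired, with no way for the caller to tell. Record the expiry next to it so downstream code can detect staleness and a refresh path can be added later: `token.accessToken = account.access_token;` followed by `token.accessTokenExpires = account.expires_at;` (NextAuth's `Account` carries `expires_at` when the provider's token response includes it — confirm Authentik returns it). The comment's claim that the token carries `enrichment_scope`/`is_beletage_group` from the LDAP group mapping describes Authentik-side configuration that nothing in this file checks, so it should be worded as an expectation, e.g. `// expected to carry enrichment_scope / is_beletage_group claims (Authentik property mapping); the API must still validate them`. The body of `jwt` continues past the end of the hunk.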
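Review bot: `(session as any).accessToken = token.accessToken;` copies the provider access token onto the session object that NextAuth serialises to the browser via the session endpoint, so it becomes readable by any script running on the page and is no longer confined to the encrypted JWT cookie. If the api.gis.ac calls are made from server code (route handlers, server components), read the token there with `getToken()` from `next-auth/jwt` and leave it off the session; only expose it here if the client genuinely has to hold it, and document that trade-off in a comment such as `// exposes the Authentik access token to client-side code; remove once API calls are proxied server-side`. On style, the `as any` cast hides the new field from the type checker; augment the type instead, `declare module "next-auth" { interface Session { accessToken?: string } }`, which also removes the casts on the lines above. The `session` callback begins before this hunk.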