diff --git a/bincio/auth/deps.py b/bincio/auth/deps.py
index b4d5d9a..aa590a1 100644
--- a/bincio/auth/deps.py
+++ b/bincio/auth/deps.py
@@ -68,7 +68,12 @@ def _issue_jwt(user: User) -> str:
 _ID_TOKEN_TTL = 3600 # 1 hour — short-lived; clients use refresh or re-auth
 
 
-def _issue_id_token(user: User, client_id: str, nonce: str | None = None) -> str:
+def _issue_id_token(
+    user: User,
+    client_id: str,
+    nonce: str | None = None,
+    ttl: int | None = None,
+) -> str:
     """Issue an RS256 OIDC id_token for the given user and client."""
     claims: dict = {
         "iss": oidc_issuer,
@@ -83,7 +88,7 @@ def _issue_id_token(user: User, client_id: str, nonce: str | None = None) -> str
     }
     if nonce:
         claims["nonce"] = nonce
-    return create_id_token(claims, oidc_private_key_pem, _ID_TOKEN_TTL)
+    return create_id_token(claims, oidc_private_key_pem, ttl if ttl is not None else _ID_TOKEN_TTL)
 
 
 # ── Rate limiting ─────────────────────────────────────────────────────────────
diff --git a/bincio/auth/routers/auth.py b/bincio/auth/routers/auth.py
index bbd58de..2a2eea3 100644
--- a/bincio/auth/routers/auth.py
+++ b/bincio/auth/routers/auth.py
@@ -40,7 +40,10 @@ async def login(body: LoginRequest, request: Request) -> JSONResponse:
     if not user:
         raise HTTPException(401, "Invalid credentials")
 
-    token = deps._issue_jwt(user)
+    if deps.oidc_private_key_pem:
+        token = deps._issue_id_token(user, client_id="bincio", ttl=deps._JWT_TTL)
+    else:
+        token = deps._issue_jwt(user)
     resp = JSONResponse({
         "ok": True,
         "handle": user.handle,
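Review bot: The docstring of `_issue_id_token` is unchanged although the signature gains a `ttl` parameter, so its meaning is only discoverable from the fallback on the return line in the next hunk; add a line such as `ttl: token lifetime in seconds; falls back to _ID_TOKEN_TTL when None.` to the docstring. Nothing rejects a zero or negative `ttl`, which would mint an already-expired or oddly-timed token instead of failing loudly; a guard like `if ttl is not None and ttl <= 0: raise ValueError("ttl must be positive")` ahead of the return would surface caller mistakes. The function body continues in the following hunk.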
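Review bot: The conditional expression folded into the `create_id_token` call on the changed return line pushes it well past a typical line length and buries the fallback inside the argument list. Binding it first, `effective_ttl = _ID_TOKEN_TTL if ttl is None else ttl` followed by `return create_id_token(claims, oidc_private_key_pem, effective_ttl)`, reads more plainly and gives the fallback a name a reader can search for. `_issue_id_token` starts in the previous hunk.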
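Review bot: The new branch in `login` makes an OIDC id_token the session credential whenever `deps.oidc_private_key_pem` is set, so the token a client receives now differs in format and signing key depending on deployment configuration; whatever validates the session token on later requests must accept both shapes, and that path is not visible in this diff. Because `_ID_TOKEN_TTL` is commented as deliberately short-lived and `ttl=deps._JWT_TTL` overrides it, the id_token's lifetime becomes whatever the session TTL is — if `_JWT_TTL` exceeds 3600 this lengthens the validity window of a token presumably carrying `bincio` as its audience, and an id_token minted here would be hard to tell apart from one issued through the regular OIDC flow unless a claim distinguishes them. The literal `client_id="bincio"` should become a named module constant with a comment, e.g. `_SESSION_CLIENT_ID = "bincio"  # audience for id_tokens issued as first-party session tokens`, and the branch deserves a one-line comment stating why an id_token is preferred when a signing key is configured. `login` starts before this hunk and its body continues past it.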