diff --git a/cmd/credential-helper/main.go b/cmd/credential-helper/main.go
index 2894006..bf8087d 100644
--- a/cmd/credential-helper/main.go
+++ b/cmd/credential-helper/main.go
@@ -541,12 +541,16 @@ func isTerminal(f *os.File) bool {
 
 // validateCredentials checks if the credentials are still valid by making a test request
 func validateCredentials(appViewURL, handle, deviceSecret string) bool {
-	// Make a request to /v2/ which requires authentication
+	// Call /auth/token to validate device secret and get JWT
+	// This is the proper way to validate credentials - /v2/ requires JWT, not Basic Auth
 	client := &http.Client{
 		Timeout: 5 * time.Second,
 	}
 
-	req, err := http.NewRequest("GET", appViewURL+"/v2/", nil)
+	// Build /auth/token URL with minimal scope (just access to /v2/)
+	tokenURL := appViewURL + "/auth/token?service=" + appViewURL
+
+	req, err := http.NewRequest("GET", tokenURL, nil)
 	if err != nil {
 		return false
 	}