diff --git a/tests/e2e/test_api.sh b/tests/e2e/test_api.sh
index 5eb4d3bf..0936e123 100644
--- a/tests/e2e/test_api.sh
+++ b/tests/e2e/test_api.sh
@@ -86,16 +86,20 @@ R=$(acurl "$BASE/workspaces/$ECHO_ID")
 check "GET /workspaces/:id" '"name":"Echo Agent"' "$R"
 check "GET /workspaces/:id (agent_card null)" '"agent_card":null' "$R"
 
-# Test 7: Register echo — use acurl because the workspace may already
-# have a token from the provisioner's auto-registration (C18 re-register
-# protection requires bearer when tokens exist).
-R=$(acurl -X POST "$BASE/registry/register" -H "Content-Type: application/json" \
+# Test 7: Register echo — use workspace-specific token (from test-token
+# endpoint), not the admin token. C18 requires a token issued TO THIS
+# workspace, not just any valid token.
+ECHO_WS_TOKEN=$(curl -s "$BASE/admin/workspaces/$ECHO_ID/test-token" | python3 -c "import sys,json; print(json.load(sys.stdin).get('auth_token',''))" 2>/dev/null || echo "")
+R=$(curl -s -X POST "$BASE/registry/register" -H "Content-Type: application/json" \
+  ${ECHO_WS_TOKEN:+-H "Authorization: Bearer $ECHO_WS_TOKEN"} \
   -d "{\"id\":\"$ECHO_ID\",\"url\":\"http://localhost:8001\",\"agent_card\":{\"name\":\"Echo Agent\",\"skills\":[{\"id\":\"echo\",\"name\":\"Echo\"}]}}")
 check "POST /registry/register (echo)" '"status":"registered"' "$R"
 ECHO_TOKEN=$(echo "$R" | e2e_extract_token)
 
-# Test 8: Register summarizer
-R=$(acurl -X POST "$BASE/registry/register" -H "Content-Type: application/json" \
+# Test 8: Register summarizer — same pattern: workspace-specific token
+SUM_WS_TOKEN=$(curl -s "$BASE/admin/workspaces/$SUM_ID/test-token" | python3 -c "import sys,json; print(json.load(sys.stdin).get('auth_token',''))" 2>/dev/null || echo "")
+R=$(curl -s -X POST "$BASE/registry/register" -H "Content-Type: application/json" \
+  ${SUM_WS_TOKEN:+-H "Authorization: Bearer $SUM_WS_TOKEN"} \
   -d "{\"id\":\"$SUM_ID\",\"url\":\"http://localhost:8002\",\"agent_card\":{\"name\":\"Summarizer\",\"skills\":[{\"id\":\"summarize\",\"name\":\"Summarize\"}]}}")
 check "POST /registry/register (summarizer)" '"status":"registered"' "$R"
 SUM_TOKEN=$(echo "$R" | e2e_extract_token)
@@ -168,7 +172,8 @@ curl -s -X POST "$BASE/registry/heartbeat" -H "Content-Type: application/json" -
   -d "{\"workspace_id\":\"$ECHO_ID\",\"error_rate\":0.0,\"sample_error\":\"\",\"active_tasks\":0,\"uptime_seconds\":180}" > /dev/null
 
 # Re-register to force online status in case liveness expired
-acurl -X POST "$BASE/registry/register" -H "Content-Type: application/json" \
+curl -s -X POST "$BASE/registry/register" -H "Content-Type: application/json" \
+  -H "Authorization: Bearer $ECHO_TOKEN" \
   -d "{\"id\":\"$ECHO_ID\",\"url\":\"http://localhost:8001\",\"agent_card\":{\"name\":\"Echo Agent v2\",\"skills\":[{\"id\":\"echo\",\"name\":\"Echo\"},{\"id\":\"repeat\",\"name\":\"Repeat\"}]}}" > /dev/null
 
 # Now send high error rate to trigger degraded