diff --git a/workspace-server/internal/router/router.go b/workspace-server/internal/router/router.go
index 4b6e8aeb..c636bf87 100644
--- a/workspace-server/internal/router/router.go
+++ b/workspace-server/internal/router/router.go
@@ -376,7 +376,13 @@ func Setup(hub *ws.Hub, broadcaster *events.Broadcaster, prov *provisioner.Provi
 // (dev / self-hosted without GITHUB_APP_ID).
 {
 ghTokH := handlers.NewGitHubTokenHandler(wh.TokenRegistry())
+ // #1068: moved from AdminAuth to allow any authenticated workspace to
+ // refresh its GitHub token. The credential helper in containers calls
+ // this endpoint with a workspace bearer token — AdminAuth (PR #729)
+ // rejects those, breaking token refresh after 60 min.
+ // Keep the old path as an alias for backward compat.
 r.GET("/admin/github-installation-token", middleware.AdminAuth(db.DB), ghTokH.GetInstallationToken)
+ wsAuth.GET("/github-installation-token", ghTokH.GetInstallationToken)
 }
 
 // Terminal — shares Docker client with provisioner
diff --git a/workspace/scripts/molecule-git-token-helper.sh b/workspace/scripts/molecule-git-token-helper.sh
index e2a519a4..4b7a8cca 100755
--- a/workspace/scripts/molecule-git-token-helper.sh
+++ b/workspace/scripts/molecule-git-token-helper.sh
@@ -53,7 +53,14 @@ set -euo pipefail
 PLATFORM_URL="${PLATFORM_URL:-http://platform:8080}"
 CONFIGS_DIR="${CONFIGS_DIR:-/configs}"
 TOKEN_FILE="${CONFIGS_DIR}/.auth_token"
-ENDPOINT="${PLATFORM_URL}/admin/github-installation-token"
+# #1068: use workspace-scoped path (WorkspaceAuth) instead of admin path
+# (AdminAuth rejects workspace bearer tokens since PR #729).
+WORKSPACE_ID="${WORKSPACE_ID:-}"
+if [ -n "$WORKSPACE_ID" ]; then
+ ENDPOINT="${PLATFORM_URL}/workspaces/${WORKSPACE_ID}/github-installation-token"
+else
+ ENDPOINT="${PLATFORM_URL}/admin/github-installation-token"
+fi
 
 # _fetch_token — internal helper; also callable directly from cron.
 # Outputs the raw token string on success; exits non-zero on failure.
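Review bot: In router.go, the new `wsAuth.GET("/github-installation-token", ghTokH.GetInstallationToken)` route reuses the handler that until now sat only behind `AdminAuth`, so any caller with a valid workspace bearer token can obtain whatever token `GetInstallationToken` mints. The handler body is not in this hunk, so it is not visible whether that token is limited to the repositories and permissions the calling workspace needs; if it is the full installation token, a single compromised workspace container ends up with the same GitHub access an admin caller had. I would confirm the scope before merging and record the requirement on the route, e.g. `// SECURITY: reachable with any workspace bearer token; GetInstallationToken must return a token scoped to the calling workspace.` The added comment's "moved from AdminAuth" is also slightly off, since the admin route is kept unchanged. Setup starts and continues outside the hunk, so how `wsAuth` ties the bearer token to a workspace ID is not shown here.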
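Review bot: In molecule-git-token-helper.sh, an empty `WORKSPACE_ID` silently falls back to the `/admin/github-installation-token` path, which the comment just above says rejects workspace bearer tokens, so a container missing that variable fails exactly as before with no hint why. A warning in the `else` branch, sent to stderr because stdout appears to carry the token output, would make this diagnosable: `echo "molecule-git-token-helper: WORKSPACE_ID unset; using admin endpoint" >&2`. `WORKSPACE_ID` is also interpolated into the URL path unchecked, and the request presumably carries the bearer token from `TOKEN_FILE`, so rejecting unexpected characters keeps that token from being sent to an unintended path: `case "$WORKSPACE_ID" in *[!A-Za-z0-9_-]*) echo "invalid WORKSPACE_ID" >&2; exit 1;; esac` (adjust the set to the real ID format). The code that builds and sends the request is outside this hunk.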