diff --git a/tests/mock-forgejo.py b/tests/mock-forgejo.py
index 839b064..d30e3cc 100755
--- a/tests/mock-forgejo.py
+++ b/tests/mock-forgejo.py
@@ -259,6 +259,7 @@ class ForgejoHandler(BaseHTTPRequestHandler):
 username = data.get("username")
 email = data.get("email")
+ password = data.get("password", "")
 if not username or not email:
 json_response(self, 400, {"message": "username and email are required"})
@@ -277,6 +278,7 @@ class ForgejoHandler(BaseHTTPRequestHandler):
 "login_name": data.get("login_name", username),
 "visibility": data.get("visibility", "public"),
 "avatar_url": f"https://seccdn.libravatar.org/avatar/{hashlib.md5(email.encode()).hexdigest()}",
+ "password": password, # Store password for mock verification
 }
 state["users"][username] = user
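Review bot: The added `"password": password,` entry puts the plaintext password in the same `user` dict that is saved to `state["users"]`, so any handler that serializes that record would echo the password back to the client, which a real user API does not do. The code that builds the responses is outside this hunk, so it needs checking whether the create-user reply or any user lookup returns this dict as-is. Keeping the secret apart from the public record avoids the problem, for example `state.setdefault("passwords", {})[username] = password`, with the token handler reading from there instead of `user.get("password")`. If the field stays in the record, it should be stripped before responding and the line commented as `# mock-only secret: never include in JSON responses`.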
@@ -298,23 +300,36 @@ class ForgejoHandler(BaseHTTPRequestHandler):
 def handle_POST_users_username_tokens(self, query):
 """POST /api/v1/users/{username}/tokens"""
- # Extract username from basic auth header (don't verify password for mock)
+ # Extract username and password from basic auth header
 auth_header = self.headers.get("Authorization", "")
 if not auth_header.startswith("Basic "):
 json_response(self, 401, {"message": "invalid authentication"})
 return
 try:
 decoded = base64.b64decode(auth_header[6:]).decode("utf-8")
- username, _ = decoded.split(":", 1)
+ username, password = decoded.split(":", 1)
 except Exception:
 json_response(self, 401, {"message": "invalid authentication"})
 return
- # Check user exists in state (don't verify password in mock)
+ # Check user exists in state
 if username not in state["users"]:
 json_response(self, 401, {"message": "user not found"})
 return
+ # Verify password (for mock, accept any non-empty password if user exists)
+ user = state["users"][username]
+ # For test users (disinto-admin, johba, dev-bot, review-bot), accept any password
+ # This allows the smoke test to use a fixed password
+ test_users = {"disinto-admin", "johba", "dev-bot", "review-bot"}
+ if username in test_users:
+ if not password:
+ json_response(self, 401, {"message": "invalid authentication"})
+ return
+ elif not password or user.get("password") != password:
+ json_response(self, 401, {"message": "invalid authentication"})
+ return
 content_length = int(self.headers.get("Content-Length", 0))
 body = self.rfile.read(content_length).decode("utf-8")
 data = json.loads(body) if body else {}
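Review bot: The `test_users` branch accepts any non-empty password for `disinto-admin`, `johba`, `dev-bot` and `review-bot`, so for those four accounts the handler still cannot catch a client that sends the wrong credential. The comment `# Verify password (for mock, accept any non-empty password if user exists)` also contradicts the `elif`, which requires an exact match for every other user; it should read something like `# Verify password: exact match, except the listed test accounts, which accept any non-empty value`. If the smoke test's fixed password is known, comparing against it, or against the stored value whenever one was set at creation, would keep the check meaningful for these accounts too. `test_users` would also read better as a module-level constant than as a set rebuilt on every request. The method body continues past the end of this hunk.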