diff --git a/tests/mock-forgejo.py b/tests/mock-forgejo.py
index d30e3cc..839b064 100755
--- a/tests/mock-forgejo.py
+++ b/tests/mock-forgejo.py
@@ -259,7 +259,6 @@ class ForgejoHandler(BaseHTTPRequestHandler):
 
         username = data.get("username")
         email = data.get("email")
-        password = data.get("password", "")
 
         if not username or not email:
             json_response(self, 400, {"message": "username and email are required"})
@@ -278,7 +277,6 @@ class ForgejoHandler(BaseHTTPRequestHandler):
             "login_name": data.get("login_name", username),
             "visibility": data.get("visibility", "public"),
             "avatar_url": f"https://seccdn.libravatar.org/avatar/{hashlib.md5(email.encode()).hexdigest()}",
-            "password": password,  # Store password for mock verification
         }
 
         state["users"][username] = user
@@ -300,36 +298,23 @@ class ForgejoHandler(BaseHTTPRequestHandler):
 
     def handle_POST_users_username_tokens(self, query):
         """POST /api/v1/users/{username}/tokens"""
-        # Extract username and password from basic auth header
+        # Extract username from basic auth header (don't verify password for mock)
         auth_header = self.headers.get("Authorization", "")
         if not auth_header.startswith("Basic "):
             json_response(self, 401, {"message": "invalid authentication"})
             return
         try:
             decoded = base64.b64decode(auth_header[6:]).decode("utf-8")
-            username, password = decoded.split(":", 1)
+            username, _ = decoded.split(":", 1)
         except Exception:
             json_response(self, 401, {"message": "invalid authentication"})
             return
 
-        # Check user exists in state
+        # Check user exists in state (don't verify password in mock)
         if username not in state["users"]:
             json_response(self, 401, {"message": "user not found"})
             return
 
-        # Verify password (for mock, accept any non-empty password if user exists)
-        user = state["users"][username]
-        # For test users (disinto-admin, johba, dev-bot, review-bot), accept any password
-        # This allows the smoke test to use a fixed password
-        test_users = {"disinto-admin", "johba", "dev-bot", "review-bot"}
-        if username in test_users:
-            if not password:
-                json_response(self, 401, {"message": "invalid authentication"})
-                return
-        elif not password or user.get("password") != password:
-            json_response(self, 401, {"message": "invalid authentication"})
-            return
-
         content_length = int(self.headers.get("Content-Length", 0))
         body = self.rfile.read(content_length).decode("utf-8")
         data = json.loads(body) if body else {}