diff --git a/tests/mock-forgejo.py b/tests/mock-forgejo.py
index fcf537b..bb22f05 100755
--- a/tests/mock-forgejo.py
+++ b/tests/mock-forgejo.py
@@ -256,7 +256,14 @@ class ForgejoHandler(BaseHTTPRequestHandler):
 
     def handle_POST_admin_users(self, query):
         """POST /api/v1/admin/users"""
-        require_token(self)
+        # Allow initial admin creation without auth (bootstrap)
+        # After first user exists, require token auth
+        if not state["users"]:
+            # First user creation - bootstrap mode, no auth required
+            pass
+        elif not require_token(self):
+            json_response(self, 401, {"message": "invalid authentication"})
+            return
 
         content_length = int(self.headers.get("Content-Length", 0))
         body = self.rfile.read(content_length).decode("utf-8")
@@ -289,10 +296,22 @@ class ForgejoHandler(BaseHTTPRequestHandler):
 
     def handle_POST_users_username_tokens(self, query):
         """POST /api/v1/users/{username}/tokens"""
-        username = require_basic_auth(self)
-        if not username:
+        # Extract username from basic auth header (don't verify password for mock)
+        auth_header = self.headers.get("Authorization", "")
+        if not auth_header.startswith("Basic "):
             json_response(self, 401, {"message": "invalid authentication"})
             return
+        try:
+            decoded = base64.b64decode(auth_header[6:]).decode("utf-8")
+            username, _ = decoded.split(":", 1)
+        except Exception:
+            json_response(self, 401, {"message": "invalid authentication"})
+            return
+
+        # Check user exists in state (don't verify password in mock)
+        if username not in state["users"]:
+            json_response(self, 401, {"message": "user not found"})
+            return
 
         content_length = int(self.headers.get("Content-Length", 0))
         body = self.rfile.read(content_length).decode("utf-8")