diff --git a/bin/disinto b/bin/disinto
index 63cd497..aea40aa 100755
--- a/bin/disinto
+++ b/bin/disinto
@@ -2431,8 +2431,9 @@ disinto_hire_an_agent() {
     local user_token=""
     if [ "$user_exists" = true ]; then
       # Try to get token for the new user
+      # Note: user_pass was set in Step 1; for existing users this will fail (unknown password)
       user_token=$(curl -sf -X POST \
-        -u "${agent_name}:agent-pass" \
+        -u "${agent_name}:${user_pass}" \
         -H "Content-Type: application/json" \
         "${forge_url}/api/v1/users/${agent_name}/tokens" \
         -d "{\"name\":\".profile-repo-token\",\"scopes\":[\"repository\"]}" 2>/dev/null \
@@ -2441,7 +2442,7 @@ disinto_hire_an_agent() {
       if [ -z "$user_token" ]; then
         # Try listing existing tokens
         user_token=$(curl -sf \
-          -u "${agent_name}:agent-pass" \
+          -u "${agent_name}:${user_pass}" \
           "${forge_url}/api/v1/users/${agent_name}/tokens" 2>/dev/null \
           | jq -r '.[0].sha1 // empty') || user_token=""
       fi
@@ -2483,13 +2484,14 @@ disinto_hire_an_agent() {
   rm -rf "$clone_dir"
   mkdir -p "$clone_dir"
 
-  # Build clone URL
+  # Build clone URL (unauthenticated version for display)
   local clone_url="${forge_url}/${agent_name}/.profile.git"
   local auth_url
   auth_url=$(printf '%s' "$forge_url" | sed "s|://|://${agent_name}:${user_token:-${FORGE_TOKEN}}@|")
   clone_url="${auth_url}/.profile.git"
 
-  echo "  Cloning: ${clone_url}"
+  # Display unauthenticated URL (auth token only in actual git clone command)
+  echo "  Cloning: ${forge_url}/${agent_name}/.profile.git"
 
   if ! git clone --quiet "$clone_url" "$clone_dir" 2>/dev/null; then
     # Try without auth (might work for public repos or with FORGE_TOKEN)