diff --git a/docs/AUTHENTIK-SETUP.md b/docs/AUTHENTIK-SETUP.md index cf7871a..f304947 100644 --- a/docs/AUTHENTIK-SETUP.md +++ b/docs/AUTHENTIK-SETUP.md @@ -42,9 +42,19 @@ Each Dezky service that uses SSO needs an OIDC provider configured in Authentik. https://files.dezky.local/oidc-callback ``` - **Signing Key:** `authentik Self-signed Certificate` - - **Scopes:** openid, profile, email + - **Scopes:** openid, profile, email, **offline_access** + - **Advanced → Token validity:** + - Access token: `hours=1` (default `minutes=5` is too short and causes frequent silent refreshes) + - Refresh token: `days=30` 5. Save +> **Why offline_access + token validity:** without `offline_access` the OCIS web +> client gets no refresh token, so when the short-lived access token expires the +> session can't renew and the user is logged out (and the upload UI shows "no +> permission"). With it, the SPA silently refreshes for up to the 30-day refresh +> window. OCIS must also request the scope — set on the `ocis` service in +> docker-compose: `WEB_OIDC_SCOPE: openid profile email offline_access`. + ### 3.2 Create OCIS application 1. Go to **Applications** → **Applications** diff --git a/infrastructure/docker-compose/configs/ocis/web-core/index.html b/infrastructure/docker-compose/configs/ocis/web-core/index.html index 4cf106d..36d9719 100644 --- a/infrastructure/docker-compose/configs/ocis/web-core/index.html +++ b/infrastructure/docker-compose/configs/ocis/web-core/index.html @@ -79,7 +79,7 @@ - +
diff --git a/infrastructure/docker-compose/docker-compose.yml b/infrastructure/docker-compose/docker-compose.yml index 05fc0f5..fb6ec25 100644 --- a/infrastructure/docker-compose/docker-compose.yml +++ b/infrastructure/docker-compose/docker-compose.yml @@ -326,6 +326,11 @@ services: PROXY_TLS: "false" # Traefik terminates TLS; OCIS speaks plain HTTP internally OCIS_OIDC_ISSUER: https://auth.dezky.local/application/o/ocis/ WEB_OIDC_CLIENT_ID: ocis-web + # Request offline_access so the web client gets a refresh token and renews + # silently instead of dropping the session (no surprise logouts). The + # ocis-provider already has the offline_access scope mapping + a 30-day + # refresh validity; default scope is "openid profile email". + WEB_OIDC_SCOPE: openid profile email offline_access PROXY_AUTOPROVISION_ACCOUNTS: "true" PROXY_USER_OIDC_CLAIM: preferred_username PROXY_USER_CS3_CLAIM: username
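Review bot: In the docs/AUTHENTIK-SETUP.md hunk, the justification for raising the access-token validity to `hours=1` ("default `minutes=5` is too short and causes frequent silent refreshes") works against the rest of the change: once `offline_access` is requested the web client holds a refresh token, so a five-minute access token renews silently anyway, and lengthening it mainly widens the window in which a leaked bearer token stays valid. Either keep the default and let the refresh token carry the session, or state the trade-off in the callout, e.g. `Access token: hours=1 (longer exposure if a token leaks; the refresh token is what keeps the session alive)`. The `days=30` refresh validity also needs a sentence on how a session is ended early (revoking the user's tokens or sessions in Authentik), since a browser-held refresh token of that lifetime outlives any single login.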
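Review bot: In the docker-compose.yml hunk, the comment says the ocis-provider "already has the offline_access scope mapping + a 30-day refresh validity", but those settings are introduced by this same patch (the docs hunk above), not pre-existing, so someone applying only the compose change to a stack whose Authentik provider has not been updated will have the client request a scope the provider does not grant and the refresh token will still be missing. Reword the comment to make the dependency explicit, e.g. `# Requires the offline_access scope mapping and refresh-token validity on the ocis provider in Authentik; see docs/AUTHENTIK-SETUP.md.` so the two halves are clearly applied together.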