diff --git a/scripts/api-test.sh b/scripts/api-test.sh index dd15d78..4fa9a91 100644 --- a/scripts/api-test.sh +++ b/scripts/api-test.sh @@ -195,14 +195,14 @@ else fi # ══════════════════════════════════════════════════════════════════════════════ -section "14. Users — List (tenant admin via /api/v1/auth/users)" +section "14. Users — List (platform admin via /api/v1/auth/users)" -if [[ -n "$TOKEN" ]]; then +if [[ -n "${ADMIN_TOKEN:-}" ]]; then STATUS=$(get_status "${BASE}/api/v1/auth/users" \ - -H "Authorization: Bearer ${TOKEN}") + -H "Authorization: Bearer ${ADMIN_TOKEN}") [[ "$STATUS" == "200" ]] && ok "GET /api/v1/auth/users → 200" || fail "GET /api/v1/auth/users → ${STATUS}" else - info "Skipped — no token" + info "Skipped — no platform admin token" fi # ══════════════════════════════════════════════════════════════════════════════ @@ -221,7 +221,9 @@ section "16. Billing — Subscription (JWT required)" if [[ -n "$TOKEN" ]]; then STATUS=$(get_status "${BASE}/api/v1/billing/subscription" \ -H "Authorization: Bearer ${TOKEN}") - [[ "$STATUS" == "200" ]] && ok "GET /api/v1/billing/subscription → 200" \ + # 200 = has subscription, 404 = new tenant with no subscription yet (both acceptable) + [[ "$STATUS" == "200" || "$STATUS" == "404" ]] \ + && ok "GET /api/v1/billing/subscription → ${STATUS} (200=active, 404=no subscription)" \ || fail "GET /api/v1/billing/subscription → ${STATUS}" fi 
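Review bot: Section 14 now sends only `ADMIN_TOKEN` to `/api/v1/auth/users`, so nothing asserts that the tenant-level `TOKEN` is refused there. If the route is meant to be platform-admin only (the new title suggests so, but the server side is not visible here), a negative case would catch an authorization regression. Repeat the call with `-H "Authorization: Bearer ${TOKEN}"` and pass only on the rejection code the API documents, for example `[[ "$STATUS" == "403" ]]`. Guard it with `[[ -n "${TOKEN:-}" ]]` so it is skipped, not failed, when no tenant token was obtained.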
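Review bot: Accepting `404` unconditionally in section 16 lets a missing or mis-routed `/api/v1/billing/subscription` endpoint pass exactly like a tenant with no subscription. `get_status` appears to return only the status code, so the two cases cannot be told apart here. Capturing the body, as section 24 does with the `__STATUS__` marker, and matching the API's "no subscription" error would keep the check meaningful. A cheaper option is to report the 404 with `info` rather than `ok`, so it is not counted as a verified pass. The new `[[ … ]] && ok … || fail …` chain also runs `fail` whenever `ok` returns non-zero; an `if`/`elif`/`else` would avoid that.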
@@ -307,10 +309,11 @@ fi # ══════════════════════════════════════════════════════════════════════════════ section "24. Invite flow — Create + validate invite" -if [[ -n "${ADMIN_TOKEN:-}" && -n "${TENANT_ID:-}" ]]; then +# Uses TOKEN (tenant admin, 'admin' role) to create invite for their own tenant +if [[ -n "${TOKEN:-}" && -n "${TENANT_ID:-}" ]]; then INVITE_EMAIL="invite_${TS}@example.com" RESP=$(post_json "${BASE}/api/v1/admin/tenants/${TENANT_ID}/invites" \ - -H "Authorization: Bearer ${ADMIN_TOKEN}" \ + -H "Authorization: Bearer ${TOKEN}" \ -d "{\"email\":\"${INVITE_EMAIL}\",\"role\":\"viewer\"}") STATUS=$(echo "$RESP" | grep -o '__STATUS__[0-9]*' | sed 's/__STATUS__//') BODY=$(echo "$RESP" | sed 's/__STATUS__[0-9]*//') @@ -326,7 +329,7 @@ if [[ -n "${ADMIN_TOKEN:-}" && -n "${TENANT_ID:-}" ]]; then fail "POST /api/v1/admin/tenants/:id/invites → ${STATUS}: ${BODY}" fi else - info "Skipped invite flow — need admin token + tenantId" + info "Skipped invite flow — need token + tenantId" fi # ══════════════════════════════════════════════════════════════════════════════
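Review bot: Section 24 now calls `/api/v1/admin/tenants/${TENANT_ID}/invites` with the tenant `TOKEN`, but only for the caller's own tenant, so the tenant-isolation check this change depends on is untested. Because the tenant id comes from the URL, add a negative case that posts the same body with a second tenant's id and expects a rejection (403 or 404, whichever the API defines). No second tenant id is defined in the visible script, so one would have to be created or passed in. Separately, the new comment says `TOKEN` has the 'admin' role, but the guard only checks that it is non-empty, so a lower-privileged token shows up as a failure rather than a skip. The `if` block continues past this hunk.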