diff --git a/deploy/docker/docker-compose.yml b/deploy/docker/docker-compose.yml
index e0ef571..c31413d 100644
--- a/deploy/docker/docker-compose.yml
+++ b/deploy/docker/docker-compose.yml
@@ -118,6 +118,8 @@ services:
     restart: unless-stopped
     ports:
       - "13002:3002"
+    volumes:
+      - ${HOME}/.claude:/root/.claude:ro
     environment:
       - DB_HOST=postgres
       - DB_PORT=5432
@@ -127,7 +129,7 @@ services:
       - REDIS_URL=redis://redis:6379
       - ANTHROPIC_API_KEY=${ANTHROPIC_API_KEY}
       - ANTHROPIC_BASE_URL=${ANTHROPIC_BASE_URL}
-      - AGENT_ENGINE_TYPE=claude_api
+      - AGENT_ENGINE_TYPE=claude_agent_sdk
       - AGENT_SERVICE_PORT=3002
     healthcheck:
       test: ["CMD-SHELL", "node -e \"require('http').get('http://localhost:3002/',r=>{process.exit(r.statusCode<500?0:1)}).on('error',()=>process.exit(1))\""]
diff --git a/packages/services/agent-service/src/infrastructure/engines/claude-agent-sdk/claude-agent-sdk-engine.ts b/packages/services/agent-service/src/infrastructure/engines/claude-agent-sdk/claude-agent-sdk-engine.ts
index 7acc0d1..d2def58 100644
--- a/packages/services/agent-service/src/infrastructure/engines/claude-agent-sdk/claude-agent-sdk-engine.ts
+++ b/packages/services/agent-service/src/infrastructure/engines/claude-agent-sdk/claude-agent-sdk-engine.ts
@@ -50,7 +50,7 @@ export class ClaudeAgentSdkEngine implements AgentEnginePort {
     const tenantId = TenantContextService.getTenantId();
     const tenantConfig = await this.tenantConfigService.findByTenantId(tenantId);
 
-    // Build environment — subscription mode uses inherited CLI auth, api_key mode overrides
+    // Build environment — subscription mode uses OAuth from ~/.claude/.credentials.json
     const env: Record<string, string> = { ...process.env } as Record<string, string>;
     // Disable TLS verification for proxy endpoints (self-signed certs)
     const baseURL = this.configService.get<string>('ANTHROPIC_BASE_URL');
@@ -59,12 +59,16 @@ export class ClaudeAgentSdkEngine implements AgentEnginePort {
       env.ANTHROPIC_BASE_URL = baseURL;
     }
     if (tenantConfig?.billingMode === 'api_key') {
+      // Tenant uses their own API key
       try {
         env.ANTHROPIC_API_KEY = this.tenantConfigService.decryptApiKey(tenantConfig);
       } catch (err) {
         yield { type: 'error', message: 'Tenant API key not configured or invalid', code: 'API_KEY_ERROR' };
         return;
       }
+    } else {
+      // Subscription mode: remove API key so SDK uses OAuth credentials
+      delete env.ANTHROPIC_API_KEY;
     }
 
     // Create approval gate with tenant-configurable timeout
@@ -244,6 +248,8 @@ export class ClaudeAgentSdkEngine implements AgentEnginePort {
         yield { type: 'error', message: 'Tenant API key invalid', code: 'API_KEY_ERROR' };
         return;
       }
+    } else {
+      delete env.ANTHROPIC_API_KEY;
     }
 
     const timeoutSec = tenantConfig?.approvalTimeoutSeconds ?? 120;