diff --git a/scripts/setup-section0-docs.sh b/scripts/setup-section0-docs.sh
index ae4209a..a999d6e 100755
--- a/scripts/setup-section0-docs.sh
+++ b/scripts/setup-section0-docs.sh
@@ -48,6 +48,7 @@ section0-docs - helper for Section 0 shared Markdown docs
 Commands:
 auth login open Authentik and install Git credentials
+ auth finish finish login from a printed device code
 auth status show current saved login
 configure set Git author name/email for this repo
 doctor check clone, author, remote, and read access
@@ -61,6 +62,7 @@ Commands:
 Examples:
 section0-docs auth login
+ section0-docs auth finish DEVICE_CODE
 section0-docs auth status
 section0-docs doctor
 section0-docs configure
@@ -135,6 +137,10 @@ auth_login() {
 }
 echo "Opening Authentik login:"
 echo " \$auth_url"
+ echo "Device code:"
+ echo " \$code"
+ echo "Token check:"
+ echo " \$SERVER_URL/device/\$code/token"
 open_url "\$auth_url"
 echo "Waiting for login..."
 token_json=""
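Review bot: The four added `echo` lines in `auth_login` print the device code and a ready-made `\$SERVER_URL/device/\$code/token` URL to stdout, and judging by the plain `http_json` call in `auth_finish` that endpoint appears to return the access token with no credential other than the code, so the code behaves like a bearer secret. Anything that captures terminal output (scrollback, CI logs, screen sharing, pasted support transcripts) would then hold enough to collect the token once login completes. I would drop the "Token check" pair and show the code only on the timeout path, where the next hunk already prints it to stderr, with a comment such as `# device code is a secret until redeemed; keep it out of logs`. Whether the server expires the code after its first redemption is not visible here and is worth confirming. `auth_login` starts and ends outside this hunk.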
@@ -155,8 +161,34 @@ auth_login() {
 printf "\n"
 [ -n "\${access_token:-}" ] || {
 echo "timed out waiting for Authentik login" >&2
+ echo "If the browser says login succeeded, run:" >&2
+ echo " section0-docs auth finish \$code" >&2
 exit 1
 }
+ complete_login "\$token_json" "\$access_token"
+}
+
+auth_finish() {
+ need_python
+ mkdir -p "\$SESSION_DIR"
+ code="\${1:-}"
+ [ -n "\$code" ] || {
+ echo "usage: section0-docs auth finish DEVICE_CODE" >&2
+ exit 1
+ }
+ token_json="\$(http_json "\$SERVER_URL/device/\$code/token")"
+ access_token="\$(printf "%s" "\$token_json" | json_get accessToken 2>/dev/null || true)"
+ [ -n "\$access_token" ] || {
+ echo "No completed login token for code: \$code" >&2
+ printf "%s\n" "\$token_json" >&2
+ exit 1
+ }
+ complete_login "\$token_json" "\$access_token"
+}
+
+complete_login() {
+ token_json="\$1"
+ access_token="\$2"
 echo "Login accepted; requesting Section 0 Git access..."
 access_json="\$(http_json -X POST -H "Authorization: Bearer \$access_token" "\$SERVER_URL/section0/git/access")"
 ok="\$(printf "%s" "\$access_json" | json_get ok)"
@@ -203,6 +235,9 @@ case "\${1:-help}" in
 login)
 auth_login
 ;;
+ finish)
+ auth_finish "\${3:-}"
+ ;;
 status)
 if [ -f "\$SESSION_PATH" ]; then
 cat "\$SESSION_PATH"
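Review bot: `auth_finish` places `\$code` into the request path with only an emptiness check, and on failure writes the raw `\$token_json` body to stderr. A value containing `/`, `?` or `#` changes which URL is fetched, and the unfiltered response may carry token fields or server detail into logs when `accessToken` is missing or `json_get` fails (its stderr is discarded, so a parse error looks the same as "not logged in yet"). A shape check before the request, e.g. `case "\$code" in *[!A-Za-z0-9_-]*) echo "invalid device code" >&2; exit 1;; esac` with the character class matched to the server's actual code format, plus a fixed failure message in place of the `printf "%s\n" "\$token_json"` line, would close both. Taking the code as a command-line argument also leaves it in shell history and process listings; reading it from stdin when no argument is given would avoid that.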