diff --git a/.npm/run.js b/.npm/run.js
old mode 100644
new mode 100755
diff --git a/internal/client/client.go b/internal/client/client.go
index 6fdd47f..495af7c 100644
--- a/internal/client/client.go
+++ b/internal/client/client.go
@@ -27,12 +27,16 @@ import (
 // - X-CIO-Agent: 1 — set only when the CIO_AGENT env var is "1". The
 // sandbox that runs the CLI on behalf of an AI agent sets this so
 // downstream metrics can attribute traffic to the agent.
+// - X-CIO-Capability-Grant — forwarded from $X_CIO_CAPABILITY_GRANT so the env carries a session-scoped grant without a CLI flag.
 func setStandardHeaders(req *http.Request) {
 req.Header.Set("User-Agent", useragent.Get())
 req.Header.Set("X-Validate", "strict")
 if os.Getenv("CIO_AGENT") == "1" {
 req.Header.Set("X-CIO-Agent", "1")
 }
+ if grant := os.Getenv("X_CIO_CAPABILITY_GRANT"); grant != "" {
+ req.Header.Set("X-CIO-Capability-Grant", grant)
+ }
 }
 
 const (
diff --git a/internal/client/client_test.go b/internal/client/client_test.go
index 095f6c7..4a54294 100644
--- a/internal/client/client_test.go
+++ b/internal/client/client_test.go
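Review bot: In internal/client/client.go, `setStandardHeaders` now attaches `X-CIO-Capability-Grant` to every request this client builds, and a custom header like this is not among the ones net/http drops when it follows a redirect to another host (only `Authorization`, `WWW-Authenticate` and `Cookie` are). Whether the client sets a `CheckRedirect` policy or logs request headers is not visible in this hunk, so both are worth confirming, since the test value suggests the grant is a JWT. The new doc bullet should also state the handling rules and wrap like its neighbours, for example `// - X-CIO-Capability-Grant — session-scoped grant from $X_CIO_CAPABILITY_GRANT; omitted when empty, treat as a secret (never log).` The doc comment starts above the hunk.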
@@ -796,3 +796,46 @@ func TestClient_Do_AgentHeader(t *testing.T) {
 })
 }
 }
+
+func TestClient_Do_CapabilityGrantHeader(t *testing.T) {
+ cases := []struct {
+ name string
+ envValue string
+ envSet bool
+ want string
+ }{
+ {"env unset", "", false, ""},
+ {"env empty", "", true, ""},
+ {"env set", "grant-jwt-abc", true, "grant-jwt-abc"},
+ }
+
+ for _, tc := range cases {
+ t.Run(tc.name, func(t *testing.T) {
+ if tc.envSet {
+ t.Setenv("X_CIO_CAPABILITY_GRANT", tc.envValue)
+ } else {
+ t.Setenv("X_CIO_CAPABILITY_GRANT", "")
+ _ = os.Unsetenv("X_CIO_CAPABILITY_GRANT")
+ }
+
+ var got string
+ server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+ got = r.Header.Get("X-CIO-Capability-Grant")
+ _, _ = w.Write([]byte(`{"ok":true}`))
+ }))
+ defer server.Close()
+
+ c := New(Config{
+ BaseURL: server.URL,
+ AccessToken: "test-jwt",
+ RetryConfig: &RetryConfig{MaxRetries: 0, SleepFn: ContextSleep},
+ })
+ if _, err := c.Do(context.Background(), "GET", "/test", nil, nil); err != nil {
+ t.Fatalf("unexpected error: %v", err)
+ }
+ if got != tc.want {
+ t.Errorf("X-CIO-Capability-Grant: got %q, want %q", got, tc.want)
+ }
+ })
+ }
+}
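Review bot: The table in `TestClient_Do_CapabilityGrantHeader` covers unset, empty and one well-formed value, but not a grant carrying stray whitespace or a trailing newline, which is common when the variable is filled from a file. Go's transport refuses header values containing CR or LF, so such a value would presumably fail every request made through `c.Do` rather than just drop this header. Decide the intended behaviour (trim in `setStandardHeaders`, or fail with a clear message) and pin it with a case such as `{"env padded", " grant-jwt-abc\n", true, "grant-jwt-abc"},` (constructed sample). Separately, the unset branch discards the `os.Unsetenv` error; `if err := os.Unsetenv("X_CIO_CAPABILITY_GRANT"); err != nil { t.Fatal(err) }` would surface a broken fixture.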