diff --git a/main.go b/main.go
index 6167e15..27149c3 100644
--- a/main.go
+++ b/main.go
@@ -24,18 +24,46 @@ func run() error {
 		return fmt.Errorf("load config: %w", err)
 	}
 
-	creds, err := config.LoadCredentials(cfg)
+	// Load credentials from ~/.claude/.credentials.json
+	creds, err := config.LoadDefaultCredentials()
 	if err != nil {
 		return fmt.Errorf("load credentials: %w", err)
 	}
 
-	if len(creds) == 0 {
-		return fmt.Errorf("no credentials found")
+	var cred *auth.Credential
+	if len(creds) > 0 {
+		cred = creds[0]
+		// If token is expired, try refresh first
+		if !cred.ExpiresAt.IsZero() && time.Now().After(cred.ExpiresAt) {
+			log.Printf("token expired, attempting refresh...")
+			refreshCtx, refreshCancel := context.WithTimeout(context.Background(), 15*time.Second)
+			refreshErr := auth.RefreshToken(refreshCtx, cred)
+			refreshCancel()
+			if refreshErr != nil {
+				log.Printf("refresh failed: %v — initiating login", refreshErr)
+				cred = nil // fall through to login
+			} else {
+				log.Printf("token refreshed successfully")
+			}
+		}
 	}
 
-	log.Printf("loaded %d credentials", len(creds))
+	if cred == nil {
+		// Non-TTY check: if stdin is not a terminal, can't do interactive login
+		fi, statErr := os.Stdin.Stat()
+		if statErr == nil && (fi.Mode()&os.ModeCharDevice) == 0 {
+			return fmt.Errorf("no valid credentials found; run the proxy interactively for initial login")
+		}
+		log.Printf("no valid credentials found, starting OAuth login flow...")
+		cred, err = auth.Login(context.Background())
+		if err != nil {
+			return fmt.Errorf("login failed: %w", err)
+		}
+	}
 
-	pool := auth.NewPool(creds)
+	log.Printf("loaded credential for %s", cred.Email)
+
+	pool := auth.NewPool([]*auth.Credential{cred})
 
 	ctx, cancel := context.WithCancel(context.Background())
 	defer cancel()