diff --git a/server/internal/cli/client.go b/server/internal/cli/client.go
index d4a5d6065..de6e11474 100644
--- a/server/internal/cli/client.go
+++ b/server/internal/cli/client.go
@@ -14,11 +14,8 @@ import (
 )
 
 // APIClient is a REST client for the Multica server API.
-// Used by ctrl subcommands (agent, runtime, status, etc.).
-//
-// TODO: Add Authorization header support. Agent routes (/api/agents/...)
-// require JWT auth via middleware.Auth, but this client currently sends
-// no auth token. CLI agent commands will fail with 401 until this is added.
+// Used by ctrl subcommands (agent, runtime, status, etc.). Requests
+// automatically include auth and execution context headers when configured.
 type APIClient struct {
 	BaseURL     string
 	WorkspaceID string
diff --git a/server/internal/cli/client_test.go b/server/internal/cli/client_test.go
index 7fbe933c8..a6560de17 100644
--- a/server/internal/cli/client_test.go
+++ b/server/internal/cli/client_test.go
@@ -84,17 +84,25 @@ func TestPostJSON(t *testing.T) {
 		}
 	})
 
-	t.Run("workspace header", func(t *testing.T) {
+	t.Run("workspace and agent context headers", func(t *testing.T) {
 		srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 			if ws := r.Header.Get("X-Workspace-ID"); ws != "ws-abc" {
 				t.Errorf("expected X-Workspace-ID ws-abc, got %s", ws)
 			}
+			if agent := r.Header.Get("X-Agent-ID"); agent != "agent-123" {
+				t.Errorf("expected X-Agent-ID agent-123, got %s", agent)
+			}
+			if task := r.Header.Get("X-Task-ID"); task != "task-456" {
+				t.Errorf("expected X-Task-ID task-456, got %s", task)
+			}
 			w.Header().Set("Content-Type", "application/json")
 			json.NewEncoder(w).Encode(respBody{ID: "456"})
 		}))
 		defer srv.Close()
 
 		client := NewAPIClient(srv.URL, "ws-abc", "test-token")
+		client.AgentID = "agent-123"
+		client.TaskID = "task-456"
 		var out respBody
 		err := client.PostJSON(context.Background(), "/test", reqBody{}, &out)
 		if err != nil {