diff --git a/DysonNetwork.Pass/Auth/Auth.cs b/DysonNetwork.Pass/Auth/Auth.cs
index 30c26d5..d182c73 100644
--- a/DysonNetwork.Pass/Auth/Auth.cs
+++ b/DysonNetwork.Pass/Auth/Auth.cs
@@ -70,7 +70,7 @@ public class DysonTokenAuthHandler(
};
// Add scopes as claims
- session.Challenge.Scopes.ForEach(scope => claims.Add(new Claim("scope", scope)));
+ session.Challenge?.Scopes.ForEach(scope => claims.Add(new Claim("scope", scope)));
// Add superuser claim if applicable
if (session.Account.IsSuperuser)
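Review bot: With `session.Challenge?.Scopes.ForEach(...)`, a session whose Challenge is null no longer throws and is instead authenticated with zero `scope` claims, so its permissions depend on how consumers read an empty scope set. If any downstream check treats "no scope claims" as unrestricted, this fails open. It is worth confirming that and recording the intent next to the line, e.g. `// No challenge => no scope claims; authorization must treat this as no scopes granted`. Note that `?.` guards only Challenge, so a null `Scopes` on a non-null challenge would still throw. The enclosing method starts and ends outside this hunk, so whether a null Challenge is a legitimate state cannot be seen here.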
diff --git a/DysonNetwork.Pass/Auth/TokenAuthService.cs b/DysonNetwork.Pass/Auth/TokenAuthService.cs
index c139f0e..849431e 100644
--- a/DysonNetwork.Pass/Auth/TokenAuthService.cs
+++ b/DysonNetwork.Pass/Auth/TokenAuthService.cs
@@ -22,6 +22,7 @@ public class TokenAuthService(
/// then cache and return.
///
/// Incoming token string
+ /// Client IP address, for logging purposes
/// (Valid, Session, Message)
public async Task<(bool Valid, AuthSession? Session, string? Message)> AuthenticateTokenAsync(string token, string? ipAddress = null)
{
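Review bot: The new `ipAddress` doc line says "for logging purposes" but does not say where the value comes from or what happens when it is null, although the parameter defaults to `null`. In an authentication path the doc should state that the address is caller-supplied and informational only, e.g. `Client IP address as reported by the caller; used only for logging, never for the validity decision; may be null`. The method body is outside this hunk, so how the value is actually used could not be checked here.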