diff --git a/agent-node/bootstrap_installer.py b/agent-node/bootstrap_installer.py
index eed5f12..b14ebeb 100644
--- a/agent-node/bootstrap_installer.py
+++ b/agent-node/bootstrap_installer.py
@@ -108,7 +108,7 @@
     _print("Dependencies installed.")
 
 
-def _write_config(install_dir: str, node_id: str, hub_url: str, token: str, grpc_endpoint: str):
+def _write_config(install_dir: str, node_id: str, hub_url: str, token: str, grpc_endpoint: str, secret_key: str = None):
     """Writes an agent_config.yaml into the install directory."""
     import yaml
     config = {
@@ -116,6 +116,8 @@
         "hub_url": hub_url,
         "grpc_endpoint": grpc_endpoint,
         "auth_token": token,
+        "invite_token": token,
+        "secret_key": secret_key,
         "auto_update": True,
         "update_check_interval": 300,
     }
@@ -191,19 +193,24 @@
 
     hub_url   = args.hub   or existing_config.get("hub_url", DEFAULT_HUB)
     
-    # NEW: The update endpoint requires the hub's secret key, not the node's specific invite/auth token
-    token = args.token or existing_config.get("secret_key") or existing_config.get("auth_token") or os.getenv("AGENT_AUTH_TOKEN", "")
+    # 1. Token for Hub HTTP API (fetching versions, downloading code)
+    # This MUST be the hub's global SECRET_KEY.
+    hub_token = args.token or existing_config.get("secret_key") or existing_config.get("auth_token") or os.getenv("AGENT_AUTH_TOKEN", "")
     
+    # 2. Token for Node gRPC Authentication (handshake/registration)
+    # This is the node-specific invite_token.
+    node_token = args.token or existing_config.get("auth_token") or os.getenv("AGENT_AUTH_TOKEN", "")
+
     node_id   = args.node_id or existing_config.get("node_id", "cortex-node-001")
     grpc      = args.grpc or existing_config.get("grpc_endpoint") or hub_url.replace("https://", "").replace("http://", "") + ":50051"
     install_dir = args.install_dir
 
-    if not token:
+    if not hub_token:
         _print("ERROR: --token is required (or set AGENT_AUTH_TOKEN env var)")
         sys.exit(1)
 
     _print(f"Hub: {hub_url}")
-    remote_version = _fetch_version(hub_url, token)
+    remote_version = _fetch_version(hub_url, hub_token)
     _print(f"Remote agent version: {remote_version}")
 
     # Check if already installed and up to date
@@ -218,9 +225,9 @@
 
         _print(f"Updating {local_version} → {remote_version}")
 
-    _install(hub_url, token, install_dir)
+    _install(hub_url, hub_token, install_dir)
     _install_deps(install_dir)
-    _write_config(install_dir, node_id, hub_url, token, grpc)
+    _write_config(install_dir, node_id, hub_url, node_token, grpc, secret_key=hub_token)
 
     if args.update_only:
         _print(f"✅ Updated to v{remote_version}. Not launching (--update-only).")