diff --git a/src/cli/commands/invoke/action.ts b/src/cli/commands/invoke/action.ts
index 85169022..449738fc 100644
--- a/src/cli/commands/invoke/action.ts
+++ b/src/cli/commands/invoke/action.ts
@@ -104,6 +104,11 @@ export async function handleInvoke(context: InvokeContext, options: InvokeOption
           error: `CUSTOM_JWT agent requires a bearer token. Auto-fetch failed: ${err instanceof Error ? err.message : String(err)}\nProvide one manually with --bearer-token.`,
         };
       }
+    } else {
+      return {
+        success: false,
+        error: `Agent '${agentSpec.name}' is configured for CUSTOM_JWT but no bearer token is available.\nEither provide --bearer-token or re-add the agent with --client-id and --client-secret to enable auto-fetch.`,
+      };
     }
   }
 
diff --git a/src/cli/tui/screens/invoke/useInvokeFlow.ts b/src/cli/tui/screens/invoke/useInvokeFlow.ts
index 0047784b..2aeb083c 100644
--- a/src/cli/tui/screens/invoke/useInvokeFlow.ts
+++ b/src/cli/tui/screens/invoke/useInvokeFlow.ts
@@ -208,7 +208,10 @@ export function useInvokeFlow(options: InvokeFlowOptions = {}): InvokeFlowState
     // Check if credentials are set up before attempting fetch
     const canFetch = await canFetchRuntimeToken(agent.name);
     if (!canFetch) {
-      // No credential configured — silently skip, user can press T to enter manually
+      setTokenFetchState('error');
+      setTokenFetchError(
+        'No OAuth credentials configured for auto-fetch. Press T to enter a bearer token manually, or re-add the agent with --client-id and --client-secret.'
+      );
       return;
     }