diff --git a/backend/internal/repository/claude_oauth_service.go b/backend/internal/repository/claude_oauth_service.go
index 433a4803..c27150ed 100644
--- a/backend/internal/repository/claude_oauth_service.go
+++ b/backend/internal/repository/claude_oauth_service.go
@@ -278,20 +278,20 @@ func createReqClient(proxyURL string) (*req.Client, error) {
 	}
 
 	client := req.C().
-		SetTimeout(15 * time.Second).
-		SetCookieJar(nil) // 禁用 CookieJar，确保每次授权都是干净的会话
+		SetTimeout(30 * time.Second).
+		SetCookieJar(nil). // 禁用 CookieJar，确保每次授权都是干净的会话
+		EnableForceHTTP1() // 强制 HTTP/1.1，避免 H2 升级与自定义 TLS dialer 冲突
 
-	trimmed, _, err := proxyurl.Parse(proxyURL)
+	trimmed, parsedProxy, err := proxyurl.Parse(proxyURL)
 	if err != nil {
 		return nil, err
 	}
 
-	if trimmed != "" {
-		parsedProxy, parseErr := url.Parse(trimmed)
-		if parseErr != nil {
-			return nil, fmt.Errorf("parse proxy URL: %w", parseErr)
-		}
+	logger.LegacyPrintf("repository.claude_oauth", "[OAuth] createReqClient: proxyURL=%q trimmed=%q", logredact.RedactProxyURL(proxyURL), logredact.RedactProxyURL(trimmed))
+
+	if trimmed != "" && parsedProxy != nil {
 		scheme := strings.ToLower(parsedProxy.Scheme)
+		logger.LegacyPrintf("repository.claude_oauth", "[OAuth] createReqClient: using proxy scheme=%s host=%s", scheme, parsedProxy.Hostname())
 		switch scheme {
 		case "socks5", "socks5h":
 			socks5Dialer := tlsfingerprint.NewSOCKS5ProxyDialer(profile, parsedProxy)
@@ -303,6 +303,7 @@ func createReqClient(proxyURL string) (*req.Client, error) {
 			client.SetProxyURL(trimmed)
 		}
 	} else {
+		logger.LegacyPrintf("repository.claude_oauth", "[OAuth] createReqClient: no proxy, using direct connection with utls")
 		dialer := tlsfingerprint.NewDialer(profile, nil)
 		client.SetDialTLS(dialer.DialTLSContext)
 	}