diff --git a/.github/workflows/claude-pr-review.yml b/.github/workflows/claude-pr-review.yml
index 27bd4df257..62c69d7b24 100644
--- a/.github/workflows/claude-pr-review.yml
+++ b/.github/workflows/claude-pr-review.yml
@@ -18,6 +18,7 @@ jobs:
           && github.event.pull_request.user.type != 'Bot' }}
     permissions:
       contents: read
+      id-token: write
       pull-requests: write
     steps:
       # SECURITY: do not pass `ref:` here. `pull_request_target` checks out the