diff --git a/apps/miniprogram/inject-auth.cjs b/apps/miniprogram/inject-auth.cjs
index d628997..1f1dbd0 100644
--- a/apps/miniprogram/inject-auth.cjs
+++ b/apps/miniprogram/inject-auth.cjs
@@ -35,8 +35,10 @@ async function main() {
   console.log('3. 写入 storage (明文模式)...');
   const result = await mp.evaluate((at, rt, ud, ur, tid, pid) => {
     try {
-      // 无加密密钥时 secureSet 走明文
-      // 但我们直接用 wx.setStorageSync 确保
+      // 清除 _es_ 前缀旧加密值，避免 secureGet 读到过期 token
+      ['access_token','refresh_token','user_data','user_roles','tenant_id','current_patient_id','current_patient','token_expires_at'].forEach(k => {
+        wx.removeStorageSync('_es_' + k);
+      });
       wx.setStorageSync('access_token', at);
       wx.setStorageSync('refresh_token', rt);
       wx.setStorageSync('user_data', ud);