diff --git a/src/daemon/admin/commands/create_new_token.ts b/src/daemon/admin/commands/create_new_token.ts
index df145a2..04588c4 100644
--- a/src/daemon/admin/commands/create_new_token.ts
+++ b/src/daemon/admin/commands/create_new_token.ts
@@ -7,15 +7,19 @@ export default async function createNewToken(admin: AdminInterface, req: NDKRpcR
 
     if (!clientName || !policyId) throw new Error("Invalid params");
 
-    const policy = await prisma.policy.findUnique({ where: { id: parseInt(policyId) }, include: { rules: true } });
+    const policyIdInt = parseInt(policyId);
+    const policy = await prisma.policy.findUnique({ where: { id: policyIdInt }, include: { rules: true } });
 
     if (!policy) throw new Error("Policy not found");
 
     console.log({clientName, policy, durationInHours});
 
     const token = [...Array(64)].map(() => Math.floor(Math.random() * 16).toString(16)).join('');
+    // policyId must be Int per the Prisma schema (Token.policyId references
+    // Policy.id which is autoincrement Int). Upstream passes the raw string
+    // from the wire — caught during aiolabs/nsecbunkerd#7 diagnosis 2026-05-27.
     const data: any = {
-        keyName, clientName, policyId,
+        keyName, clientName, policyId: policyIdInt,
         createdBy: req.pubkey,
         token
     };