diff --git a/scripts/acceptance/import_remote43_provider.sh b/scripts/acceptance/import_remote43_provider.sh
index 32f43cca..6e803924 100755
--- a/scripts/acceptance/import_remote43_provider.sh
+++ b/scripts/acceptance/import_remote43_provider.sh
@@ -29,6 +29,9 @@ SUBSCRIPTION_DAYS="${SUBSCRIPTION_DAYS:-30}"
 SUBSCRIPTION_NOTES="${SUBSCRIPTION_NOTES:-hermes remote subscription validation}"
 ARTIFACT_SECURITY_MODE="${ARTIFACT_SECURITY_MODE:-safe}"
 ARTIFACT_INCLUDE_SECRETS="${ARTIFACT_INCLUDE_SECRETS:-0}"
+CRM_COOKIE_JAR="${CRM_COOKIE_JAR:-}"
+CRM_ADMIN_USERNAME="${CRM_ADMIN_USERNAME:-}"
+CRM_ADMIN_PASSWORD="${CRM_ADMIN_PASSWORD:-}"
 mkdir -p "$ART"
 
 artifact_redact_key_json() {
@@ -232,17 +235,59 @@ crm_curl_json() {
   local method="$1"
   local path="$2"
   local payload="${3:-}"
-  if [[ -n "$payload" ]]; then
-    curl -fsS -X "$method" \
-      -H "Authorization: Bearer $crm_token" \
-      -H 'Content-Type: application/json' \
-      "${CRM_BASE}${path}" \
-      -d "$payload"
+  local -a curl_args
+  curl_args=(-fsS -X "$method")
+  if [[ -n "${crm_token:-}" ]]; then
+    curl_args+=(-H "Authorization: Bearer $crm_token")
+  elif [[ -n "${crm_cookie_jar:-}" ]]; then
+    curl_args+=(-b "$crm_cookie_jar" -c "$crm_cookie_jar")
   else
-    curl -fsS -X "$method" \
-      -H "Authorization: Bearer $crm_token" \
-      "${CRM_BASE}${path}"
+    echo "missing CRM auth: set CRM_ADMIN_TOKEN or CRM_COOKIE_JAR/CRM_ADMIN_USERNAME+CRM_ADMIN_PASSWORD" >&2
+    exit 2
   fi
+  if [[ -n "$payload" ]]; then
+    curl_args+=(
+      -H 'Content-Type: application/json'
+      "${CRM_BASE}${path}"
+      -d "$payload"
+    )
+  else
+    curl_args+=("${CRM_BASE}${path}")
+  fi
+  curl "${curl_args[@]}"
+}
+
+ensure_crm_session_cookie() {
+  if [[ -n "$CRM_COOKIE_JAR" ]]; then
+    crm_cookie_jar="$CRM_COOKIE_JAR"
+  else
+    crm_cookie_jar="/tmp/$(basename "$ART")-crm-cookie.jar"
+  fi
+  rm -f "$crm_cookie_jar"
+
+  if [[ -z "$CRM_ADMIN_USERNAME" || -z "$CRM_ADMIN_PASSWORD" ]]; then
+    echo "CRM admin username/password are required when CRM_ADMIN_TOKEN is unavailable" >&2
+    exit 2
+  fi
+
+  local login_payload
+  login_payload="$(python3 - "$CRM_ADMIN_USERNAME" "$CRM_ADMIN_PASSWORD" <<'PY'
+import json, sys
+username, password = sys.argv[1:3]
+print(json.dumps({
+  'username': username,
+  'password': password,
+}, ensure_ascii=False))
+PY
+)"
+
+  curl -fsS -c "$crm_cookie_jar" -b "$crm_cookie_jar" \
+    -H 'Content-Type: application/json' \
+    -X POST \
+    "${CRM_BASE}/api/admin/session/login" \
+    -d "$login_payload" > /dev/null
+
+  crm_curl_json GET "/api/admin/session" > /dev/null
 }
 
 fetch_remote_host_bearer_token() {
@@ -343,8 +388,7 @@ PY
 
 crm_token="${CRM_ADMIN_TOKEN:-}"
 if [[ -z "$crm_token" ]]; then
-  crm_token="$(ssh_cmd "grep ^SUB2API_CRM_ADMIN_TOKEN= /home/ubuntu/sub2api-cn-relay-manager/.env.remote | cut -d= -f2-")"
-  crm_token="${crm_token##*$'\n'}"
+  ensure_crm_session_cookie
 fi
 host_bearer_token="${HOST_BEARER_TOKEN:-}"
 if [[ -z "$host_bearer_token" ]]; then