diff --git a/.claude-plugin/plugin.json b/.claude-plugin/plugin.json
index 8679e38..ea90799 100644
--- a/.claude-plugin/plugin.json
+++ b/.claude-plugin/plugin.json
@@ -1,7 +1,7 @@
 {
   "name": "gitlab-mcp",
   "description": "GitLab MCP server with GraphQL discovery and team activity tools",
-  "version": "1.18.0",
+  "version": "1.18.1",
   "icon": "assets/logo.svg",
   "author": {
     "name": "Tim Pearson"
diff --git a/CHANGELOG.md b/CHANGELOG.md
index f87f4d8..cedb729 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -7,6 +7,11 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+## [1.18.1] - 2026-05-21
+
+### Fixed
+- `list_my_todos` and `list_my_events` no longer reject the call when no per-request `userCredentials` are supplied. Both handlers had a guard that short-circuited the four-step token resolution in `getClient()`, so they failed with `requires user authentication — the to-do inbox is scoped to the caller` even when a valid `GITLAB_TOKEN` was configured. Same bug class as the 1.15.1 fix, which only patched the write tools. Reads now fall back to the env token like every other read tool. Per-call user credentials and HTTP `Authorization: Bearer` flows continue to work unchanged.
+
 ## [1.18.0] - 2026-05-21
 
 ### Fixed
diff --git a/package-lock.json b/package-lock.json
index 5b95735..8e8cfa4 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -1,12 +1,12 @@
 {
   "name": "@ttpears/gitlab-mcp-server",
-  "version": "1.18.0",
+  "version": "1.18.1",
   "lockfileVersion": 3,
   "requires": true,
   "packages": {
     "": {
       "name": "@ttpears/gitlab-mcp-server",
-      "version": "1.18.0",
+      "version": "1.18.1",
       "license": "MIT",
       "dependencies": {
         "@modelcontextprotocol/sdk": "^1.26.0",
diff --git a/package.json b/package.json
index e4ae39f..5bfbf8f 100644
--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
 {
   "name": "@ttpears/gitlab-mcp-server",
-  "version": "1.18.0",
+  "version": "1.18.1",
   "description": "GitLab MCP Server with GraphQL discovery",
   "main": "dist/index.js",
   "module": "./src/index.ts",
diff --git a/src/tools.ts b/src/tools.ts
index ab35c96..0748bab 100644
--- a/src/tools.ts
+++ b/src/tools.ts
@@ -1867,9 +1867,6 @@ const listMyTodosTool: Tool = {
   })),
   handler: async (input, client, userConfig) => {
     const credentials = input.userCredentials ? validateUserConfig(input.userCredentials) : userConfig;
-    if (!credentials) {
-      throw new Error('list_my_todos requires user authentication — the to-do inbox is scoped to the caller.');
-    }
     const groupPath = input.groupPath?.trim();
     const projectPath = input.projectPath?.trim();
     if (input.groupPath !== undefined && !groupPath) {
@@ -2012,9 +2009,6 @@ const listMyEventsTool: Tool = {
   })),
   handler: async (input, client, userConfig) => {
     const credentials = input.userCredentials ? validateUserConfig(input.userCredentials) : userConfig;
-    if (!credentials) {
-      throw new Error('list_my_events requires user authentication — the feed is scoped to the caller.');
-    }
     const { userCredentials, ...params } = input;
     return client.listMyEvents(params, credentials);
   },