diff --git a/.gitea/workflows/image_publish.yml b/.gitea/workflows/image_publish.yml
index 5fa9c392..9a4c2b75 100644
--- a/.gitea/workflows/image_publish.yml
+++ b/.gitea/workflows/image_publish.yml
@@ -175,7 +175,7 @@ jobs:
 WORKS_DRIVE_OAUTH_CLIENT_ID: ${{ secrets.WORKS_DRIVE_OAUTH_CLIENT_ID }}
 WORKS_DRIVE_OAUTH_CLIENT_SECRET: ${{ secrets.WORKS_OAUTH_CLIENT_SECRET }}
 WORKS_DRIVE_OAUTH_REFRESH_TOKEN: ${{ secrets.WORKS_DRIVE_REFRESH_TOKEN }}
- WORKS_ADMIN_OAUTH_TOKEN_URL: ${{ vars.WORKS_ADMIN_OAUTH_TOKEN_URL }}
+ WORKS_DRIVE_OAUTH_TOKEN_URL: ${{ vars.WORKS_DRIVE_OAUTH_TOKEN_URL }}
 run: |
 set -euo pipefail
@@ -189,7 +189,7 @@ jobs:
 elif [ -n "${WORKS_DRIVE_ACCESS_TOKEN_CMD:-}" ]; then
 access_token="$(sh -c "${WORKS_DRIVE_ACCESS_TOKEN_CMD}")"
 else
- token_url="${WORKS_ADMIN_OAUTH_TOKEN_URL:-https://auth.worksmobile.com/oauth2/v2.0/token}"
+ token_url="${WORKS_DRIVE_OAUTH_TOKEN_URL:-https://auth.worksmobile.com/oauth2/v2.0/token}"
 response="$(curl -sS -w $'\n%{http_code}' -X POST \
 -H "Content-Type: application/x-www-form-urlencoded" \
 --data-urlencode "grant_type=refresh_token" \
@@ -230,7 +230,7 @@ jobs:
 WORKS_DRIVE_TARGET: sharedrive
 WORKS_DRIVE_DOCKER_IMAGE_DRIVE_ID: ${{ vars.WORKS_DRIVE_DOCKER_IMAGE_DRIVE_ID }}
 WORKS_DRIVE_DOCKER_IMAGE_PARENT_FILE_ID: ${{ vars.WORKS_DRIVE_DOCKER_IMAGE_PARENT_FILE_ID }}
- WORKS_ADMIN_API_BASE_URL: ${{ vars.WORKS_ADMIN_API_BASE_URL }}
+ WORKS_DRIVE_API_BASE_URL: ${{ vars.WORKS_DRIVE_API_BASE_URL }}
 run: |
 set -euo pipefail
diff --git a/.gitea/workflows/production_image_deploy.yml b/.gitea/workflows/production_image_deploy.yml
index 7bf0c189..e2075e19 100644
--- a/.gitea/workflows/production_image_deploy.yml
+++ b/.gitea/workflows/production_image_deploy.yml
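Review bot: The mapping `WORKS_DRIVE_OAUTH_TOKEN_URL: ${{ vars.WORKS_DRIVE_OAUTH_TOKEN_URL }}` makes the rename a hard cutover for the workflows, while the shell scripts in this same commit keep `WORKS_ADMIN_*` as a fallback; that fallback can never fire from CI because the old names are no longer exported, and a repository that has not yet created the `WORKS_DRIVE_*` variables gets an empty value (an undefined `vars.*` expression expands to empty, as far as I can tell for Gitea Actions), so the step silently falls through to the hard-coded public endpoint for the credentials in this env block. Either rename the repository variables in the same change or keep the old mapping beside the new one during migration, `WORKS_ADMIN_OAUTH_TOKEN_URL: ${{ vars.WORKS_ADMIN_OAUTH_TOKEN_URL }}`, so the scripts' fallback chain is reachable. The same applies to `WORKS_DRIVE_API_BASE_URL` in the @@ -230 hunk and to both deploy workflows (production_image_deploy.yml @@ -109, staging_image_deploy.yml @@ -107).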
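Review bot: The inline refresh-token step resolves `token_url="${WORKS_DRIVE_OAUTH_TOKEN_URL:-https://auth.worksmobile.com/oauth2/v2.0/token}"` with no `WORKS_ADMIN_OAUTH_TOKEN_URL` intermediate, unlike the nested chain this commit writes into upload_works_drive.sh (`request_service_account_token`, `request_refresh_access_token`), so the two paths pick different endpoints when only the old variable is set; use the same nested form here. Since this URL is where the refresh-token grant and client credentials from the env block are POSTed, and it comes from a repository variable that is editable independently of the secrets, a scheme guard before the curl call is cheap insurance: `case "$token_url" in https://*) ;; *) echo "refusing non-https token URL: $token_url" >&2; exit 1;; esac`. The step body continues outside the hunk.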
@@ -109,8 +109,8 @@ jobs:
 WORKS_DRIVE_DOCKER_IMAGE_DRIVE_ID: ${{ vars.WORKS_DRIVE_DOCKER_IMAGE_DRIVE_ID }}
 WORKS_DRIVE_DOCKER_IMAGE_PARENT_FILE_ID: ${{ vars.WORKS_DRIVE_DOCKER_IMAGE_PARENT_FILE_ID }}
 WORKS_DRIVE_DOCKER_IMAGE_DIR: ${{ vars.WORKS_DRIVE_DOCKER_IMAGE_DIR || 'baron-sso' }}
- WORKS_ADMIN_API_BASE_URL: ${{ vars.WORKS_ADMIN_API_BASE_URL }}
- WORKS_ADMIN_OAUTH_TOKEN_URL: ${{ vars.WORKS_ADMIN_OAUTH_TOKEN_URL }}
+ WORKS_DRIVE_API_BASE_URL: ${{ vars.WORKS_DRIVE_API_BASE_URL }}
+ WORKS_DRIVE_OAUTH_TOKEN_URL: ${{ vars.WORKS_DRIVE_OAUTH_TOKEN_URL }}
 WORKS_DRIVE_ACCESS_TOKEN_INPUT: ${{ secrets.WORKS_DRIVE_ACCESS_TOKEN }}
 WORKS_DRIVE_ACCESS_TOKEN_FILE: ${{ vars.WORKS_DRIVE_ACCESS_TOKEN_FILE }}
 WORKS_DRIVE_ACCESS_TOKEN_CMD: ${{ vars.WORKS_DRIVE_ACCESS_TOKEN_CMD }}
diff --git a/.gitea/workflows/staging_image_deploy.yml b/.gitea/workflows/staging_image_deploy.yml
index 12656dec..b02a35b0 100644
--- a/.gitea/workflows/staging_image_deploy.yml
+++ b/.gitea/workflows/staging_image_deploy.yml
@@ -107,8 +107,8 @@ jobs:
 WORKS_DRIVE_DOCKER_IMAGE_DRIVE_ID: ${{ vars.WORKS_DRIVE_DOCKER_IMAGE_DRIVE_ID }}
 WORKS_DRIVE_DOCKER_IMAGE_PARENT_FILE_ID: ${{ vars.WORKS_DRIVE_DOCKER_IMAGE_PARENT_FILE_ID }}
 WORKS_DRIVE_DOCKER_IMAGE_DIR: ${{ vars.WORKS_DRIVE_DOCKER_IMAGE_DIR || 'baron-sso' }}
- WORKS_ADMIN_API_BASE_URL: ${{ vars.WORKS_ADMIN_API_BASE_URL }}
- WORKS_ADMIN_OAUTH_TOKEN_URL: ${{ vars.WORKS_ADMIN_OAUTH_TOKEN_URL }}
+ WORKS_DRIVE_API_BASE_URL: ${{ vars.WORKS_DRIVE_API_BASE_URL }}
+ WORKS_DRIVE_OAUTH_TOKEN_URL: ${{ vars.WORKS_DRIVE_OAUTH_TOKEN_URL }}
 WORKS_DRIVE_ACCESS_TOKEN_INPUT: ${{ secrets.WORKS_DRIVE_ACCESS_TOKEN }}
 WORKS_DRIVE_ACCESS_TOKEN_FILE: ${{ vars.WORKS_DRIVE_ACCESS_TOKEN_FILE }}
 WORKS_DRIVE_ACCESS_TOKEN_CMD: ${{ vars.WORKS_DRIVE_ACCESS_TOKEN_CMD }}
diff --git a/docs/works-drive-docker-image-archive.md b/docs/works-drive-docker-image-archive.md
index 28bb5654..3f25b14d 100644
--- a/docs/works-drive-docker-image-archive.md
+++ b/docs/works-drive-docker-image-archive.md
@@ -21,6 +21,8 @@ Gitea Actions의 shared image publish workflow는 `baron_sso/: Validating image deploy compose config'; \ docker compose --env-file .env -f docker-compose.yml config >/dev/null; \ echo '==> Downloading and loading WORKS Drive application images'; \
diff --git a/scripts/docker-image/download_works_drive.sh b/scripts/docker-image/download_works_drive.sh
index 7f53b2bf..badbaac1 100755
--- a/scripts/docker-image/download_works_drive.sh
+++ b/scripts/docker-image/download_works_drive.sh
@@ -136,7 +136,7 @@ load_image_archive() {
 image_tag="${IMAGE_TAG:-$(dotenv_value IMAGE_TAG)}"
 drive_id="${WORKS_DRIVE_DOCKER_IMAGE_DRIVE_ID:-${WORKS_DRIVE_SHARED_DRIVE_ID:-}}"
 access_token="${WORKS_DRIVE_ACCESS_TOKEN:-}"
-api_base_url="${WORKS_ADMIN_API_BASE_URL:-https://www.worksapis.com}"
+api_base_url="${WORKS_DRIVE_API_BASE_URL:-${WORKS_ADMIN_API_BASE_URL:-https://www.worksapis.com}}"
 curl_bin="${WORKS_DRIVE_CURL_BIN:-curl}"
 image_root_dir="${WORKS_DRIVE_DOCKER_IMAGE_DIR:-${WORKS_SHAREDRIVE_DOCKER_IMAGE_DIR:-baron-sso}}"
 download_root="${WORKS_DOCKER_IMAGE_DOWNLOAD_DIR:-/tmp/baron-sso-docker-image-download}"
diff --git a/scripts/docker-image/upload_works_drive.sh b/scripts/docker-image/upload_works_drive.sh
index be9e7fc1..c51f19c1 100755
--- a/scripts/docker-image/upload_works_drive.sh
+++ b/scripts/docker-image/upload_works_drive.sh
@@ -23,6 +23,8 @@ if [[ -f "$repo_root/.env" ]]; then
 WORKS_DRIVE_ACCESS_TOKEN_FILE
 WORKS_DRIVE_ACCESS_TOKEN_CMD
 WORKS_DRIVE_OAUTH_SCOPE
+ WORKS_DRIVE_API_BASE_URL
+ WORKS_DRIVE_OAUTH_TOKEN_URL
 WORKS_DRIVE_OVERWRITE
 WORKS_DRIVE_DRY_RUN
 WORKS_DRIVE_CURL_BIN
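Review bot: `api_base_url` now accepts an override from either `WORKS_DRIVE_API_BASE_URL` or `WORKS_ADMIN_API_BASE_URL` but is used as-is; `access_token` two lines above is presumably sent as a bearer credential to whatever host this resolves to, so an `https://` check at the point of resolution, `case "$api_base_url" in https://*) ;; *) echo "WORKS_DRIVE_API_BASE_URL must be an https URL" >&2; exit 1;; esac`, would stop a misconfigured or tampered environment from redirecting the token over clear text. The same applies to the `api_base_url=` line in upload_works_drive.sh @@ -72 and the `token_url` lines in @@ -266 and @@ -296.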
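Review bot: Adding `WORKS_DRIVE_API_BASE_URL` and `WORKS_DRIVE_OAUTH_TOKEN_URL` to this list lets a `$repo_root/.env` file choose the hosts that receive the OAuth credentials and the upload token, which is a different class of setting from the operational knobs around them (`WORKS_DRIVE_DRY_RUN`, `WORKS_DRIVE_CURL_BIN`); that is a reasonable convenience but it should be called out where this list is documented, and a comment on the list itself would help, e.g. `# Names below may be overridden from .env; the *_URL entries decide where credentials are sent.` The enclosing `if [[ -f "$repo_root/.env" ]]` block starts and ends outside the hunk, so I cannot see whether the values are validated before they are exported.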
@@ -72,7 +74,7 @@ folder_cache_file="${WORKS_DOCKER_IMAGE_FOLDER_CACHE_FILE:-${archive_root}/.work
 image_root_dir="${WORKS_DRIVE_DOCKER_IMAGE_DIR:-${WORKS_SHAREDRIVE_DOCKER_IMAGE_DIR:-baron-sso}}"
 dry_run="${WORKS_DRIVE_DRY_RUN:-false}"
 target="${WORKS_DRIVE_TARGET:-sharedrive}"
-api_base_url="${WORKS_ADMIN_API_BASE_URL:-https://www.worksapis.com}"
+api_base_url="${WORKS_DRIVE_API_BASE_URL:-${WORKS_ADMIN_API_BASE_URL:-https://www.worksapis.com}}"
 curl_bin="${WORKS_DRIVE_CURL_BIN:-curl}"
 overwrite="${WORKS_DRIVE_OVERWRITE:-true}"
 upload_scope="${WORKS_DRIVE_OAUTH_SCOPE:-file}"
@@ -266,7 +268,7 @@ build_jwt_assertion() {
 request_service_account_token() {
 local client_id="${WORKS_DRIVE_OAUTH_CLIENT_ID:-}"
 local client_secret="${WORKS_DRIVE_OAUTH_CLIENT_SECRET:-}"
- local token_url="${WORKS_ADMIN_OAUTH_TOKEN_URL:-https://auth.worksmobile.com/oauth2/v2.0/token}"
+ local token_url="${WORKS_DRIVE_OAUTH_TOKEN_URL:-${WORKS_ADMIN_OAUTH_TOKEN_URL:-https://auth.worksmobile.com/oauth2/v2.0/token}}"
 local assertion
 local response
 local response_body
@@ -296,7 +298,7 @@ request_refresh_access_token() {
 local client_id="${WORKS_DRIVE_OAUTH_CLIENT_ID:-}"
 local client_secret="${WORKS_DRIVE_OAUTH_CLIENT_SECRET:-}"
 local refresh_token="${WORKS_DRIVE_OAUTH_REFRESH_TOKEN:-}"
- local token_url="${WORKS_ADMIN_OAUTH_TOKEN_URL:-https://auth.worksmobile.com/oauth2/v2.0/token}"
+ local token_url="${WORKS_DRIVE_OAUTH_TOKEN_URL:-${WORKS_ADMIN_OAUTH_TOKEN_URL:-https://auth.worksmobile.com/oauth2/v2.0/token}}"
 local response
 local response_body
 local http_status
diff --git a/test/production_image_workflows_policy_test.sh b/test/production_image_workflows_policy_test.sh
index 3637b2cc..59b69d2e 100644
--- a/test/production_image_workflows_policy_test.sh
+++ b/test/production_image_workflows_policy_test.sh
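Review bot: The token-endpoint precedence rule is now written twice, in `request_service_account_token` (@@ -266) and `request_refresh_access_token` (@@ -296), while `api_base_url` is resolved once at top level in this hunk; resolving `token_url` in the same place, `token_url="${WORKS_DRIVE_OAUTH_TOKEN_URL:-${WORKS_ADMIN_OAUTH_TOKEN_URL:-https://auth.worksmobile.com/oauth2/v2.0/token}}"`, and dropping the two `local token_url=` lines keeps the precedence in one spot and gives one place to validate or log the resolved endpoint. Both functions start before and end after their hunks, so the rest of their bodies is not visible here.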
@@ -68,8 +68,12 @@ grep -Fq "WORKS_DRIVE_OAUTH_CLIENT_SECRET: \${{ secrets.WORKS_OAUTH_CLIENT_SECRE
 || fail "publish workflow must use the Gitea-compatible WORKS OAuth client secret name."
 grep -Fq "WORKS_DRIVE_OAUTH_REFRESH_TOKEN: \${{ secrets.WORKS_DRIVE_REFRESH_TOKEN }}" "$publish_workflow" \
 || fail "publish workflow must support WORKS Drive refresh-token auth."
+grep -Fq "WORKS_DRIVE_OAUTH_TOKEN_URL: \${{ vars.WORKS_DRIVE_OAUTH_TOKEN_URL }}" "$publish_workflow" \
+ || fail "publish workflow must use the WORKS Drive OAuth token URL variable for archive access."
 grep -Fq "WORKS_DRIVE_DOCKER_IMAGE_DRIVE_ID: \${{ vars.WORKS_DRIVE_DOCKER_IMAGE_DRIVE_ID }}" "$publish_workflow" \
 || fail "publish workflow must use the Docker-image-specific WORKS Drive ID variable."
+grep -Fq "WORKS_DRIVE_API_BASE_URL: \${{ vars.WORKS_DRIVE_API_BASE_URL }}" "$publish_workflow" \
+ || fail "publish workflow must use the WORKS Drive API base URL variable for archive access."
 grep -Fq 'WORKS_DRIVE_SHARED_DRIVE_ID="${WORKS_DRIVE_DOCKER_IMAGE_DRIVE_ID}"' "$publish_workflow" \
 || fail "publish workflow must map WORKS_DRIVE_DOCKER_IMAGE_DRIVE_ID into the shared upload script."
 grep -Fq "Resolve WORKS Drive access token" "$publish_workflow" \
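Review bot: The new assertions only verify that the publish workflow's env block passes `vars.WORKS_DRIVE_OAUTH_TOKEN_URL` and `vars.WORKS_DRIVE_API_BASE_URL`; nothing checks that the inline refresh-token step in the same workflow reads the renamed variable, so a regression that renames the env key but leaves the script on `WORKS_ADMIN_OAUTH_TOKEN_URL` still passes this policy test. The check this commit adds for `$remote_deploy_script` further down is the model: `grep -Fq 'token_url="${WORKS_DRIVE_OAUTH_TOKEN_URL:-' "$publish_workflow" \` followed by `|| fail "publish workflow refresh-token step must read WORKS_DRIVE_OAUTH_TOKEN_URL."`.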
@@ -104,8 +108,10 @@ grep -Fq "scripts/deploy/upload_and_run_image_deploy.sh" "$staging_deploy_workfl
 || fail "staging deploy workflow must use the shared remote deploy script."
 grep -Fq "WORKS_DRIVE_DOCKER_IMAGE_DRIVE_ID: \${{ vars.WORKS_DRIVE_DOCKER_IMAGE_DRIVE_ID }}" "$staging_deploy_workflow" \
 || fail "staging deploy workflow must pass the Docker-image-specific WORKS Drive ID variable."
-grep -Fq "WORKS_ADMIN_OAUTH_TOKEN_URL: \${{ vars.WORKS_ADMIN_OAUTH_TOKEN_URL }}" "$staging_deploy_workflow" \
- || fail "staging deploy workflow must pass the WORKS OAuth token URL into the remote image deploy step."
+grep -Fq "WORKS_DRIVE_API_BASE_URL: \${{ vars.WORKS_DRIVE_API_BASE_URL }}" "$staging_deploy_workflow" \
+ || fail "staging deploy workflow must pass the WORKS Drive API base URL into the remote image deploy step."
+grep -Fq "WORKS_DRIVE_OAUTH_TOKEN_URL: \${{ vars.WORKS_DRIVE_OAUTH_TOKEN_URL }}" "$staging_deploy_workflow" \
+ || fail "staging deploy workflow must pass the WORKS Drive OAuth token URL into the remote image deploy step."
 grep -Fq "name: Deploy Baron SSO Production Images" "$deploy_workflow" \
 || fail "deploy workflow must have the expected name."
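Review bot: The staging assertions here and the production assertions in the @@ -127 hunk are the same two `grep -Fq … || fail` pairs with only the file variable and label changed, and this commit had to edit both in lockstep; a small helper would make the next variable rename a one-line change per workflow instead of four and removes the risk of the two blocks drifting. The failure message would then be built from the variable name, which is less prose-like than the current wording but says exactly which mapping is missing.
```shell
require_vars_mapping() {  # $1 workflow file, $2 label, $3 variable name
  grep -Fq "$3: \${{ vars.$3 }}" "$1" \
    || fail "$2 workflow must pass the $3 variable into the remote image deploy step."
}
require_vars_mapping "$staging_deploy_workflow" "staging deploy" WORKS_DRIVE_API_BASE_URL
require_vars_mapping "$staging_deploy_workflow" "staging deploy" WORKS_DRIVE_OAUTH_TOKEN_URL
# … unchanged: remaining staging and production assertions …
```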
@@ -127,8 +133,10 @@ grep -Fq "scripts/deploy/upload_and_run_image_deploy.sh" "$deploy_workflow" \
 || fail "production deploy workflow must use the shared remote deploy script."
 grep -Fq "WORKS_DRIVE_DOCKER_IMAGE_DRIVE_ID: \${{ vars.WORKS_DRIVE_DOCKER_IMAGE_DRIVE_ID }}" "$deploy_workflow" \
 || fail "production deploy workflow must pass the Docker-image-specific WORKS Drive ID variable."
-grep -Fq "WORKS_ADMIN_OAUTH_TOKEN_URL: \${{ vars.WORKS_ADMIN_OAUTH_TOKEN_URL }}" "$deploy_workflow" \
- || fail "production deploy workflow must pass the WORKS OAuth token URL into the remote image deploy step."
+grep -Fq "WORKS_DRIVE_API_BASE_URL: \${{ vars.WORKS_DRIVE_API_BASE_URL }}" "$deploy_workflow" \
+ || fail "production deploy workflow must pass the WORKS Drive API base URL into the remote image deploy step."
+grep -Fq "WORKS_DRIVE_OAUTH_TOKEN_URL: \${{ vars.WORKS_DRIVE_OAUTH_TOKEN_URL }}" "$deploy_workflow" \
+ || fail "production deploy workflow must pass the WORKS Drive OAuth token URL into the remote image deploy step."
 grep -Fq "Same image tag contract as staging" "$deploy_workflow" \
 || fail "production deploy workflow must document that it uses the same image tag as staging."
 grep -Fq "TRAEFIK_PUBLIC_NETWORK=traefik-public" "$bundle_script" \
@@ -137,8 +145,8 @@ grep -Fq "scripts/docker-image/download_works_drive.sh" "$remote_deploy_script"
 || fail "shared remote deploy script must load requested image archives from WORKS Drive before running."
 grep -Fq "refresh_works_drive_access_token" "$remote_deploy_script" \
 || fail "shared remote deploy script must refresh WORKS Drive access tokens when a refresh token is available."
-grep -Fq 'WORKS_ADMIN_OAUTH_TOKEN_URL:-${WORKS_DRIVE_OAUTH_TOKEN_URL:-https://auth.worksmobile.com/oauth2/v2.0/token}' "$remote_deploy_script" \
- || fail "shared remote deploy script must honor WORKS_ADMIN_OAUTH_TOKEN_URL for refresh-token grants."
+grep -Fq 'WORKS_DRIVE_OAUTH_TOKEN_URL:-${WORKS_ADMIN_OAUTH_TOKEN_URL:-https://auth.worksmobile.com/oauth2/v2.0/token}' "$remote_deploy_script" \
+ || fail "shared remote deploy script must prefer WORKS_DRIVE_OAUTH_TOKEN_URL for refresh-token grants."
 grep -Fq "docker compose --env-file .env -f docker-compose.yml config" "$remote_deploy_script" \
 || fail "shared remote deploy script must validate the remote compose config before running."
 grep -Fq "docker compose --env-file .env -f docker-compose.yml pull --ignore-pull-failures" "$remote_deploy_script" \
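Review bot: This assertion pins the remote deploy script's token-URL precedence, but no assertion covers the matching `api_base_url` precedence this commit writes into download_works_drive.sh and upload_works_drive.sh, so the API host could quietly revert to the `WORKS_ADMIN_API_BASE_URL`-only form without this test noticing. If the test already holds a variable for the download script (`$DOWNLOAD_SCRIPT_VAR` below is a placeholder for it), `grep -Fq 'WORKS_DRIVE_API_BASE_URL:-${WORKS_ADMIN_API_BASE_URL:-https://www.worksapis.com}' "$DOWNLOAD_SCRIPT_VAR" \` followed by `|| fail "download script must prefer WORKS_DRIVE_API_BASE_URL for archive access."` mirrors the check above; the rest of the test file is outside this hunk, so I cannot confirm whether such a variable exists.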