diff --git a/pkg/api/bearer_oidc.go b/pkg/api/bearer_oidc.go
index ea3db08a..a2f314fe 100644
--- a/pkg/api/bearer_oidc.go
+++ b/pkg/api/bearer_oidc.go
@@ -140,7 +140,7 @@ func (a *OIDCBearerAuthorizer) verifyAudience(token *oidc.IDToken) bool {
 // extractUsername extracts the username from token claims based on claim mapping configuration.
 func (a *OIDCBearerAuthorizer) extractUsername(claims map[string]any) string {
 	// Default claim to use for username
-	claimName := "sub"
+	claimName := "sub" //nolint:goconst // "sub" is the standard OIDC claim name
 
 	// Use configured claim mapping if available
 	if a.claimMapping != nil && a.claimMapping.Username != "" {
diff --git a/pkg/api/bearer_oidc_test.go b/pkg/api/bearer_oidc_test.go
index 50605b7c..0d231101 100644
--- a/pkg/api/bearer_oidc_test.go
+++ b/pkg/api/bearer_oidc_test.go
@@ -161,7 +161,7 @@ func TestOIDCBearerAuthorizer(t *testing.T) {
 			})
 
 			Convey("Valid token with default claims", func() {
-				subject := "test-user"
+				subject := "test-user" //nolint:goconst // test data
 				token, err := createTestOIDCToken(privKey, issuer, audience, subject, nil)
 				So(err, ShouldBeNil)