diff --git a/api/photo.php b/api/photo.php
index f80f4c7..054901d 100644
--- a/api/photo.php
+++ b/api/photo.php
@@ -34,9 +34,16 @@ require_once __DIR__.'/../lib/bericht.lib.php';
 // Support Token via Header ODER Query-String (für ohne Header)
 $token_str = '';
-$hdr = $_SERVER['HTTP_AUTHORIZATION'] ?? '';
+$hdr = $_SERVER['HTTP_AUTHORIZATION'] ?? ($_SERVER['REDIRECT_HTTP_AUTHORIZATION'] ?? '');
+if (!$hdr && function_exists('apache_request_headers')) {
+ $h = apache_request_headers();
+ foreach ($h as $k => $v) {
+ if (strcasecmp($k, 'Authorization') === 0) { $hdr = $v; break; }
+ }
+}
 if ($hdr && stripos($hdr, 'bearer ') === 0) $token_str = trim(substr($hdr, 7));
 if (!$token_str && !empty($_GET['jwt'])) $token_str = (string) $_GET['jwt'];
+if (!$token_str && !empty($_GET['token']) && preg_match('/^[A-Za-z0-9_.-]+$/', $_GET['token'])) $token_str = $_GET['token'];
 $payload = $token_str ? bericht_jwt_decode($token_str) : null;
 if (!$payload || empty($payload['sub'])) {
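Review bot: The new `$_GET['token']` branch hands the raw query value to `preg_match()` without checking that it is a string; `!empty()` is also satisfied by an array (`?token[]=x`), so `preg_match()` throws a TypeError on PHP 8 and a malformed request becomes a 500 instead of reaching the 401 path below. Guard it with `is_string()` and use the `D` modifier so a trailing newline is not accepted by `$`: `if (!$token_str && isset($_GET['token']) && is_string($_GET['token']) && preg_match('/^[A-Za-z0-9_.-]+$/D', $_GET['token'])) $token_str = $_GET['token'];`. Since the bearer token is now accepted through two query parameters, it lands in access logs, proxy logs and Referer headers; the comment above should state why the query-string path is required, and the response should send `Cache-Control: no-store` so a cached URL does not keep a usable credential. The `apache_request_headers()` loop can be replaced by `$hdr = array_change_key_case(apache_request_headers())['authorization'] ?? '';`, which also makes the case-insensitive lookup explicit. The `if (!$payload || empty($payload['sub']))` block continues outside the hunk, and the hunk header counts suggest one more context line follows.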