diff --git a/backend/app/api/auth.py b/backend/app/api/auth.py
index 8f2f77c..86aca7c 100644
--- a/backend/app/api/auth.py
+++ b/backend/app/api/auth.py
@@ -40,6 +40,10 @@ def token_required(f):
         if auth_header.startswith('Bearer '):
             token = auth_header[7:]
 
+        # Fallback: token as query parameter (for direct browser downloads)
+        if not token:
+            token = request.args.get('token', '')
+
         if not token:
             return jsonify({'error': 'Token fehlt'}), 401
 
diff --git a/frontend/src/stores/files.js b/frontend/src/stores/files.js
index 932abf8..89e8dee 100644
--- a/frontend/src/stores/files.js
+++ b/frontend/src/stores/files.js
@@ -1,6 +1,7 @@
 import { defineStore } from 'pinia'
 import { ref } from 'vue'
 import apiClient from '../api/client'
+import { useAuthStore } from './auth'
 
 export const useFilesStore = defineStore('files', () => {
   const files = ref([])
@@ -72,7 +73,8 @@ export const useFilesStore = defineStore('files', () => {
   }
 
   function downloadUrl(fileId) {
-    return `/api/files/${fileId}/download`
+    const auth = useAuthStore()
+    return `/api/files/${fileId}/download?token=${encodeURIComponent(auth.accessToken || '')}`
   }
 
   return {