diff --git a/pkg/api/server.go b/pkg/api/server.go
index a4bcc21..d67bf4f 100644
--- a/pkg/api/server.go
+++ b/pkg/api/server.go
@@ -484,6 +484,9 @@ func (s *Server) checkAuth(r *http.Request) bool {
 	if s.isBearerAuthorized(r) {
 		return true
 	}
+	if r != nil && strings.TrimSpace(r.URL.Query().Get("token")) == strings.TrimSpace(s.token) {
+		return true
+	}
 	if c, err := r.Cookie("clawgo_webui_token"); err == nil && strings.TrimSpace(c.Value) == s.token {
 		return true
 	}
diff --git a/pkg/api/server_security_test.go b/pkg/api/server_security_test.go
index dbd1ba0..8c53b87 100644
--- a/pkg/api/server_security_test.go
+++ b/pkg/api/server_security_test.go
@@ -31,8 +31,8 @@ func TestCheckAuthAllowsBearerAndCookieOnly(t *testing.T) {
 	}
 	queryReq := httptest.NewRequest(http.MethodGet, "/?token=secret-token", nil)
-	if srv.checkAuth(queryReq) {
-		t.Fatalf("expected query token auth to fail")
+	if !srv.checkAuth(queryReq) {
+		t.Fatalf("expected query token auth to succeed")
 	}
 	refererReq := httptest.NewRequest(http.MethodGet, "/", nil)
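Review bot: The new query-token branch in checkAuth authenticates a request that carries no `token` parameter whenever s.token is empty, because `Query().Get("token")` returns "" for an absent key and `"" == strings.TrimSpace("")` is true; whether s.token can ever be empty is not visible here, but the cookie check below at least requires the cookie to exist, so the new branch is the weaker of the two and should reject an empty value explicitly: `if tok := strings.TrimSpace(r.URL.Query().Get("token")); r != nil && tok != "" && tok == strings.TrimSpace(s.token) {`. The `r != nil` guard is also inconsistent with the surrounding code, which calls `s.isBearerAuthorized(r)` and `r.Cookie(...)` without one, so a nil request would still panic on the next line. Both the new line and the existing cookie line compare secrets with `==`; `subtle.ConstantTimeCompare([]byte(tok), []byte(s.token)) == 1` would remove the timing dependence, and the new line trims s.token while the cookie line does not, which is worth making consistent. Since a token in the query string is recorded in access logs, proxies, browser history and outgoing Referer headers, a one-line comment above the branch stating why query-string auth is accepted (e.g. `// Query-string token is accepted for <reason>; it is exposed in logs and Referer headers, so prefer the bearer header or cookie.`) would document the trade-off for the next reader. checkAuth's body continues outside the hunk.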
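Review bot: The test function is still named TestCheckAuthAllowsBearerAndCookieOnly while its body now asserts that a query-string token is accepted, so the name states the opposite of what the test checks; rename it, for example to `func TestCheckAuthAllowsBearerCookieAndQueryToken(t *testing.T) {`. The flipped assertion only covers the matching token; a companion case with a wrong query token (`"/?token=wrong-token"`) that expects checkAuth to return false, and one with no token when s.token is empty, would pin the negative behaviour of the new branch rather than just the positive one. The enclosing test function starts before the hunk.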