diff --git a/src/main/java/de/avatic/lcc/config/SecurityConfig.java b/src/main/java/de/avatic/lcc/config/SecurityConfig.java
index c3f7811..f49ea2f 100644
--- a/src/main/java/de/avatic/lcc/config/SecurityConfig.java
+++ b/src/main/java/de/avatic/lcc/config/SecurityConfig.java
@@ -4,6 +4,7 @@ import de.avatic.lcc.model.db.users.User;
 import de.avatic.lcc.repositories.users.GroupRepository;
 import de.avatic.lcc.repositories.users.UserRepository;
 import de.avatic.lcc.service.apps.JwtTokenService;
+import io.jsonwebtoken.Claims;
 import jakarta.servlet.FilterChain;
 import jakarta.servlet.ServletException;
 import jakarta.servlet.http.HttpServletRequest;
@@ -27,6 +28,7 @@ import org.springframework.security.oauth2.client.userinfo.OAuth2UserService;
 import org.springframework.security.oauth2.core.oidc.user.OidcUser;
 import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationConverter;
 import org.springframework.security.oauth2.server.resource.authentication.JwtGrantedAuthoritiesConverter;
+import org.springframework.security.oauth2.server.resource.web.BearerTokenResolver;
 import org.springframework.security.oauth2.server.resource.web.authentication.BearerTokenAuthenticationFilter;
 import org.springframework.security.web.SecurityFilterChain;
 import org.springframework.security.web.authentication.HttpStatusEntryPoint;
@@ -76,6 +78,7 @@ public class SecurityConfig {
 .defaultSuccessUrl("/", true)
 )
 .oauth2ResourceServer(oauth2 -> oauth2
+ .bearerTokenResolver(bearerTokenResolver(jwtTokenService))
 .jwt(jwt -> jwt
 .jwtAuthenticationConverter(jwtAuthenticationConverter())
 )
@@ -280,6 +283,30 @@ public class SecurityConfig {
 }
+ @Bean
+ @Profile("!dev & !test")
+ public BearerTokenResolver bearerTokenResolver(JwtTokenService jwtTokenService) {
+ return request -> {
+ String authHeader = request.getHeader("Authorization");
+ if (authHeader != null && authHeader.startsWith("Bearer ")) {
+ String token = authHeader.substring(7);
+
+ try {
+ Claims claims = jwtTokenService.validateToken(token);
+ String tokenType = claims.get("token_type", String.class);
+ if ("ext_app".equals(tokenType)) {
+ return null; // SelfIssuedJwtFilter behandelt es
+ }
+ } catch (Exception e) {
+ // Kein selbst ausgestelltes Token, weiter zur OAuth2 Validierung
+ }
+
+ return token;
+ }
+ return null;
+ };
+ }
+
 public static final class LccCsrfTokenRequestHandler extends CsrfTokenRequestAttributeHandler {
 private final CsrfTokenRequestHandler delegate = new CsrfTokenRequestAttributeHandler();
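Review bot: The `catch (Exception e)` around `jwtTokenService.validateToken(token)` swallows every failure, including programming errors inside the service, and then forwards the token to the OAuth2 decoder as if the self-issued check had simply not matched; narrow it to the library's own type and say why in English, `} catch (JwtException e) { // not a self-issued token: defer to OAuth2 validation }` (with `io.jsonwebtoken.JwtException` imported next to `Claims`). Returning `null` for an `ext_app` token makes `BearerTokenAuthenticationFilter` treat the request as anonymous, so authentication for those tokens rests entirely on `SelfIssuedJwtFilter` being registered in this chain under the same `!dev & !test` condition — that filter is not visible in this hunk, so a short Javadoc on the bean stating that dependency would help the next reader. The bean is skipped by `@Profile` in dev/test, yet the call `.bearerTokenResolver(bearerTokenResolver(jwtTokenService))` in the earlier hunk is unconditional; confirm the context still starts in those profiles. Minor: `startsWith("Bearer ")` is case-sensitive, whereas Spring's `DefaultBearerTokenResolver` matches the scheme case-insensitively, so mixed-case headers would silently bypass the self-issued check here and land in the OAuth2 path.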