diff --git a/CHANGELOG.md b/CHANGELOG.md index cd68553d..e3f41707 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,5 +1,9 @@ # Release Notes +## 2.6.1 (2023-06-24) + +- Fix api token checking + ## 2.6.0 (2023-06-21) - Try to auto-generate meaningful linked content preview if display setting is missing diff --git a/bootstrap.php b/bootstrap.php index 16d60333..c8943a45 100644 --- a/bootstrap.php +++ b/bootstrap.php @@ -1,6 +1,6 @@ null ]; - if ($token != 'public') { + if ($token != 'public' && preg_match('/^USR-/', $token)) { - if (preg_match('/^USR-/', $token)) { + $user = $this->dataStorage->findOne('system/users', ['apiKey' => $token]); - $user = $this->dataStorage->findOne('system/users', ['apiKey' => $token]); - - if (!$user) { - $this->response->status = 412; - return ['error' => 'Authentication failed']; - } + if (!$user) { + $this->response->status = 412; + return ['error' => 'Authentication failed']; + } - $apiUser['user'] = $user['user']; - $apiUser['role'] = $user['role']; + $apiUser['user'] = $user['user']; + $apiUser['role'] = $user['role']; - // is jwt token? - } elseif (preg_match('/^[A-Za-z0-9-_]+\.[A-Za-z0-9-_]+\.[A-Za-z0-9-_]*$/', $token)) { + // is jwt token? + } elseif ($token != 'public' && preg_match('/^[A-Za-z0-9-_]+\.[A-Za-z0-9-_]+\.[A-Za-z0-9-_]*$/', $token)) { // todo - } - } else { $key = $this->helper('api')->getKey($token);
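Review bot: The `elseif` branch for JWT-shaped tokens still contains only `// todo`, so a token that merely matches the three-segment pattern skips both the `system/users` lookup and the `getKey($token)` check in the `else` branch, and nothing visible here returns a 412 for it. That is the same kind of fall-through this commit closes for other non-`public` tokens; until JWT verification is implemented the branch should fail closed, for example by replacing `// todo` with `$this->response->status = 412; return ['error' => 'Authentication failed'];`. In that branch `$apiUser` keeps its initial values, and what those are allowed to do is decided outside the hunk, so the effective exposure needs confirming there. Separately, `$token != 'public'` would be better written as `$token !== 'public'` in both conditions so the comparison involves no type juggling. The extraction of this page appears to have dropped this hunk's own file header (its lines show up under `bootstrap.php`), and the enclosing function starts and ends outside the hunk.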