diff --git a/apps/link/app/_components/ZammadLoginProvider.tsx b/apps/link/app/_components/ZammadLoginProvider.tsx index 71fe138..f1bf407 100644 --- a/apps/link/app/_components/ZammadLoginProvider.tsx +++ b/apps/link/app/_components/ZammadLoginProvider.tsx @@ -20,6 +20,9 @@ export const ZammadLoginProvider: FC = ({ children }) => { if (response.status !== 200) { window.location.href = "/zammad/auth/sso"; + } else { + const token = response.headers.get("CSRF-Token"); + update({ zammadCsrfToken: token }); } } }; diff --git a/apps/link/app/_lib/authentication.ts b/apps/link/app/_lib/authentication.ts index 79618ed..b907e98 100644 --- a/apps/link/app/_lib/authentication.ts +++ b/apps/link/app/_lib/authentication.ts @@ -118,14 +118,20 @@ export const authOptions: NextAuthOptions = { session: async ({ session, token }) => { // @ts-ignore session.user.roles = token.roles ?? []; + // @ts-ignore + session.user.zammadCsrfToken = token.zammadCsrfToken; return session; }, - jwt: async ({ token, user }) => { + jwt: async ({ token, user, trigger, session }) => { if (user) { token.roles = (await getUserRoles(user.email)) ?? []; } + if (session && trigger === "update") { + token.zammadCsrfToken = session.zammadCsrfToken; + } + return token; }, }, diff --git a/apps/link/app/_lib/zammad.ts b/apps/link/app/_lib/zammad.ts index cd2422d..c3fdbe9 100644 --- a/apps/link/app/_lib/zammad.ts +++ b/apps/link/app/_lib/zammad.ts @@ -8,6 +8,8 @@ const getHeaders = async () => { "Content-Type": "application/json", Accept: "application/json", "X-Browser-Fingerprint": `${session.expires}`, + // @ts-ignore + "X-CSRF-Token": session.user.zammadCsrfToken, Cookie: allCookies .map((cookie: any) => `${cookie.name}=${cookie.value}`) .join("; "),
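Review bot: `response.headers.get("CSRF-Token")` returns `null` when the header is absent, and the added `else` branch passes that straight to `update`, which would replace any token already held in the session with `null`. Guard the call, e.g. `if (token) update({ zammadCsrfToken: token });`, and consider skipping it when the value has not changed, since every `update` goes through the `jwt` callback and rewrites the session cookie. The enclosing check function starts above the hunk, so how often this branch runs is not visible here.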
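Review bot: In the `jwt` callback, the `session` argument on `trigger === "update"` is whatever the browser passed to `update()`, so `session.zammadCsrfToken` is copied into the signed token without validation. Because `zammad.ts` later puts this value in an outgoing `X-CSRF-Token` header, accept it only when it is a string of plausible shape, e.g. `if (trigger === "update" && typeof session?.zammadCsrfToken === "string" && session.zammadCsrfToken.length <= 256) token.zammadCsrfToken = session.zammadCsrfToken;` (the length bound is a constructed example). The new `// @ts-ignore` lines here and in `zammad.ts` hide these accesses from the compiler; a `next-auth` module augmentation declaring `zammadCsrfToken` on the session user and on `JWT` would let them be type-checked instead.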
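Review bot: `session.user.zammadCsrfToken` stays unset until the client has completed the `update()` round trip, so the added `"X-CSRF-Token"` entry can hold `undefined` or `null`. Depending on how this object is converted to request headers, that may be sent as the literal string `undefined`. Add the header only when a token exists, e.g. `const csrf = session?.user?.zammadCsrfToken;` above the object and `...(csrf ? { "X-CSRF-Token": csrf } : {}),` in place of the new entry. `getHeaders` begins before the hunk, so whether `session` is null-checked earlier is not visible.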