diff --git a/bincio/auth/deps.py b/bincio/auth/deps.py
index aa590a1..92efbee 100644
--- a/bincio/auth/deps.py
+++ b/bincio/auth/deps.py
@@ -111,11 +111,28 @@ def _check_rate_limit(
 # ── Auth dependency functions ─────────────────────────────────────────────────
 
 def _decode_session(token: str) -> User | None:
-    """Decode JWT and return the live User, or None if invalid/suspended."""
-    try:
-        payload = decode_token(token, jwt_secret)
-    except _jwt.PyJWTError:
-        return None
+    """Decode JWT (RS256 or HS256) and return the live User, or None if invalid/suspended."""
+    payload = None
+
+    if oidc_private_key_pem:
+        try:
+            from cryptography.hazmat.primitives.serialization import load_pem_private_key
+            priv = load_pem_private_key(oidc_private_key_pem.encode(), password=None)
+            payload = _jwt.decode(
+                token,
+                priv.public_key(),
+                algorithms=["RS256"],
+                options={"verify_aud": False},
+            )
+        except Exception:
+            pass
+
+    if payload is None:
+        try:
+            payload = decode_token(token, jwt_secret)
+        except _jwt.PyJWTError:
+            return None
+
     handle = payload.get("sub")
     if not handle:
         return None
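Review bot: The RS256 branch decodes with `options={"verify_aud": False}`, so any token signed by the OIDC private key is accepted as a session no matter which audience it was minted for; if that same key signs ID tokens handed to relying parties, those tokens become valid sessions here. Pin the expected audience and issuer instead of disabling the check, e.g. `audience=<SESSION_AUDIENCE_PLACEHOLDER>, issuer=<ISSUER_PLACEHOLDER>` in the `_jwt.decode(...)` call, or require a claim that only session tokens carry and reject payloads without it before `handle = payload.get("sub")`. The `except Exception: pass` also hides a missing `cryptography` package or an unparsable PEM and silently falls through to HS256; catching `(ImportError, ValueError, _jwt.PyJWTError)` and logging which path failed would make the fallback observable rather than masking a misconfiguration. Re-parsing the private key on every call only to derive its public half is avoidable too — loading it once at startup (or memoizing the public key) removes per-request PEM parsing from the auth path. The body of `_decode_session` continues past the hunk.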