diff --git a/app/controllers/api/v2/base_controller.rb b/app/controllers/api/v2/base_controller.rb
index 0c43862ed..8a8ff9509 100644
--- a/app/controllers/api/v2/base_controller.rb
+++ b/app/controllers/api/v2/base_controller.rb
@@ -1,15 +1,15 @@
 class API::V2::BaseController < ApplicationController
   # Disable forgery protection for API controllers when the request is authenticated
   # with a bearer token. Otherwise the session will be nullified and we'll lose curent_user
-  protect_from_forgery with: :null_session, unless: :token?
+  skip_forgery_protection if: -> { request.headers.key?('HTTP_AUTHORIZATION') }
 
   skip_before_action :setup_tracking
-  prepend_before_action :authenticate_administrateur_from_token
+  before_action :authenticate_from_token
 
   private
   def context
-    if api_token.present?
-      api_token.context
+    if @api_token.present?
+      @api_token.context
       # web interface (/graphql) give current_administrateur
     elsif current_administrateur.present?
       {
@@ -20,32 +20,14 @@ class API::V2::BaseController < ApplicationController
     end
   end
 
-  def token?
-    authorization_bearer_token.present?
-  end
+  private
 
-  def authenticate_administrateur_from_token
-    if api_token.present?
-      @current_user = api_token.administrateur.user
-    end
-  end
+  def authenticate_from_token
+    @api_token = authenticate_with_http_token { |t, _o| APIToken.authenticate(t) }
 
-  def api_token
-    if @api_token.nil?
-      @api_token = APIToken
-        .authenticate(authorization_bearer_token)
-        &.tap { _1.touch(:last_v2_authenticated_at) } || false
-    end
-    @api_token
-  end
-
-  def authorization_bearer_token
-    @authorization_bearer_token ||= begin
-      received_token = nil
-      authenticate_with_http_token do |token, _options|
-        received_token = token
-      end
-      received_token
+    if @api_token.present?
+      @api_token.touch(:last_v2_authenticated_at)
+      @current_user = @api_token.administrateur.user
     end
   end
 end
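Review bot: The forgery-protection skip at the top of the first hunk is keyed on the mere presence of an `Authorization` header, not on a token that actually authenticated: when the header carries an invalid or expired token, `authenticate_from_token` in the second hunk leaves `@current_user` unset, so the request proceeds with the session user and no CSRF check at all, whereas the replaced `null_session` variant at least dropped the session in that case. A cross-site caller normally cannot set `Authorization` without a CORS preflight, so the actual exposure depends on the API's CORS policy, which is outside this diff. Consider tying the skip to a successful authentication, for example keeping the authentication callback prepended so it runs before `verify_authenticity_token` and using `skip_forgery_protection if: -> { @api_token.present? }` (the skip condition is evaluated when the verification callback is reached, so the token lookup must be ordered ahead of it). Separately, the `private` added in the second hunk is redundant because `context` is already below a `private` marker, and the indentation of the added `if @api_token.present?` block is not recoverable from this listing, so confirm it sits inside the method body.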