diff --git a/.changeset/curvy-jeans-dream.md b/.changeset/curvy-jeans-dream.md
new file mode 100644
index 00000000000..0e396331d76
--- /dev/null
+++ b/.changeset/curvy-jeans-dream.md
@@ -0,0 +1,5 @@
+---
+"@atproto/pds": patch
+---
+
+Inspect bearer auth token on uploadBlob
diff --git a/packages/pds/src/auth-verifier.ts b/packages/pds/src/auth-verifier.ts
index 4e4473a3f26..bc23b2e6e69 100644
--- a/packages/pds/src/auth-verifier.ts
+++ b/packages/pds/src/auth-verifier.ts
@@ -249,11 +249,14 @@ export class AuthVerifier {
 accessOrUserServiceAuth = (opts: Partial = {}) => async (ctx: ReqCtx): Promise => {
- try {
- return await this.accessStandard(opts)(ctx)
- } catch {
- return await this.userServiceAuth(ctx)
+ const token = bearerTokenFromReq(ctx.req)
+ if (token) {
+ const payload = jose.decodeJwt(token)
+ if (payload['lxm']) {
+ return this.userServiceAuth(ctx)
+ }
 }
+ return this.accessStandard(opts)(ctx)
 } modService = async (ctx: ReqCtx): Promise => {
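Review bot: `jose.decodeJwt(token)` in the new `accessOrUserServiceAuth` body runs on the raw bearer value with no error handling, and it throws when the value is not a well-formed JWT. A malformed or non-JWT bearer token would then surface as a jose error rather than the rejection `accessStandard` would have produced; how the server maps that error is not visible in this hunk. Catch the decode failure and fall through to the standard path, e.g. `try { payload = jose.decodeJwt(token) } catch { /* not a JWT: let accessStandard reject it */ }`. The `lxm` claim is also read before any signature check, so it is caller-controlled and is safe only as a selector between verifiers, assuming both `userServiceAuth` and `accessStandard` fully validate the token. A comment such as `// unverified decode: routing only, never trust payload for authorization` above the decode would keep later edits from relying on it.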