diff --git a/src/main/java/org/tkit/onecx/permission/common/services/TokenService.java b/src/main/java/org/tkit/onecx/permission/common/services/TokenService.java
index 1180357..77da83b 100644
--- a/src/main/java/org/tkit/onecx/permission/common/services/TokenService.java
+++ b/src/main/java/org/tkit/onecx/permission/common/services/TokenService.java
@@ -2,7 +2,6 @@
 import java.util.List;
-import io.quarkus.oidc.common.runtime.OidcConstants;
 import jakarta.enterprise.context.ApplicationScoped;
 import jakarta.inject.Inject;
@@ -11,6 +10,7 @@
 import org.tkit.quarkus.rs.context.token.TokenParserRequest;
 import org.tkit.quarkus.rs.context.token.TokenParserService;
+import io.quarkus.oidc.common.runtime.OidcConstants;
 import lombok.extern.slf4j.Slf4j;
 @Slf4j
diff --git a/src/test/java/org/tkit/onecx/permission/rs/external/v1/PermissionRestControllerTest.java b/src/test/java/org/tkit/onecx/permission/rs/external/v1/PermissionRestControllerTest.java
index afa0a2d..a05ee5d 100644
--- a/src/test/java/org/tkit/onecx/permission/rs/external/v1/PermissionRestControllerTest.java
+++ b/src/test/java/org/tkit/onecx/permission/rs/external/v1/PermissionRestControllerTest.java
@@ -5,11 +5,9 @@
 import static org.assertj.core.api.Assertions.assertThat;
 import static org.jboss.resteasy.reactive.RestResponse.Status.*;
-import java.net.URI;
 import java.util.List;
 import java.util.stream.Stream;
-import org.eclipse.microprofile.config.ConfigProvider;
 import org.junit.jupiter.api.Test;
 import org.junit.jupiter.params.ParameterizedTest;
 import org.junit.jupiter.params.provider.Arguments;
@@ -31,6 +29,7 @@ class PermissionRestControllerTest extends AbstractTest {
 @Test
 void getApplicationPermissionsTest() {
+ // bearer prefix
 var accessToken = createTokenBearer(List.of("n3"));
 var dto = given()
@@ -46,6 +45,22 @@ void getApplicationPermissionsTest() {
 assertThat(dto.getPermissions()).isNotNull().hasSize(1);
 assertThat(dto.getPermissions().get("o1")).isNotNull().hasSize(1).containsExactly("a3");
+ // without bearer prefix
+ accessToken = createToken(null, List.of("n3"));
+
+ dto = given()
+ .contentType(APPLICATION_JSON)
+ .body(new PermissionRequestDTOV1().token(accessToken))
+ .post("app1")
+ .then()
+ .statusCode(OK.getStatusCode())
+ .extract()
+ .body().as(ApplicationPermissionsDTOV1.class);
+
+ assertThat(dto).isNotNull();
+ assertThat(dto.getPermissions()).isNotNull().hasSize(1);
+ assertThat(dto.getPermissions().get("o1")).isNotNull().hasSize(1).containsExactly("a3");
+
 }
 private static Stream badRequestData() {
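Review bot: The added "without bearer prefix" block reuses `accessToken` and `dto` from the first half of getApplicationPermissionsTest and repeats the same request and three assertions, so a failure is reported under one test name whichever token form broke it. Moving the block into its own method, for example `@Test void getApplicationPermissionsWithoutBearerPrefixTest() {` starting with `var accessToken = createToken(null, List.of("n3"));`, keeps the two accepted token forms separately visible in the results. Since the endpoint is now shown to accept the token in two encodings, it is also worth asserting that a malformed value (for instance a prefix with nothing after it) is rejected; whether badRequestData already covers that cannot be seen from this hunk. The method begins in the previous hunk.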