diff --git a/app/zabbix.py b/app/zabbix.py
index e9adcb7..7007212 100644
--- a/app/zabbix.py
+++ b/app/zabbix.py
@@ -37,9 +37,14 @@ class ZabbixClient:
     def _call(self, method, params):
         self._id += 1
         payload = {'jsonrpc': '2.0', 'method': method, 'params': params, 'id': self._id}
-        if self._auth:
+        headers = {}
+        if ZABBIX_API_TOKEN:
+            # Zabbix 6.4+: API tokens go in the Authorization header, not the payload
+            headers['Authorization'] = f'Bearer {ZABBIX_API_TOKEN}'
+        elif self._auth:
+            # Zabbix < 6.4 / user+password sessions: auth goes in the JSON-RPC payload
             payload['auth'] = self._auth
-        resp = requests.post(self._url, json=payload, timeout=30)
+        resp = requests.post(self._url, json=payload, headers=headers, timeout=30)
         resp.raise_for_status()
         body = resp.json()
         if 'error' in body:
@@ -48,7 +53,7 @@ class ZabbixClient:
 
     def login(self):
         if ZABBIX_API_TOKEN:
-            self._auth = ZABBIX_API_TOKEN   # API token used directly — no session needed
+            pass  # token is sent via Authorization header in every _call — no login needed
         else:
             self._auth = self._call('user.login', {'user': ZABBIX_USER, 'password': ZABBIX_PASSWORD})