diff --git a/app/utils/api.js b/app/utils/api.js
index 6b631ee..2592365 100644
--- a/app/utils/api.js
+++ b/app/utils/api.js
@@ -44,14 +44,20 @@ async function apiFetch(endpoint, options = {}) {
 }
 
 /**
- * Auth fetch — no token attached, returns full { status, data, ok } for status-code handling
+ * Auth fetch — returns full { status, data, ok } for status-code handling
  */
-async function authFetch(endpoint, body) {
+async function authFetch(endpoint, body, token = null) {
   console.log('[Auth] Request:', `${API_BASE}${endpoint}`);
 
+  const headers = { 'Content-Type': 'application/json' };
+  if (token) {
+    headers['Authorization'] = `Bearer ${token}`;
+    console.log('[Auth] Sending with Bearer token');
+  }
+
   const res = await fetch(`${API_BASE}${endpoint}`, {
     method: 'POST',
-    headers: { 'Content-Type': 'application/json' },
+    headers,
     body: JSON.stringify(body),
   });
 
@@ -262,12 +268,14 @@ export async function sendPhoneOTP() {
 
 export async function verifyEmail(code) {
   console.log('[Auth] Verifying email with code:', code);
-  return authFetch(`/Auth/VerifyEmail?code=${encodeURIComponent(code)}`, {});
+  const token = typeof window !== 'undefined' ? localStorage.getItem('token') : null;
+  return authFetch(`/Auth/VerifyEmail?code=${encodeURIComponent(code)}`, {}, token);
 }
 
 export async function verifyPhone(code) {
   console.log('[Auth] Verifying phone with code:', code);
-  return authFetch(`/Auth/VerifyPhoneNumber?code=${encodeURIComponent(code)}`, {});
+  const token = typeof window !== 'undefined' ? localStorage.getItem('token') : null;
+  return authFetch(`/Auth/VerifyPhoneNumber?code=${encodeURIComponent(code)}`, {}, token);
 }
 
 // ─── Helpers ───