diff --git a/pallas/multimodal_server.py b/pallas/multimodal_server.py
index 8683b0e..0707e4f 100644
--- a/pallas/multimodal_server.py
+++ b/pallas/multimodal_server.py
@@ -39,13 +39,20 @@ logger = get_logger(__name__)
 
 
 def _get_request_bearer_token() -> str | None:
- """Return the authenticated bearer token for the current MCP request."""
- try:
- from fastmcp.server.dependencies import get_access_token
+ """Return the raw bearer token from the current MCP request's Authorization header.
 
- access_token = get_access_token()
- if access_token is not None:
- return access_token.token
+ Reads the header directly rather than going through get_access_token() because
+ Pallas runs without FastMCP auth middleware — there is no AuthenticatedUser in
+ the request scope, so get_access_token() always returns None here. The token
+ is an opaque string forwarded to opted-in downstream servers by _fastagent_patch.
+ """
+ try:
+ from fastmcp.server.dependencies import get_http_request
+
+ request = get_http_request()
+ auth = request.headers.get("authorization", "")
+ if auth.lower().startswith("bearer "):
+ return auth[7:]
 except Exception:
 pass
 return None
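Review bot: `return auth[7:]` hands back whatever follows the scheme, so a header of `Bearer ` yields an empty string and extra spaces after the scheme yield a token with leading whitespace; a caller that only tests for `None` would then forward that value downstream. I would normalise it with `token = auth[7:].strip()` followed by `return token or None`. Because the new docstring says no FastMCP auth middleware runs here, the returned value is unvalidated client input at this point, and the docstring should say so explicitly, along with a statement that the token must never be logged and that each opted-in downstream server has to validate it itself (audience included). The broad `except Exception: pass` that follows the added lines also makes a missing request context indistinguishable from a bug in the header handling; a `logger.debug(...)` that omits the header value would keep those apart.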