diff --git a/server/channels/api4/access_control.go b/server/channels/api4/access_control.go
index 078391032df..d5c28afe4d0 100644
--- a/server/channels/api4/access_control.go
+++ b/server/channels/api4/access_control.go
@@ -11,6 +11,7 @@ import (
 	"github.com/mattermost/mattermost/server/public/model"
 	"github.com/mattermost/mattermost/server/public/shared/mlog"
+	"github.com/mattermost/mattermost/server/v8/channels/app"
 )
 func (api *API) InitAccessControlPolicy() {
@@ -392,9 +393,11 @@ func updateActiveStatus(c *Context, w http.ResponseWriter, r *http.Request) {
 		return
 	}
-	// CSRF barrier: only allow header-based auth (reject cookie-only sessions)
-	if r.Header.Get(model.HeaderAuth) == "" {
-		c.SetInvalidParam("Authorization")
+	// CSRF barrier: only allow header-based auth (reject cookie sessions)
+	token, tokenLocation := app.ParseAuthTokenFromRequest(r)
+	if token == "" || tokenLocation == app.TokenLocationCookie {
+		c.Err = model.NewAppError("updateActiveStatus", "api.context.session_cookie_not_allowed.app_error", nil,
+			"This endpoint requires header-based authentication", http.StatusUnauthorized)
 		return
 	}
diff --git a/server/i18n/en.json b/server/i18n/en.json
index 955201a9409..4f9c976f34d 100644
--- a/server/i18n/en.json
+++ b/server/i18n/en.json
@@ -1917,6 +1917,10 @@
         "id": "api.context.session_expired.app_error",
         "translation": "Invalid or expired session, please login again."
     },
+    {
+        "id": "api.context.session_cookie_not_allowed.app_error",
+        "translation": "Cookie-based authentication is not allowed for this endpoint. Please use header-based authentication."
+    },
     {
         "id": "api.context.token_provided.app_error",
         "translation": "Session is not OAuth but token was provided in the query string."
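Review bot: The new barrier in updateActiveStatus is a deny-list on one location, so a token that ParseAuthTokenFromRequest picks up from somewhere other than a cookie or the Authorization header (it also recognizes query-string tokens, reported as app.TokenLocationQueryString) passes the check even though the comment and the error detail promise header-only authentication. Unless other non-cookie locations are meant to be accepted here, express the intent as an allow-list, `if token == "" || tokenLocation != app.TokenLocationHeader {`, so a later addition of a browser-attachable token source cannot silently widen the exception; otherwise reword the comment to `// CSRF barrier: reject cookie-delivered tokens; any other token location is accepted`. The check also runs on every request regardless of how the session in c was established, which is fine for a CSRF barrier but worth a sentence in the comment so the redundancy with the session lookup is not "cleaned up" later. updateActiveStatus begins and ends outside this hunk.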