diff --git a/public/js/dashboard.js b/public/js/dashboard.js
index 2702359..6a59d6f 100644
--- a/public/js/dashboard.js
+++ b/public/js/dashboard.js
@@ -190,8 +190,9 @@ const protocol = window.location.protocol === 'https:' ? 'wss:' : 'ws:';
 const wsUrl = protocol + '//' + window.location.host;
 let ws;
 function connectWS() {
- const wsAuthUrl = wsUrl + '?key=' + encodeURIComponent(API_KEY || '');
- ws = new WebSocket(wsAuthUrl);
+ // Browser WebSocket connections automatically include the dashboard's
+ // session cookie, so avoid echoing the long-lived access key into the URL.
+ ws = new WebSocket(wsUrl);
 ws.onopen = () => console.log('WS Connected');
 ws.onclose = () => setTimeout(connectWS, 3000);
 ws.onmessage = (event) => {
diff --git a/tests/websocket.test.js b/tests/websocket.test.js
index aee1b0a..8433a80 100644
--- a/tests/websocket.test.js
+++ b/tests/websocket.test.js
@@ -66,8 +66,10 @@ describe('WebSocket Authentication', () => {
 ws.on('error', done);
 });
- test('correct x-claw-key in query string → connected (receives heartbeat)', done => {
- const ws = new WebSocket(`ws://127.0.0.1:${port}?key=testkey123`);
+ test('correct x-claw-key header → connected (receives heartbeat)', done => {
+ const ws = new WebSocket(`ws://127.0.0.1:${port}`, {
+ headers: { 'x-claw-key': 'testkey123' },
+ });
 ws.on('message', (data) => {
 const msg = JSON.parse(data.toString());
 expect(msg).toHaveProperty('type', 'heartbeat');
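Review bot: The new `ws = new WebSocket(wsUrl);` makes the upgrade authenticate purely by ambient session cookie, and nothing in this hunk shows the server validating the `Origin` header on the handshake; since WebSocket handshakes are not covered by CORS, a cookie-only check would let any page a logged-in user visits open a socket that carries that cookie, so confirm the server rejects upgrades whose `Origin` is not the dashboard's own origin and that the cookie is set `SameSite`. The added comment should also record what the browser path actually depends on, because a browser `WebSocket` cannot set the `x-claw-key` header the new test uses, so the cookie-accepting branch must exist server-side — e.g. `// Relies on the server accepting the session cookie (and checking Origin) on the upgrade; browsers cannot send x-claw-key here.` If `API_KEY` is still defined elsewhere in this file it is presumably now unused in connectWS yet still shipped to the browser, which undercuts the stated motive of not exposing the long-lived key. connectWS continues outside the hunk, and its unchanged 3-second `onclose` reconnect will retry indefinitely once the session cookie expires, since every rejected handshake looks like a dropped connection. Consider stopping or backing off the reconnect when the close is an authentication rejection rather than a transport error.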