diff --git a/core/Auth/JwtService.php b/core/Auth/JwtService.php
index 11e980b..36a0f40 100644
--- a/core/Auth/JwtService.php
+++ b/core/Auth/JwtService.php
@@ -259,9 +259,13 @@ class JwtService
 $nonce = $_SERVER['HTTP_X_NONCE'] ?? '';
 $body = file_get_contents('php://input') ?: '';
+// نشتق مفتاح الـ HMAC الخاص بهذا المستخدم (نفس المعادلة في login.php)
+$derivedSecret = hash_hmac('sha256', (string)$userId, $this->hmacSecret);
+// التوقيع يضم الـ Body + Timestamp + Nonce لمنع التكرار والتلاعب
 $payloadToSign = $body . $timestamp . $nonce;
-$expectedHmac = hash_hmac('sha256', $payloadToSign, $this->hmacSecret);
+$expectedHmac = hash_hmac('sha256', $payloadToSign, $derivedSecret);
+
 if (!hash_equals($expectedHmac, $hmacHeader)) {
 error_log("[SECURITY] HMAC mismatch | user: $userId | IP: " . ($_SERVER['REMOTE_ADDR'] ?? '?'));