diff --git a/src/bridge.ts b/src/bridge.ts
index d84f8e79..410bacf4 100644
--- a/src/bridge.ts
+++ b/src/bridge.ts
@@ -1652,13 +1652,23 @@ export class Bridge {
 // Bridge isn't ready yet
 return false;
 }
- if (
- req.query.access_token !== this.registration.getHomeserverToken() &&
- req.get("authorization") !== `Bearer ${this.registration.getHomeserverToken()}`
- ) {
- return false;
- }
- return true;
+
+ const tokenFromQuery = req.query.access_token;
+
+ const tokenFromHeader = req.get("authorization").substring(7); // "Bearer ".length === 7
+
+ const tokenFromRegistration = this.registration.getHomeserverToken();
+
+ // https://github.com/matrix-org/matrix-spec/blob/7935a0728a12e768283dba0145fb95154d2f7f6b/content/application-service-api.md?plain=1#L149
+ // "Application services should ensure both match if both are provided."
+ if (tokenFromQuery && tokenFromHeader) {
+ return tokenFromQuery === tokenFromRegistration && tokenFromHeader === tokenFromRegistration;
+ }
+
+ // prefer header then query
+ // https://github.com/matrix-org/matrix-spec/blob/7935a0728a12e768283dba0145fb95154d2f7f6b/content/application-service-api.md?plain=1#L146-L147
+ // Spec does not enforce both to be sent. "encouraged" being the key word.
+ return tokenFromHeader === tokenFromRegistration || tokenFromQuery === tokenFromRegistration;
 }
 
 /**
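Review bot: `req.get("authorization").substring(7)` on the new `tokenFromHeader` line throws a TypeError when the request carries no Authorization header, which is exactly the query-only case the trailing comment says the spec allows; the old `!==` comparison tolerated an undefined header, so this turns a clean `false` into an unhandled exception in the request path. The slice also never checks that the header actually starts with `Bearer `, so any seven-character prefix followed by the registration token is accepted. Both are fixed by extracting the token only when the scheme matches: `const authHeader = req.get("authorization");` and `const tokenFromHeader = authHeader?.startsWith("Bearer ") ? authHeader.substring("Bearer ".length) : undefined;`. The enclosing method starts before this hunk, so its signature and the early "not ready" guard are not visible here.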