diff --git a/framework/sdk-parent/sdk/src/main/java/io/metersphere/security/ApiKeyFilter.java b/framework/sdk-parent/sdk/src/main/java/io/metersphere/security/ApiKeyFilter.java
index 491d521483..e05085fd36 100644
--- a/framework/sdk-parent/sdk/src/main/java/io/metersphere/security/ApiKeyFilter.java
+++ b/framework/sdk-parent/sdk/src/main/java/io/metersphere/security/ApiKeyFilter.java
@@ -20,9 +20,12 @@ public class ApiKeyFilter extends AnonymousFilter {
 // 不是apikey的通过
 if (!ApiKeyHandler.isApiKeyCall(httpRequest) && !SecurityUtils.getSubject().isAuthenticated()) {
 // sso 带了token的
- String userId = SSOSessionHandler.validate(httpRequest);
- if (StringUtils.isNotBlank(userId)) {
- SecurityUtils.getSubject().login(new UsernamePasswordToken(userId, SSOSessionHandler.random));
+ String token = httpRequest.getHeader(SessionConstants.SSO_TOKEN);
+ if (StringUtils.isNotBlank(token)) {
+ String userId = SSOSessionHandler.validate(httpRequest);
+ if (StringUtils.isNotBlank(userId)) {
+ SecurityUtils.getSubject().login(new UsernamePasswordToken(userId, SSOSessionHandler.random));
+ }
 }
 return true;
 }
diff --git a/framework/sdk-parent/sdk/src/main/java/io/metersphere/security/SSOSessionHandler.java b/framework/sdk-parent/sdk/src/main/java/io/metersphere/security/SSOSessionHandler.java
index 5bf639b4d8..a8341532e2 100644
--- a/framework/sdk-parent/sdk/src/main/java/io/metersphere/security/SSOSessionHandler.java
+++ b/framework/sdk-parent/sdk/src/main/java/io/metersphere/security/SSOSessionHandler.java
@@ -7,6 +7,8 @@ import io.metersphere.commons.utils.LogUtil;
 import org.apache.commons.lang3.StringUtils;
 import jakarta.servlet.http.HttpServletRequest;
+
+import java.util.Arrays;
 import java.util.UUID;
 public class SSOSessionHandler {
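Review bot: The header is read into `token` only to gate the call, and `SSOSessionHandler.validate(httpRequest)` then re-reads the request on its own, so the gate and the validator can silently disagree on where the token comes from; either pass the value you already have, e.g. `String userId = SSOSessionHandler.validate(token);` with a matching overload, or add `// validate() re-reads SessionConstants.SSO_TOKEN; keep both in sync` above the call. The other hunk in this commit shows `validate` throwing `RuntimeException("invalid token")` when the decrypted token does not have four segments, so with this guard a request carrying a malformed header value appears to propagate that exception out of the filter rather than continuing as anonymous the way a request with no header does — if nothing inside `validate` catches it, decide explicitly whether a bad token fails closed (reject) or falls through, and say so in a comment, since an unhandled exception here is a cheap way for a client to turn a bad header into a server error. The enclosing method starts and ends outside the hunk.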
@@ -30,6 +32,7 @@ public class SSOSessionHandler {
 csrfToken = CodingUtil.aesDecrypt(csrfToken, SessionUser.secret, SessionUser.iv);
 String[] signatureArray = StringUtils.split(StringUtils.trimToNull(csrfToken), "|");
 if (signatureArray.length != 4) {
+ LogUtil.error("invalid token: {}", signatureArray);
 throw new RuntimeException("invalid token");
 }
 return signatureArray[0];
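Review bot: The new `LogUtil.error` line writes the decrypted token payload to the error log — `signatureArray` is the plaintext of the SSO token, whose first segment is the user id this method returns, so credential-bearing material ends up in logs where it is retained and readable far more widely than the token itself. Log only what is needed to diagnose the shape failure, e.g. `LogUtil.error("invalid token: expected 4 segments, got {}", signatureArray.length);`. Separately, passing a `String[]` as the sole `{}` argument to a varargs-style logger typically spreads the array into the argument list so only the first segment would print anyway; the `java.util.Arrays` import added earlier in this commit suggests `Arrays.toString` was intended, but it is not used in this hunk. The enclosing method starts and ends outside the hunk.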