When a user logs in and has a Bearer token, use their actual identity instead of falling back to internal@system. This ensures logged-in users see their real email in the admin UI.

Order of auth:
1. If Bearer token provided → use JWT/API token (real user identity)
2. If no token → check trusted origins (for API access like WordPress)
3. Otherwise → 401 unauthorized

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>