diff --git a/chat/server.js b/chat/server.js
index 3c2d764..06279fa 100644
--- a/chat/server.js
+++ b/chat/server.js
@@ -8476,7 +8476,15 @@ async function sendOllamaChat({ messages, model }) {
   const targetModel = model || OLLAMA_DEFAULT_MODEL || '';
   const endpoint = `${String(urlBase).replace(/\/$/, '')}/api/generate`;
   const headers = { 'Content-Type': 'application/json' };
-  if (OLLAMA_API_KEY) headers['Authorization'] = `Bearer ${OLLAMA_API_KEY}`;
+  
+  // Always include Authorization header if API key is configured
+  // Some Ollama servers require authentication even if the key is empty
+  if (OLLAMA_API_KEY) {
+    headers['Authorization'] = `Bearer ${OLLAMA_API_KEY}`;
+  } else {
+    console.log('[OLLAMA] Warning: No API key configured. Server may reject request.');
+  }
+  
   const payload = { model: targetModel, prompt };
 
   const res = await fetch(endpoint, { method: 'POST', headers, body: JSON.stringify(payload) });
@@ -11096,11 +11104,9 @@ async function handleFeatureRequestUpvote(req, res, id) {
 }
 
 async function handleContactMessagesList(req, res) {
-  const session = getUserSession(req);
-  const userId = session?.userId || '';
-  const isAdmin = session?.isAdmin || false;
+  const session = getAdminSession(req);
 
-  if (!isAdmin) {
+  if (!session) {
     return sendJson(res, 403, { error: 'Admin access required' });
   }
 
@@ -11165,10 +11171,9 @@ async function handleContactMessageCreate(req, res) {
 }
 
 async function handleContactMessageMarkRead(req, res, id) {
-  const session = getUserSession(req);
-  const isAdmin = session?.isAdmin || false;
+  const session = getAdminSession(req);
 
-  if (!isAdmin) {
+  if (!session) {
     return sendJson(res, 403, { error: 'Admin access required' });
   }
 
@@ -11182,10 +11187,9 @@ async function handleContactMessageMarkRead(req, res, id) {
 }
 
 async function handleContactMessageDelete(req, res, id) {
-  const session = getUserSession(req);
-  const isAdmin = session?.isAdmin || false;
+  const session = getAdminSession(req);
 
-  if (!isAdmin) {
+  if (!session) {
     return sendJson(res, 403, { error: 'Admin access required' });
   }