diff --git a/app.py b/app.py index 11a549e..931d6d1 100755 --- a/app.py +++ b/app.py @@ -782,9 +782,15 @@ def serve_file(subpath): root, *relative_parts = subpath.split('/') dltoken = request.args.get('dltoken') + token_payload = None if dltoken: as_attachment = True - full_path = auth.decode_token(dltoken)['filename'] + try: + token_payload = auth.decode_token(dltoken) + full_path = token_payload['filename'] + except Exception as e: + app.logger.warning(f"Invalid dltoken: {e}") + return jsonify({'Unauthorized': 'Invalid token'}), 403 else: as_attachment = False base_path = session['folders'].get(root) @@ -811,6 +817,8 @@ def serve_file(subpath): user_agent = request.headers.get('User-Agent') range_header = request.headers.get('Range', '') req_id = request.args.get('req') or request.headers.get('X-Request-Id') + token_device_id = token_payload.get('device_id') if token_payload else None + device_id = token_device_id or session.get('device_id') def is_range_prefetch(header, ua): """ @@ -932,7 +940,7 @@ def serve_file(subpath): mime, ip_address, user_agent, - session['device_id'], + device_id, cached_hit, request.method ) @@ -995,7 +1003,7 @@ def serve_file(subpath): mime, ip_address, user_agent, - session['device_id'], + device_id, cached_hit, request.method ) @@ -1145,6 +1153,11 @@ def create_dltoken(subpath): root, *relative_parts = subpath.split('/') base_path = session['folders'].get(root) full_path = os.path.join(base_path or '', *relative_parts) + + device_id = session.get('device_id') + if not device_id: + device_id = os.urandom(32).hex() + session['device_id'] = device_id try: full_path = check_path(full_path) @@ -1158,7 +1171,8 @@ def create_dltoken(subpath): validity_date = datetime.now().strftime('%d.%m.%Y') data = { "validity": validity_date, - "filename": str(full_path) + "filename": str(full_path), + "device_id": device_id } token = auth.generate_token(data) diff --git a/auth.py b/auth.py index 747e4a4..06a0230 100644 --- a/auth.py +++ b/auth.py 
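Review bot: The new `try` block in `serve_file` only establishes that the token decodes and carries a `filename` key; nothing visible in this hunk checks the payload's `validity` date or runs the token-supplied path through `check_path`. If `auth.decode_token` does not enforce expiry itself (it is not shown here), a download link stays usable indefinitely, so that check should be confirmed or added next to the `filename` read. The warning also interpolates the exception text, which may echo parts of the caller-supplied token; `app.logger.warning("Invalid dltoken: %r", e)` keeps control characters from breaking up log lines. The function body starts and continues outside the hunk.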
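Review bot: In the second hunk, `device_id = token_device_id or session.get('device_id')` lets the token's value override the session's, so the access-log calls changed at -932 and -995 record the device that issued the link rather than the client that actually fetched the file. A `dltoken` is a bearer value in the query string, so anyone holding the link is logged under the issuer's device. If that attribution is intended, say so in a comment such as `# dltoken downloads are attributed to the issuing device, not the requester`; otherwise log both values separately. Note also that a request without a token and without a session `device_id` now logs `None` where it previously raised `KeyError`.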
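Review bot: The added block in `create_dltoken` (hunk at -1145) writes a fresh `device_id` into the session before `check_path` has run, so a request for a path that is then rejected still mutates the session. Moving the four lines below the `try` that validates `full_path` keeps the side effect to requests that actually get a token. The `except` branch of that `try` lies outside the hunk, so this assumes it returns early.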
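Review bot: Adding `"device_id": device_id` to `data` (hunk at -1158) puts the session's device identifier into a token that travels in the URL query string, where it ends up in browser history, proxy logs and Referer headers. Whether `auth.generate_token` encrypts the payload or only encodes and signs it is not visible here; if it is only signed, every holder of the link can read the identifier. Confirm the token is opaque, or embed a keyed hash of the device id instead of the raw value.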
@@ -354,6 +354,8 @@ KEY_MAP = { "folders": "f", "foldername": "n", "folderpath": "p", + "filename": "fn", + "device_id": "d", } # Build the inverse map automatically INV_KEY_MAP = {short: long for long, short in KEY_MAP.items()}
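Review bot: The new short keys `"fn"` and `"d"` are added without any check that they are unique, and `INV_KEY_MAP` is built by plain inversion, so a short key that collides with an earlier entry would silently drop one mapping and decode tokens into the wrong field. The start of `KEY_MAP` is outside the hunk, so a collision cannot be ruled out from here; a guard such as `assert len(INV_KEY_MAP) == len(KEY_MAP)` directly after the inversion would catch it at import time. Tokens issued before this change carry the long `filename` key, so it is worth confirming that decoding still accepts unmapped keys while those links remain valid.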