diff --git a/config.json b/config.json index 970af4c..8490de6 100644 --- a/config.json +++ b/config.json @@ -8,7 +8,7 @@ }, "jwt": { "secret": "@S2!q@@wXz$dCQ8JoVsHLpzaJ6JCfB", - "expiresIn": 3600 + "expiresIn": 36000 }, "auth": { "admin": { "password": "A-InnoHUB_2025!", "admin": true }, diff --git a/src/lib/helper/getCode.js b/src/lib/helper/getCode.js new file mode 100644 index 0000000..74d9262 --- /dev/null +++ b/src/lib/helper/getCode.js @@ -0,0 +1,10 @@ +export default async function get_code(case_no) { + let url = `/api/list/${case_no}/code`; + const response = await fetch(url); + + if (response.status == 200) { + return response.text(); + } else { + return -1; + } +} diff --git a/src/routes/(angemeldet)/upload/+page.svelte b/src/routes/(angemeldet)/upload/+page.svelte index 7e44f8d..b639246 100644 --- a/src/routes/(angemeldet)/upload/+page.svelte +++ b/src/routes/(angemeldet)/upload/+page.svelte @@ -158,19 +158,22 @@ } } - // return true or false + ///(angemeldet)/view return true or false async function case_exists(case_no) { - // ping `/(angemeldet)/view` with caseNumber in POST body + // ping `` with caseNumber in POST body let url = '/view'; let data = new FormData(); data.append('caseNumber', case_no); + console.log('--- case exist_func', case_no) + // fetch code in parallel const code = get_code(case_no); const response = await fetch(url, { method: 'POST', body: data }); const res_json = await response.json(); + console.log(`+++ ${res_json.data}`) const status = res_json.status; // aktualisiere Zugangscode mit @@ -195,6 +198,7 @@ } async function get_code(case_no) { + if (case_no == '') return; let url = `/api/list/${case_no}/code`; diff --git a/src/routes/(angemeldet)/view/+page.server.js b/src/routes/(angemeldet)/view/+page.server.js index 6d9df2d..d4e5129 100644 --- a/src/routes/(angemeldet)/view/+page.server.js +++ b/src/routes/(angemeldet)/view/+page.server.js 
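Review bot: Raising `jwt.expiresIn` from 3600 to 36000 stretches the time a leaked or stolen token stays valid from one hour to ten (assuming the value is in seconds), and nothing visible in this commit adds revocation or refresh to offset that. The context lines of the same hunk also show the JWT signing secret and the admin password stored in this tracked file. Both should be treated as exposed, rotated, and loaded from the environment or a secret store instead. If the longer session is needed for usability, a short-lived access token plus a refresh mechanism keeps the exposure window small.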
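Review bot: `case_no` goes into the request path of `get_code` unencoded, so a value containing `/`, `?` or `#` changes which endpoint is requested; wrap it as `encodeURIComponent(case_no)` when building `url`. The local `get_code` in `upload/+page.svelte` (second hunk there) has the same pattern; its new `case_no == ''` guard still lets `null` and `undefined` through, and it now duplicates this helper. This helper also delivers a case's access code to the browser, and the handler for the `/api/list/.../code` route is not part of this diff. Confirm it answers only authorised callers, since otherwise the code check added in `view/+page.server.js` protects nothing. Returning `null` instead of `-1` on failure, with a short JSDoc stating the return contract, would also make the result easier to consume.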
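Review bot: The two `console.log` calls added to `case_exists` look like debugging leftovers and print the case number and the `/view` response data to the browser console; they should be removed before merge. The comment edits in the same hunk appear to be an accidental paste: the route text ended up in the first comment (`///(angemeldet)/view return true or false`) and was emptied out of the `// ping` comment. Restoring `// returns true or false` and `// ping /(angemeldet)/view with caseNumber in POST body` keeps both readable. The function body continues outside the hunk.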
@@ -1,11 +1,13 @@ import caseNumberOccupied from '$lib/helper/caseNumberOccupied'; import { fail, redirect } from '@sveltejs/kit'; +import { client } from '$lib/minio'; /** @type {import('./$types').Actions} */ export const actions = { default: async ({ request }) => { const data = await request.formData(); const caseNumber = data.get('caseNumber'); + const user_token = data.get('token'); if (!caseNumber) { return fail(400, { @@ -22,6 +24,64 @@ export const actions = { error: { caseNumber: 'Die Vorgangsnummer existiert in dieser Anwendung nicht.' } }); } + + // + // Ab hier ist Vorgang vorhanden + // + + // Jetzt prüfen, ob Code vorhanden ist und + // dem eingegebenen Code entspricht + + const token = await codex(caseNumber); + console.log(`xxx ${token}, ${user_token}`); + + if (token && token != user_token) { + console.log(`ooo token check`); + return fail(400, { + success: false, + caseNumber, + error: { token: 'Der Token ist falsch.' } + }); + } + + // if (token != -1 && user_token != token) { + // console.log('ooo Fehler'); + // redirect(303, `/view`); + // } + // if (token != -1 && user_token != token) { + // console.log('ooo Fehler'); + // return fail(400, { + // success: false, + // caseNumber, + // error: { token: 'Der Zugangscode ist falsch.' } + // }); + // } + redirect(303, `/list/${caseNumber}`); } }; + +// returns `code` oder `null` + +async function codex(vorg) { + const code_name = '__perm__'; + const obj_path = `${vorg}/${code_name}`; + + let resp = null; + let code_saved = ''; + + try { + resp = await client.getObject('tatort', obj_path); + code_saved = await new Response(resp).text(); + } catch (error) { + if (error.name == 'S3Error') { + resp = null; + } + } + + if (resp != null) { + return code_saved; + } else { + return null; + } +} diff --git a/src/routes/(angemeldet)/view/+page.svelte b/src/routes/(angemeldet)/view/+page.svelte index 997ba49..50145bd 100644 --- a/src/routes/(angemeldet)/view/+page.svelte 
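Review bot: The code check added to the `default` action fails open: `codex` returns `null` for every `S3Error` and swallows any other exception, and the caller skips the comparison whenever the result is falsy, so a storage outage or permission error silently disables the check. The `console.log` of `token` and `user_token` also writes the stored and the submitted access code to the server log and should be removed. The comparison uses `!=`, which is not constant-time; the sketch below uses `timingSafeEqual` from `node:crypto` (import it at the top of the file) and treats only a missing object as "no code set", assuming the MinIO client reports that case as `error.code === 'NoSuchKey'`. The two commented-out variants should be deleted rather than merged.

```javascript
		const token = await codex(caseNumber);

		// A stored code exists: require a matching submission.
		if (token !== null && !codesMatch(token, user_token)) {
			// … unchanged: return fail(400, { … error: { token: … } }) …
		}

		// … unchanged: redirect to the case list …

// Constant-time comparison of the stored code with the submitted one.
function codesMatch(expected, supplied) {
	if (typeof supplied !== 'string') return false;
	const a = Buffer.from(expected);
	const b = Buffer.from(supplied);
	return a.length === b.length && timingSafeEqual(a, b);
}

// Returns the stored code, or null only when no code object exists for the case.
async function codex(vorg) {
	const obj_path = `${vorg}/__perm__`;
	try {
		const resp = await client.getObject('tatort', obj_path);
		return await new Response(resp).text();
	} catch (error) {
		// Any failure other than "object not found" must not skip the check.
		if (error.code === 'NoSuchKey') return null;
		throw error;
	}
}
```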
+++ b/src/routes/(angemeldet)/view/+page.svelte @@ -8,6 +8,7 @@ import Exclamation from '$lib/icons/Exclamation.svelte'; export let form; + let token = 'TOKEN-$$$';
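Review bot: `token` is initialised to the placeholder literal `'TOKEN-$$$'` in the component script. If it is bound to the input added in the following hunk (that markup is not readable in this view), the placeholder is pre-filled and submitted as the access code whenever the user leaves the field untouched. Initialise it empty with `let token = '';` and put any hint text in the input's `placeholder` attribute instead.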
@@ -50,6 +51,34 @@

{form.error.caseNumber}

{/if}
+ +
+ +
+
+ +
+
+ {#if form?.error?.token} +

{form.error.token}

+ {/if} +
+ +