diff --git a/frontend/pages/email/index.vue b/frontend/pages/email/index.vue
index 3681666..6b4bead 100644
--- a/frontend/pages/email/index.vue
+++ b/frontend/pages/email/index.vue
@@ -460,7 +460,7 @@ async function downloadAttachment(attachment: NonNullable("token", { path: "/" }).value if (token) { downloadUrl.searchParams.set("downloadToken", token)
diff --git a/frontend/plugins/api.ts b/frontend/plugins/api.ts
index be0137d..f42f0f7 100644
--- a/frontend/plugins/api.ts
+++ b/frontend/plugins/api.ts
@@ -8,7 +8,7 @@ export default defineNuxtPlugin(() => {
 credentials: "include",
 async onRequest({ options }) {
- const token = useCookie("token").value
+ const token = useCookie("token", { path: "/" }).value
 // Falls im Request explizit ein anderer JWT übergeben wird
 if (options.context?.jwt) {
diff --git a/frontend/stores/auth.ts b/frontend/stores/auth.ts
index fa7efc3..abf3708 100644
--- a/frontend/stores/auth.ts
+++ b/frontend/stores/auth.ts
@@ -30,6 +30,28 @@ export const useAuthStore = defineStore("auth", {
 }),
 actions: {
+ tokenCookie() {
+ return useCookie("token", { path: "/" })
+ },
+
+ clearScopedTokenCookies() {
+ if (!process.client) return
+
+ const pathname = window.location.pathname || "/"
+ const pathParts = pathname.split("/").filter(Boolean)
+ const paths = new Set(["/"])
+
+ pathParts.reduce((path, part) => {
+ const nextPath = `${path === "/" ? "" : path}/${part}`
+ paths.add(nextPath)
+ return nextPath
+ }, "/")
+
+ paths.forEach((path) => {
+ document.cookie = `token=; Max-Age=0; path=${path}`
+ })
+ },
+
 decodeTokenExpiryMs(token: string) {
 try {
 const parts = token.split(".")
@@ -91,7 +113,7 @@ export const useAuthStore = defineStore("auth", {
 scheduleSessionTimers(token?: string | null) {
 if (!process.client) return
- const tokenToUse = token || useCookie("token").value
+ const tokenToUse = token || this.tokenCookie().value
 this.clearSessionTimers()
 this.sessionWarningVisible = false
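Review bot: In `downloadAttachment` (frontend/pages/email/index.vue) the value of the `token` cookie is appended to the download URL as `downloadToken`, so what appears to be the session JWT ends up in browser history, server and proxy access logs and any copied link. The changed line is only partly legible in this hunk and the function continues outside it, so this is inferred from the visible `downloadUrl.searchParams.set("downloadToken", token)` call. If the backend allows it, fetch the attachment through the API client that already sends the token in a header, or have the server issue a short-lived token bound to the single attachment instead of reusing the session token.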
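Review bot: The `{ path: "/" }` option is spelled out separately in the `onRequest` hook of frontend/plugins/api.ts and in email/index.vue, while the auth store gains its own `tokenCookie()` action for the same purpose; the next call site that omits the option may again read or write a differently scoped cookie. One shared helper, e.g. `export const useTokenCookie = () => useCookie<string | null>("token", { path: "/" })`, used by all three would keep the cookie name and attributes in one place. That is also where `secure: true` and `sameSite: "lax"` could be set once, assuming the app is served only over HTTPS. The `onRequest` body continues outside the hunk.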
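Review bot: `clearScopedTokenCookies()` in frontend/stores/auth.ts expires `token` only on `/` and on the ancestors of the current `window.location.pathname`, so a copy scoped to any other route, to a trailing-slash path or to an explicit `Domain` is left in place when `setToken(null)` runs at logout. Client code cannot enumerate such cookies, so the limit should at least be written down above the action, e.g. `// Best effort: only expires token cookies on "/" and on ancestors of the current route; other paths and Domain-scoped copies remain.` Whether the backend also invalidates the token on logout is not visible here; if it does not, a leftover cookie stays a usable credential until it expires.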
@@ -127,7 +149,8 @@ export const useAuthStore = defineStore("auth", {
 },
 setToken(token: string | null) {
- useCookie("token").value = token
+ this.clearScopedTokenCookies()
+ this.tokenCookie().value = token
 if (!token) {
 this.clearSessionTimers()
@@ -150,7 +173,7 @@ export const useAuthStore = defineStore("auth", {
 console.log("Auth initStore")
 // 1. Check: Haben wir überhaupt ein Token?
- const token = useCookie("token").value
+ const token = this.tokenCookie().value
 if (!token) {
 // Kein Token -> Wir sind fertig, User ist Gast.
@@ -275,7 +298,7 @@ export const useAuthStore = defineStore("auth", {
 const tempStore = useTempStore()
 // Token aus Argument oder Cookie holen
- const tokenToUse = jwt || useCookie("token").value
+ const tokenToUse = jwt || this.tokenCookie().value
 if (!tokenToUse) {
 const wasSessionExpired = this.sessionExpired