diff --git a/advanced/lighttpd.conf.debian b/advanced/lighttpd.conf.debian
index a58b5a88..cf728e19 100644
--- a/advanced/lighttpd.conf.debian
+++ b/advanced/lighttpd.conf.debian
@@ -85,8 +85,8 @@ $HTTP["url"] =~ "^/admin/\.(.*)" {
     url.access-deny = ("")
 }
 
-# allow teleporter iframe on settings page
-$HTTP["url"] =~ "/teleporter\.php$" {
+# allow teleporter and API qr code iframe on settings page
+$HTTP["url"] =~ "/(teleporter|api_token)\.php$" {
     $HTTP["referer"] =~ "/admin/settings\.php" {
         setenv.add-response-header = ( "X-Frame-Options" => "SAMEORIGIN" )
     }
diff --git a/advanced/lighttpd.conf.fedora b/advanced/lighttpd.conf.fedora
index ad336a93..626a3d8d 100644
--- a/advanced/lighttpd.conf.fedora
+++ b/advanced/lighttpd.conf.fedora
@@ -93,8 +93,8 @@ $HTTP["url"] =~ "^/admin/\.(.*)" {
     url.access-deny = ("")
 }
 
-# allow teleporter iframe on settings page
-$HTTP["url"] =~ "/teleporter\.php$" {
+# allow teleporter and API qr code iframe on settings page
+$HTTP["url"] =~ "/(teleporter|api_token)\.php$" {
     $HTTP["referer"] =~ "/admin/settings\.php" {
         setenv.add-response-header = ( "X-Frame-Options" => "SAMEORIGIN" )
     }