diff --git a/uploader.py b/uploader.py
index d067024..9d4b25c 100644
--- a/uploader.py
+++ b/uploader.py
@@ -47,6 +47,11 @@ class CalibreClient:
         if resp.url.rstrip("/").endswith("/login"):
             raise RuntimeError("Calibre-Web authentication failed — check credentials")
         self._authenticated = True
+        # The CSRF token is session-scoped in Flask-WTF — reuse the login token for uploads.
+        # Also try to extract a fresh one from the landing page (/).
+        self._upload_csrf = _extract_csrf(resp.text) or csrf
+        log.debug("Upload CSRF token from login: %s",
+                  self._upload_csrf[:12] + "…" if self._upload_csrf else "NOT FOUND")
         log.info("Authenticated to Calibre-Web at %s", self._cfg.url)
 
     def upload(self, book_path: Path, zip_source: str) -> str:
@@ -60,10 +65,6 @@ class CalibreClient:
 
         try:
             self._ensure_auth()
-            if not self._upload_csrf:
-                page = self._session.get(f"{self._cfg.url}/upload", timeout=30)
-                self._upload_csrf = _extract_csrf(page.text)
-                log.debug("Upload CSRF token: %s", self._upload_csrf[:12] + "…" if self._upload_csrf else "NOT FOUND")
 
             mime = MIME_TYPES.get(book_path.suffix.lower(), "application/octet-stream")
             with book_path.open("rb") as fh: