diff --git a/CHANGELOG.md b/CHANGELOG.md
index 73beaeb..7373ecc 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -5,6 +5,7 @@
 * Support direct-access mode on AQT devices (#164)
 * Support up to 2000 shots per circuit on cloud resources (#165)
 * Fix result timeout propagation in direct-access mode (#171)
+* Don't propagate empty access tokens in direct-access mode (#172)
 
 ## qiskit-aqt-provider v1.5.0
 
diff --git a/qiskit_aqt_provider/api_models.py b/qiskit_aqt_provider/api_models.py
index 712dece..6436f25 100644
--- a/qiskit_aqt_provider/api_models.py
+++ b/qiskit_aqt_provider/api_models.py
@@ -57,7 +57,10 @@ def http_client(*, base_url: str, token: str) -> httpx.Client:
         base_url: base URL of the server
         token: access token for the remote service.
     """
-    headers = {"Authorization": f"Bearer {token}", "User-Agent": USER_AGENT}
+    headers = {"User-Agent": USER_AGENT}
+    if token:
+        headers["Authorization"] = f"Bearer {token}"
+
     return httpx.Client(headers=headers, base_url=base_url, timeout=10.0, follow_redirects=True)
 
 
diff --git a/test/test_resource.py b/test/test_resource.py
index ee7be47..1dffb83 100644
--- a/test/test_resource.py
+++ b/test/test_resource.py
@@ -528,9 +528,9 @@ def handle_result(request: httpx.Request) -> httpx.Response:
         assert job.status() is JobStatus.ERROR
 
 
-def test_direct_access_mocked_successful_transaction(httpx_mock: HTTPXMock) -> None:
+@pytest.mark.parametrize("token", [str(uuid.uuid4()), ""])
+def test_direct_access_mocked_successful_transaction(token: str, httpx_mock: HTTPXMock) -> None:
     """Mock a successful single-circuit transaction on a direct-access resource."""
-    token = str(uuid.uuid4())
     backend = DummyDirectAccessResource(token)
     backend.options.with_progress_bar = False
 
@@ -539,8 +539,15 @@ def test_direct_access_mocked_successful_transaction(httpx_mock: HTTPXMock) -> N
 
     expected_job_id = str(uuid.uuid4())
 
+    def assert_valid_token(headers: httpx.Headers) -> None:
+        if token:
+            assert headers["authorization"] == f"Bearer {token}"
+        else:
+            assert "authorization" not in headers
+
     def handle_submit(request: httpx.Request) -> httpx.Response:
         assert request.headers["user-agent"] == USER_AGENT
+        assert_valid_token(request.headers)
 
         data = api_models.QuantumCircuit.model_validate_json(request.content.decode("utf-8"))
         assert data.repetitions == shots
@@ -552,6 +559,7 @@ def handle_submit(request: httpx.Request) -> httpx.Response:
 
     def handle_result(request: httpx.Request) -> httpx.Response:
         assert request.headers["user-agent"] == USER_AGENT
+        assert_valid_token(request.headers)
 
         _, job_id = request.url.path.rsplit("/", maxsplit=1)
         assert job_id == expected_job_id