diff --git a/src/creds/tokencredentials.cpp b/src/creds/tokencredentials.cpp
index 7e9a56238..613dbd808 100644
--- a/src/creds/tokencredentials.cpp
+++ b/src/creds/tokencredentials.cpp
@@ -88,7 +88,10 @@ protected:
         QByteArray credHash = QByteArray(_cred->user().toUtf8()+":"+_cred->password().toUtf8()).toBase64();
         req.setRawHeader(QByteArray("Authorization"), QByteArray("Basic ") + credHash);
 
-        req.setRawHeader("Cookie", _cred->_token.toUtf8()); // analogous to neon in syncContextPreStart
+        if (!req.hasRawHeader("Cookie")) {
+            // Only use our token if the request doesn't have a cookie already (e.g. because of direct download URL)
+            req.setRawHeader("Cookie", _cred->_token.toUtf8()); // analogous to neon in syncContextPreStart
+        }
 
         return MirallAccessManager::createRequest(op, req, outgoingData);
     }