diff --git a/packages/feature-flag-client/src/client.ts b/packages/feature-flag-client/src/client.ts
index ba95e790..98c2fe1f 100644
--- a/packages/feature-flag-client/src/client.ts
+++ b/packages/feature-flag-client/src/client.ts
@@ -194,7 +194,12 @@ export function createFeatureFlagClient(config: FeatureFlagClientConfig): Featur
       return;
     }
 
-    const url = `${baseUrl}/flags/stream`;
+    const parts = [`productId=${encodeURIComponent(productId)}`];
+    if (getAccessToken) {
+      const token = getAccessToken();
+      if (token) parts.push(`token=${encodeURIComponent(token)}`);
+    }
+    const url = `${baseUrl}/flags/stream?${parts.join('&')}`;
     eventSource = new globalThis.EventSource(url);
 
     eventSource.onmessage = event => {
diff --git a/services/platform-service/src/modules/flags/routes.ts b/services/platform-service/src/modules/flags/routes.ts
index 7b4b7f7a..c04fc933 100644
--- a/services/platform-service/src/modules/flags/routes.ts
+++ b/services/platform-service/src/modules/flags/routes.ts
@@ -524,6 +524,14 @@ export async function flagRoutes(app: FastifyInstance) {
   // ── SSE stream ────────────────────────────────────────────────────────
 
   app.get('/flags/stream', async (req, reply) => {
+    // EventSource cannot set custom headers, so accept productId + token from query string
+    const qs = req.query as { productId?: string; token?: string };
+    if (qs.productId && !req.headers['x-product-id']) {
+      (req.headers as Record<string, string>)['x-product-id'] = qs.productId;
+    }
+    if (qs.token && !req.headers['authorization']) {
+      (req.headers as Record<string, string>)['authorization'] = `Bearer ${qs.token}`;
+    }
     const productId = getRequestProductId(req);
 
     reply.raw.writeHead(200, {