diff --git a/frontend/src/app/pages/check-in-placeholder-page.component.ts b/frontend/src/app/pages/check-in-placeholder-page.component.ts
index a86c582..af5e587 100644
--- a/frontend/src/app/pages/check-in-placeholder-page.component.ts
+++ b/frontend/src/app/pages/check-in-placeholder-page.component.ts
@@ -170,7 +170,7 @@ type BarcodeDetectorConstructor = new (options?: { formats?: string[] }) => Barc
This reservation is already checked in.
}
@if (state() === 'unauthorized') {
- You are not authorized. Log into /admin with a staff account, then retry this check-in.
+ You are not authorized. Log into /admin with a staff account, let the page reload with that session, then retry this check-in.
}
@if (state() === 'error') {
Something went wrong. Please try again.
diff --git a/frontend/src/app/services/shows-api.service.ts b/frontend/src/app/services/shows-api.service.ts
index 328683e..8f5c381 100644
--- a/frontend/src/app/services/shows-api.service.ts
+++ b/frontend/src/app/services/shows-api.service.ts
@@ -1,5 +1,5 @@
import { inject, Injectable } from '@angular/core';
-import { HttpClient } from '@angular/common/http';
+import { HttpClient, HttpHeaders } from '@angular/common/http';
import { Observable } from 'rxjs';
import { API_BASE_URL } from './api-config.token';
@@ -118,7 +118,7 @@ export class ShowsApiService {
return this.http.post(
`${this.apiBaseUrl}/check-ins/preview/`,
{ token },
- { withCredentials: true },
+ this.buildStaffRequestOptions(),
);
}
@@ -126,7 +126,32 @@ export class ShowsApiService {
return this.http.post(
`${this.apiBaseUrl}/check-ins/confirm/`,
{ token },
- { withCredentials: true },
+ this.buildStaffRequestOptions(),
);
}
+
+ private buildStaffRequestOptions(): { headers?: HttpHeaders; withCredentials: true } {
+ const csrfToken = this.readCookie('csrftoken');
+
+ return {
+ withCredentials: true,
+ headers: csrfToken ? new HttpHeaders({ 'X-CSRFToken': csrfToken }) : undefined,
+ };
+ }
+
+ private readCookie(name: string): string {
+ if (typeof document === 'undefined' || !document.cookie) {
+ return '';
+ }
+
+ const cookiePrefix = `${name}=`;
+ for (const cookie of document.cookie.split(';')) {
+ const trimmedCookie = cookie.trim();
+ if (trimmedCookie.startsWith(cookiePrefix)) {
+ return decodeURIComponent(trimmedCookie.slice(cookiePrefix.length));
+ }
+ }
+
+ return '';
+ }
}
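Review bot: `readCookie` assumes the API's CSRF cookie is visible in `document.cookie`, which only holds when the API is served from the page's own host and the cookie is not HttpOnly; when that is not the case the `X-CSRFToken` header is silently omitted by `buildStaffRequestOptions` and the request ends up on the 403/'unauthorized' path with no hint why. The names `'csrftoken'` and `'X-CSRFToken'` look like framework defaults (Django's, presumably) and would also fail silently if the backend configures different ones, so hoist them into named constants with a comment such as `// Must match the backend's CSRF cookie and header names; the cookie has to be script-readable for this double-submit header to be sent.`. `decodeURIComponent` throws `URIError` on a malformed percent-escape, so a corrupted cookie value would abort the check-in call before it is sent; guard it with `try { return decodeURIComponent(trimmedCookie.slice(cookiePrefix.length)); } catch { return ''; }`. The two callers switched to `buildStaffRequestOptions()` in the earlier hunks start outside their hunks, so their signatures are not visible here.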