diff --git a/apis/file.go b/apis/file.go
index 6b321fffd..c868fb73a 100644
--- a/apis/file.go
+++ b/apis/file.go
@@ -28,7 +28,7 @@ func bindFileApi(app core.App, rg *echo.Group) {
 api := fileApi{app: app}
 subGroup := rg.Group("/files", ActivityLogger(app))
- subGroup.POST("/token", api.fileToken, RequireAdminOrRecordAuth())
+ subGroup.POST("/token", api.fileToken)
 subGroup.HEAD("/:collection/:recordId/:filename", api.download, LoadCollectionContext(api.app))
 subGroup.GET("/:collection/:recordId/:filename", api.download, LoadCollectionContext(api.app))
 }
@@ -50,7 +50,7 @@ func (api *fileApi) fileToken(c echo.Context) error {
 }
 handlerErr := api.app.OnFileBeforeTokenRequest().Trigger(event, func(e *core.FileTokenEvent) error {
- if e.Token == "" {
+ if e.Model == nil || e.Token == "" {
 return NewBadRequestError("Failed to generate file token.", nil)
 }
diff --git a/apis/file_test.go b/apis/file_test.go
index 727da25c2..0fbe35613 100644
--- a/apis/file_test.go
+++ b/apis/file_test.go
@@ -9,6 +9,7 @@ import (
 "testing"
 "github.com/labstack/echo/v5"
+ "github.com/pocketbase/pocketbase/core"
 "github.com/pocketbase/pocketbase/daos"
 "github.com/pocketbase/pocketbase/tests"
 "github.com/pocketbase/pocketbase/tools/types"
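Review bot: Dropping `RequireAdminOrRecordAuth()` from the `/token` route means anonymous requests now reach `api.fileToken` with no middleware check, so the only thing between an unauthenticated caller and a token is the `e.Model == nil || e.Token == ""` guard inside the handler's trigger callback, and nothing on the route line records that. I'd add a comment above the new POST line: `// no auth middleware here on purpose: fileToken rejects events that carry no model or no token, so hooks can supply both for otherwise anonymous callers`. Since the handler is now the authorization boundary for this endpoint, the route and that guard need to stay in step, and a future change to either should be reviewed with the other in view.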
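Review bot: Returning `NewBadRequestError` when `e.Model == nil` turns the former 401 for unauthenticated callers into a 400 (the updated "unauthorized" test in file_test.go pins exactly that), yet a missing identity is an authentication failure, and clients that use 401 as the signal to re-authenticate will no longer see it. I'd split the condition so the identity case keeps its status, e.g. `if e.Model == nil { return NewUnauthorizedError("The request requires admin or record authorization token to be set.", nil) }` (message constructed here) and leave the 400 for a model that is present but produced an empty `e.Token`. fileToken's body starts and ends outside this hunk, so the code that populates `event.Model` before the trigger is not visible here and the split assumes it is the only other source of a model.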
@@ -20,8 +21,32 @@ func TestFileToken(t *testing.T) {
 Name: "unauthorized",
 Method: http.MethodPost,
 Url: "/api/files/token",
- ExpectedStatus: 401,
+ ExpectedStatus: 400,
 ExpectedContent: []string{`"data":{}`},
+ ExpectedEvents: map[string]int{
+ "OnFileBeforeTokenRequest": 1,
+ },
+ },
+ {
+ Name: "unauthorized with model and token via hook",
+ Method: http.MethodPost,
+ Url: "/api/files/token",
+ BeforeTestFunc: func(t *testing.T, app *tests.TestApp, e *echo.Echo) {
+ app.OnFileBeforeTokenRequest().Add(func(e *core.FileTokenEvent) error {
+ record, _ := app.Dao().FindAuthRecordByEmail("users", "test@example.com")
+ e.Model = record
+ e.Token = "test"
+ return nil
+ })
+ },
+ ExpectedStatus: 200,
+ ExpectedContent: []string{
+ `"token":"test"`,
+ },
+ ExpectedEvents: map[string]int{
+ "OnFileBeforeTokenRequest": 1,
+ "OnFileAfterTokenRequest": 1,
+ },
 },
 {
 Name: "auth record",
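Review bot: `record, _ := app.Dao().FindAuthRecordByEmail("users", "test@example.com")` in the new BeforeTestFunc discards the lookup error, so if the fixture user is absent `record` is a nil pointer and the test fails on the response body instead of at the cause. If `FileTokenEvent.Model` is an interface type (it is compared with `nil` in file.go), assigning a nil `*models.Record` to it yields a non-nil interface, so the handler's `e.Model == nil` guard would not fire and the test would silently exercise a different path than it claims to. I'd check the error before the assignments: `record, err := app.Dao().FindAuthRecordByEmail("users", "test@example.com")` followed by `if err != nil { t.Fatal(err) }`.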