diff --git a/backend/elena_app.py b/backend/elena_app.py
index 11c98ec..ee9295a 100644
--- a/backend/elena_app.py
+++ b/backend/elena_app.py
@@ -994,6 +994,8 @@ def build_spec_client():
 @app.route("/api/project/crm", methods=["POST"])
 def update_crm():
+    if not is_operator():
+        return jsonify({"error": "unauthorized"}), 401
     data = request.get_json(force=True) or {}
     proj = get_project(data.get("token"))
     if not proj:
@@ -1409,6 +1411,8 @@ def payment_webhook():
 @app.route("/api/project/delete", methods=["POST"])
 def delete_project():
+    if not is_operator():
+        return jsonify({"error": "unauthorized"}), 401
     data = request.get_json(force=True) or {}
     proj = get_project(data.get("token"))
     if not proj:
@@ -1429,6 +1433,8 @@ def delete_project():
 @app.route("/api/project/tasks", methods=["POST"])
 def update_tasks():
+    if not is_operator():
+        return jsonify({"error": "unauthorized"}), 401
     data = request.get_json(force=True) or {}
     proj = get_project(data.get("token"))
     if not proj:
@@ -1439,6 +1445,8 @@ def update_tasks():
 @app.route("/api/project/approve", methods=["POST"])
 def approve_stage():
+    if not is_operator():
+        return jsonify({"error": "unauthorized"}), 401
     data = request.get_json(force=True) or {}
     proj = get_project(data.get("token"))
     if not proj:
diff --git a/docs/crm.html b/docs/crm.html
index d9f0f6e..7520165 100644
--- a/docs/crm.html
+++ b/docs/crm.html
@@ -215,6 +215,14 @@ function chips(cur,opts,fn){return opts.map(([k,n])=>`
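Review bot: The two-line operator gate added at the top of update_crm is pasted verbatim into delete_project, update_tasks and approve_stage as well; a small `operator_required` decorator applied to each route would make the check declarative, keep the four handlers in lockstep, and make it harder to forget on the next operator-only endpoint (the hunk headers show neighbouring project routes such as payment_webhook and build_spec_client that this commit does not touch, so they are worth auditing for the same gap). Placing the check before `request.get_json(force=True)` is the right order, since an unauthenticated caller never gets its body parsed; the decorator below preserves that. If is_operator() distinguishes an unauthenticated caller from an authenticated non-operator (its definition is not in this diff), returning 403 for the latter and logging the rejected call would help both clients and detection. The decorator needs `functools.wraps` so Flask registers distinct endpoint names, which requires `import functools` at the top of the file; the bodies of all four handlers continue outside their hunks.
```python
def operator_required(view):
    """Reject the request with 401 before the body is parsed unless is_operator() holds."""
    @functools.wraps(view)
    def wrapper(*args, **kwargs):
        if not is_operator():
            return jsonify({"error": "unauthorized"}), 401
        return view(*args, **kwargs)
    return wrapper


@app.route("/api/project/crm", methods=["POST"])
@operator_required
def update_crm():
    # … unchanged: body parsing, project lookup and the rest of the handler …
```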