diff --git a/server/api/profile/upload-image.post.ts b/server/api/profile/upload-image.post.ts
index 9571493..f943a0a 100644
--- a/server/api/profile/upload-image.post.ts
+++ b/server/api/profile/upload-image.post.ts
@@ -5,52 +5,48 @@ import { updateMemberProfileImageUrl, validateImageFile } from '~/server/utils/profile-images'; +import { createSessionManager } from '~/server/utils/session'; -// Authentication utility - we'll need to check if it exists -async function requireAuth(event: any) { - // Check for session-based authentication - const sessionCookie = getCookie(event, 'auth-token') || getCookie(event, 'nuxt-oidc-auth-session'); - - if (!sessionCookie) { - throw createError({ - statusCode: 401, - statusMessage: 'Authentication required', - }); - } - - // For now, return a basic user object - this should integrate with your existing auth system - const user = event.context.user; - if (!user) { - throw createError({ - statusCode: 401, - statusMessage: 'Invalid authentication', - }); - } - - return user; -} - -// Role-based access control +// Role-based access control using consistent session structure function canEditMember(user: any, targetMemberId: string): boolean { // Admin can edit anyone - if (user.tier === 'admin' || user.groups?.includes('admin') || user.groups?.includes('monaco-admin')) { + if (user.tier === 'admin') { return true; } // Board members can edit anyone - if (user.tier === 'board' || user.groups?.includes('board') || user.groups?.includes('monaco-board')) { + if (user.tier === 'board') { return true; } // Users can only edit their own profile - // We'll need to match by email or keycloak ID since users might not know their member_id - return user.email === targetMemberId || user.member_id === targetMemberId; + // Match by email, member_id, or user ID + return user.email === targetMemberId || + user.member_id === targetMemberId || + user.id === targetMemberId; } export default defineEventHandler(async (event) => { + console.log('[profile-upload] ========================='); + console.log('[profile-upload] POST /api/profile/upload-image'); + console.log('[profile-upload] Request from:', getClientIP(event)); + try { - // Check authentication - const 
user = await requireAuth(event); + // Get user session using the working session manager + const sessionManager = createSessionManager(); + const cookieHeader = getHeader(event, 'cookie'); + const session = sessionManager.getSession(cookieHeader); + + if (!session || !session.user) { + console.log('[profile-upload] ❌ No valid session found'); + throw createError({ + statusCode: 401, + statusMessage: 'Authentication required' + }); + } + + console.log('[profile-upload] ✅ Valid session found for user:', session.user.email); + console.log('[profile-upload] User tier:', session.user.tier); // Get query parameters const query = getQuery(event); @@ -64,7 +60,8 @@ export default defineEventHandler(async (event) => { } // Check permissions - if (!canEditMember(user, targetMemberId)) { + if (!canEditMember(session.user, targetMemberId)) { + console.log('[profile-upload] ❌ Permission denied for user:', session.user.email, 'target:', targetMemberId); throw createError({ statusCode: 403, statusMessage: 'You can only upload images for your own profile',
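Review bot: `canEditMember` now compares the single query value `targetMemberId` against three different identifier namespaces (`email`, `member_id`, `id`) on a `user: any`, so none of those fields is type-checked and, if one of them is absent from the session object while the query value is also missing, `undefined === undefined` grants access; restrict the match to defined fields, e.g. `const ownIds = [user.email, user.member_id, user.id].filter((v) => v != null); return ownIds.includes(targetMemberId);`, and give `user` the session user type exported by `~/server/utils/session` instead of `any`. Whether an earlier check already rejects an empty `targetMemberId` is outside this hunk (the closing `}` before "Check permissions" in the next hunk suggests one), so this may be belt-and-braces. The new prologue writes the client address and `session.user.email` to the log on every request, and the denial log in the next hunk echoes the raw `targetMemberId` query value; prefer an opaque identifier such as `session.user.id` in those `console.log` calls and avoid writing user-supplied strings into the log unescaped, since newlines in them can forge log entries. Whether `sessionManager.getSession(cookieHeader)` verifies the session's signature and expiry rather than only decoding the cookie cannot be seen here; since it replaces the `event.context.user` lookup, that guarantee now rests entirely on `~/server/utils/session` and is worth a one-line comment above the call stating it.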