diff --git a/internal/netbox/client.go b/internal/netbox/client.go
index f140255..07894b4 100644
--- a/internal/netbox/client.go
+++ b/internal/netbox/client.go
@@ -133,6 +133,14 @@ func (c *Client) searchVMs(ctx context.Context, query string) ([]HostEntry, erro
 	return entries, nil
 }
 
+// TokenVersion returns 2 for NetBox v2 tokens (nbt_ prefix) or 1 for legacy tokens.
+func TokenVersion(token string) int {
+	if strings.HasPrefix(token, "nbt_") {
+		return 2
+	}
+	return 1
+}
+
 func (c *Client) get(ctx context.Context, apiURL string, out any) error {
 	req, err := http.NewRequestWithContext(ctx, http.MethodGet, apiURL, nil)
 	if err != nil {
@@ -147,6 +155,14 @@ func (c *Client) get(ctx context.Context, apiURL string, out any) error {
 	}
 	defer resp.Body.Close()
 
+	if resp.StatusCode == http.StatusForbidden {
+		hint := "check token permissions in NetBox"
+		if TokenVersion(c.token) == 1 {
+			hint += " — legacy v1 token detected, consider upgrading to a v2 token (starts with nbt_)"
+		}
+		return fmt.Errorf("%s: %s", apiURL, hint)
+	}
+
 	if resp.StatusCode != http.StatusOK {
 		return fmt.Errorf("netbox returned %d for %s", resp.StatusCode, apiURL)
 	}
diff --git a/internal/setup/wizard.go b/internal/setup/wizard.go
index 55fb739..00920fe 100644
--- a/internal/setup/wizard.go
+++ b/internal/setup/wizard.go
@@ -11,6 +11,7 @@ import (
 	"github.com/charmbracelet/huh"
 
 	"git.zb-server.de/Sebi/ssh-netbox-wrapper/internal/config"
+	"git.zb-server.de/Sebi/ssh-netbox-wrapper/internal/netbox"
 )
 
 // RunWizard runs the interactive setup form, pre-filled with any existing cfg values.
@@ -102,6 +103,11 @@ func RunWizard(cfg *config.Config) error {
 		return err
 	}
 
+	if netbox.TokenVersion(token) == 1 {
+		fmt.Fprintln(os.Stderr, "\nHinweis: Du verwendest einen Legacy-Token (v1). Erstelle in NetBox einen v2-Token (beginnt mit nbt_) für bessere Kompatibilität.")
+		fmt.Fprintln(os.Stderr, "  NetBox → Admin → API Tokens → Add Token")
+	}
+
 	ttl, _ := strconv.Atoi(cacheTTL)
 
 	var subnetList []string