diff --git a/bin/apicall.sh b/bin/apicall.sh index 50a3331ca..676491f5a 100755 --- a/bin/apicall.sh +++ b/bin/apicall.sh @@ -4,9 +4,10 @@ port=$(grep ^port= ../DATA/SETTINGS/yacy.conf |cut -d= -f2) pw=$(grep ^adminAccountBase64MD5= ../DATA/SETTINGS/yacy.conf |cut -d= -f2) if which curl &>/dev/null; then - curl -s --header "Authorization: realm=$pw" "http://127.0.0.1:$port/$1" + curl -s -u admin:$pw "http://127.0.0.1:$port/$1" elif which wget &>/dev/null; then - wget -q -t 1 --timeout=120 --header "Authorization: realm=$pw" "http://127.0.0.1:$port/$1" -O - + wget -q -t 1 --timeout=120 --http-user admin --http-password pw "http://127.0.0.1:$port/$1" -O - else exit 1 fi + diff --git a/source/net/yacy/http/YaCyLegacyCredential.java b/source/net/yacy/http/YaCyLegacyCredential.java index 7ad216ef7..11a133b52 100644 --- a/source/net/yacy/http/YaCyLegacyCredential.java +++ b/source/net/yacy/http/YaCyLegacyCredential.java @@ -26,6 +26,7 @@ package net.yacy.http; import net.yacy.cora.order.Base64Order; import net.yacy.cora.order.Digest; +import net.yacy.server.serverAccessTracker; import org.eclipse.jetty.util.security.Credential; 
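Review bot: The wget branch sends the literal string `pw` as the password, because `--http-password pw` is missing the `$`; it should read `--http-password "$pw"`, otherwise the wget fallback never authenticates. In the curl branch `-u admin:$pw` is unquoted and should be `-u "admin:$pw"`. Both tools now receive the credential as a command-line argument, which other local users can read from the process list while the call runs; since the accompanying Java change accepts this stored hash as a password, the value and the permissions on yacy.conf deserve the same care as a cleartext password.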
@@ -55,7 +56,17 @@ public class YaCyLegacyCredential extends Credential {
 public boolean check(Object credentials) {
 if (credentials instanceof String) {
 final String pw = (String) credentials;
- if (isBase64enc) return calcHash(foruser + ":" + pw).equals(this.hash); // for admin user
+ if (isBase64enc) {
+ if (serverAccessTracker.timeSinceAccessFromLocalhost() < 100) {
+ // we allow localhost accesses also to submit the hash as password
+ // this is very important since that method is used by the scripts in bin/ which are based on bin/apicall.sh
+ // the cleartext password is not stored anywhere, but we must find a way to allow scripts to steer a peer.
+ // this is the exception that makes that possible.
+ // TODO: it should be better to check the actual access IP here, but that is not handed over to Credential classes :(
+ if (pw.equals(this.hash)) return true;
+ }
+ return calcHash(foruser + ":" + pw).equals(this.hash); // for admin user
+ }
 // normal users
 return Digest.encodeMD5Hex(foruser + ":" + pw).equals(this.hash);
 }
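Review bot: The localhost exception in `check()` is gated on `serverAccessTracker.timeSinceAccessFromLocalhost() < 100`, which says only that some localhost request was seen recently, not that this request is local; during that window any client that presents the stored hash is accepted, and the hash kept in yacy.conf becomes a password equivalent. As the TODO says, the remote address is not available in a Credential, so the test probably belongs where the request is visible (the authenticator or login service, not shown in this hunk), with this class left to compare only `calcHash(...)`. If the exception stays here, name the threshold and its unit, e.g. `private static final long LOCALHOST_GRACE_MS = 100;` (unit assumed, confirm against serverAccessTracker), and compare with `MessageDigest.isEqual(pw.getBytes(StandardCharsets.UTF_8), this.hash.getBytes(StandardCharsets.UTF_8))` instead of `pw.equals(this.hash)` so the match is constant-time. The body of `check()` continues past the end of the hunk.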