diff --git a/web/routes/evotor_webhooks.py b/web/routes/evotor_webhooks.py
index c8d4d86..cec6d13 100644
--- a/web/routes/evotor_webhooks.py
+++ b/web/routes/evotor_webhooks.py
@@ -209,13 +209,17 @@ async def user_verify(request: Request, db: Session = Depends(get_db)):
     password: str = body.get("password", "")
 
     login = username or phone
-    if not login or not password:
-        return JSONResponse({"error": "username/phone and password required"}, status_code=400)
+    if not password:
+        return JSONResponse({"error": "password required"}, status_code=400)
 
-    # match by email, username, or phone
-    user = db.query(User).filter(
-        or_(User.email == login, User.phone == login)
-    ).first()
+    # 1. Match by evotor_user_id (most reliable — Evotor always sends userId)
+    user = db.query(User).filter(User.evotor_user_id == evotor_user_id).first() if evotor_user_id else None
+
+    # 2. Fall back to email or phone
+    if not user and login:
+        user = db.query(User).filter(
+            or_(User.email == login, User.phone == login)
+        ).first()
 
     if not user:
         return JSONResponse({"error": "Неверные данные"}, status_code=401)