diff --git a/seatable_thumbnail/permissions.py b/seatable_thumbnail/permissions.py
index 991d7bc..2694d1e 100644
--- a/seatable_thumbnail/permissions.py
+++ b/seatable_thumbnail/permissions.py
@@ -38,13 +38,15 @@ def set_cache_permission(self):
 
     def has_dtable_asset_read_permission(self):
         # four ways to access asset
-        # 1. through external link to get image
+        # 1. through external link or external app to get image
         # 2. through collection table to get image
         # 3. through dtable perm, including dtable share, dtable custom share
         # 4. through view share perm
 
         if self.can_access_image_through_external_link():
             return True
+        if self.can_access_image_through_external_app():
+            return True
         if self.has_collection_table_permission():
             return True
         if self.check_dtable_permission():
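Review bot: The numbered comment in has_dtable_asset_read_permission still says "four ways" and folds the external app into item 1, while the code now has a separate `can_access_image_through_external_app()` branch. Listing it as its own item keeps the comment aligned with the checks, e.g. `# five ways to access asset` and `# 2. through external app to get image`, with the later items renumbered. A short docstring stating that any single grant is sufficient would help someone auditing this access path. The method's body continues past the end of the hunk.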
@@ -62,6 +64,14 @@ def can_access_image_through_external_link(self):
 
         return self.external_link['dtable_uuid'] == self.dtable_uuid
 
+    def can_access_image_through_external_app(self):
+        if not hasattr(self, 'external_app'):
+            return False
+        if not self.external_app.get('dtable_uuid'):
+            return False
+
+        return self.external_app['dtable_uuid'] == self.dtable_uuid
+
     def has_collection_table_permission(self):
         if not hasattr(self, 'collection_table'):
             return False
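Review bot: `can_access_image_through_external_app` calls `self.external_app.get(...)` after only a `hasattr` check, so an attribute that is present but `None` or not a dict raises AttributeError instead of denying. How the attribute is populated is not visible in this diff, so this may not be reachable. `app = getattr(self, 'external_app', None)` followed by `if not isinstance(app, dict): return False` would fail closed. The check also grants read on every asset of the base once the session's `dtable_uuid` matches; if external apps are meant to expose only part of a base, a docstring should state the intended scope, e.g. `"""Return True when the session's external_app entry is bound to this dtable_uuid."""`. The leading context lines belong to can_access_image_through_external_link and the trailing ones to has_collection_table_permission, both of which extend outside the hunk.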
diff --git a/seatable_thumbnail/serializers.py b/seatable_thumbnail/serializers.py
index a52cc5a..7ace092 100644
--- a/seatable_thumbnail/serializers.py
+++ b/seatable_thumbnail/serializers.py
@@ -51,10 +51,11 @@ def session_check(self):
         username = self.session_data.get('_auth_user_name')
         external_link = self.session_data.get('external_link')
         collection_table = self.session_data.get('collection_table')
+        external_app = self.session_data.get('external_app')
         if username:
             self.session_data['username'] = username
 
-        if not username and not external_link and not collection_table:
+        if not username and not external_link and not collection_table or not external_app:
             raise AssertionError(400, 'django session invalid.')
 
     def get_enable_file_type(self):
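Review bot: The new condition in session_check parses as `(not username and not external_link and not collection_table) or not external_app`, because `and` binds tighter than `or`. Every session without `external_app` is therefore rejected with the 400, including logged-in users and external-link or collection-table sessions. The fourth term should be joined with `and`: `if not username and not external_link and not collection_table and not external_app:`. A test with a session that carries only `_auth_user_name` would catch the regression. session_check starts outside the hunk.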