For those who have the same problem: I figured it out.
The database still had some old tokens that were created with a different enckey.
In the web UI, the token test calls the API specifically for {{tokenname}}, and with a newly created token the enckey is the correct one and it can test the tokens correctly.
But if you log in via Apache, it only has your username and tries every token, starting with the oldest one (that was made with a different enckey), and fails to decrypt the first one → it fails.
Feedback, maybe: try all tokens per user before giving up.