diff --git a/app/beauty_main.py b/app/beauty_main.py
index 7ddce33..c425209 100644
--- a/app/beauty_main.py
+++ b/app/beauty_main.py
@@ -123,9 +123,12 @@ app = FastAPI(title="BeautyLeads", lifespan=lifespan)
 
 # ── Auth middleware ───────────────────────────────────────────────────────────
 class AuthMiddleware(BaseHTTPMiddleware):
-    # Paths that don't require a session
-    _EXEMPT_PREFIXES = ("/api/auth/",)
-    _EXEMPT_EXACT = {"/login.html", "/favicon.ico"}
+    # Only these exact paths skip the session check:
+    # - login (no session yet)
+    # - logout (gracefully accepts expired/missing session)
+    # - login page and favicon
+    _EXEMPT_PREFIXES = ()
+    _EXEMPT_EXACT = {"/api/auth/login", "/api/auth/logout", "/login.html", "/favicon.ico"}
 
     async def dispatch(self, request: Request, call_next):
         path = request.url.path
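Review bot: `_EXEMPT_PREFIXES = ()` survives as an empty tuple although the new comment says only exact paths skip the session check, so the prefix-match hook in dispatch (whose body continues outside the hunk) presumably still exists and a future one-line addition would silently reopen a prefix-wide exemption like the `/api/auth/` one this commit removes. Either drop the attribute together with its use in dispatch, or mark it as deliberately empty: `# Intentionally empty: prefix exemptions widen the unauthenticated surface; add exact paths to _EXEMPT_EXACT instead.` Since every other route under `/api/auth/` now requires a session, it is worth confirming against the router that no existing endpoint there (e.g. a password-reset or session-refresh route, if any) relied on the old prefix exemption. As a style point, `_EXEMPT_EXACT` is a plain mutable `set` on the class; `frozenset({...})` would signal that the allow-list is a constant rather than something to mutate at runtime.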