diff --git a/src/app.py b/src/app.py
index a01df71..d3d8e7b 100644
--- a/src/app.py
+++ b/src/app.py
@@ -133,6 +133,10 @@ def create_app() -> FastAPI:
 response: Response = await call_next(request)
+ # Banned requests are already logged by BanCheckMiddleware
+ if getattr(request.state, "banned", False):
+ return response
+
 client_ip = get_client_ip(request)
 path = request.url.path
 method = request.method
diff --git a/src/middleware/ban_check.py b/src/middleware/ban_check.py
index 5fcacf5..9ab03f9 100644
--- a/src/middleware/ban_check.py
+++ b/src/middleware/ban_check.py
@@ -29,6 +29,7 @@ class BanCheckMiddleware(BaseHTTPMiddleware):
 get_access_logger().info(
 f"[BANNED] [{request.method}] {client_ip} - {request.url.path}"
 )
+ request.state.banned = True
 transport = request.scope.get("transport")
 if transport:
 transport.close()
diff --git a/src/routes/api.py b/src/routes/api.py
index 08c9eeb..11ee8ce 100644
--- a/src/routes/api.py
+++ b/src/routes/api.py
@@ -16,7 +16,7 @@ from fastapi import APIRouter, Request, Response, Query, Cookie
 from fastapi.responses import JSONResponse, PlainTextResponse
 from pydantic import BaseModel
-from dependencies import get_db
+from dependencies import get_db, get_client_ip
 from logger import get_app_logger
 # Server-side session token store (valid tokens for authenticated sessions)
@@ -52,7 +52,7 @@ def verify_auth(request: Request) -> bool:
 @router.post("/api/auth")
 async def authenticate(request: Request, body: AuthRequest):
- ip = request.client.host
+ ip = get_client_ip(request)
 # Check if IP is currently locked out
 record = _auth_attempts.get(ip)
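Review bot: The early return added after `call_next` only works if BanCheckMiddleware is mounted inside this access-log middleware, so that `request.state.banned` is already set by the time the response comes back; nothing in the hunk records that ordering, and if the two are registered the other way round the flag is never observed and the request is logged twice as before. I would state the assumption in the comment rather than leave it implicit: `# Set by BanCheckMiddleware (must be mounted inside this middleware), which has already logged the request`. Be aware as well that `request.state` is writable by any dependency or route handler, so anything downstream that sets `banned` opts itself out of access logging; that is probably acceptable for internal code but worth knowing when reading the access log during an incident. The enclosing middleware function starts and ends outside the hunk.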
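Review bot: `request.state.banned = True` is set unconditionally, before the code checks whether a `transport` is present in the ASGI scope, so on a server that does not expose one a banned request that is not actually disconnected would also vanish from the access log; if such a fall-through path exists after the `if transport:` branch, either set the flag only on the branch that closes the connection or make sure that path logs on its own. Since the flag is consumed in another module, a short comment naming the reader would help: `# Read by the access-log middleware in app.py to suppress the duplicate log line`. The method containing this code starts and ends outside the hunk.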
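Review bot: Keying the lockout on `get_client_ip(request)` instead of `request.client.host` makes the brute-force protection only as strong as that helper's treatment of forwarding headers, which is not visible in this diff; if it honours `X-Forwarded-For` or a similar header from any peer rather than only from trusted proxies, an attacker can rotate the header value to obtain a fresh `_auth_attempts` bucket per guess, or spoof a victim's address to lock them out. Before merging, confirm that `get_client_ip` falls back to the socket peer unless the connection arrives from a configured proxy, and record that requirement where `ip` is assigned: `# Lockout key: get_client_ip must only trust forwarding headers from known proxies`. The body of `authenticate` continues past the end of the hunk.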