diff --git a/src/modes/server.rs b/src/modes/server.rs
index 9fb028e..d58aa98 100644
--- a/src/modes/server.rs
+++ b/src/modes/server.rs
@@ -98,15 +98,23 @@ async fn run_server(
         .route("/mcp", post(mcp::handle_mcp_request))
         .with_state(state.clone());
     
-    let app = Router::new()
-        // Add API, documentation, and pages routes first
-        .merge(api::add_routes(Router::new()))
+    // Create routes that don't require authentication
+    let open_routes = Router::new()
         .merge(api::add_docs_routes(Router::new()))
+        .with_state(state.clone())
+        .layer(axum::middleware::from_fn(logging_middleware))
+        .layer(
+            ServiceBuilder::new()
+                .layer(TraceLayer::new_for_http())
+                .layer(CorsLayer::permissive())
+        );
+
+    // Create routes that require authentication
+    let protected_routes = Router::new()
+        .merge(api::add_routes(Router::new()))
         .merge(pages::add_routes(Router::new()))
         .merge(mcp_router)
-        // Apply state
         .with_state(state)
-        // Add middleware layers (applied in reverse order)
         .layer(axum::middleware::from_fn(logging_middleware))
         .layer(axum::middleware::from_fn(create_auth_middleware(config.password.clone(), config.password_hash.clone())))
         .layer(
@@ -114,6 +122,9 @@ async fn run_server(
                 .layer(TraceLayer::new_for_http())
                 .layer(CorsLayer::permissive())
         );
+
+    // Combine both route groups
+    let app = open_routes.merge(protected_routes);
     
     let addr: SocketAddr = bind_address.parse()?;