diff --git a/apps/api/src/auth/auth.controller.ts b/apps/api/src/auth/auth.controller.ts
index c632bbc..c3f98b6 100644
--- a/apps/api/src/auth/auth.controller.ts
+++ b/apps/api/src/auth/auth.controller.ts
@@ -5,6 +5,7 @@ import type { AuthUser, AuthSession } from "@mosaic/shared";
 import { AuthService } from "./auth.service";
 import { AuthGuard } from "./guards/auth.guard";
 import { CurrentUser } from "./decorators/current-user.decorator";
+import { SkipCsrf } from "../common/decorators/skip-csrf.decorator";
 
 interface RequestWithSession {
   user?: AuthUser;
@@ -88,6 +89,7 @@ export class AuthController {
    * Rate limiting and logging are applied to mitigate abuse (SEC-API-10).
    */
   @All("*")
+  @SkipCsrf()
   @Throttle({ strict: { limit: 10, ttl: 60000 } })
   async handleAuth(@Req() req: ExpressRequest, @Res() res: ExpressResponse): Promise {
     // Extract client IP for logging
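Review bot: `@SkipCsrf()` is placed on an `@All("*")` handler, so the CSRF exemption covers every HTTP method and every sub-path routed through handleAuth, including whatever state-changing endpoints (sign-out, session or credential updates) the delegated auth handler serves, and the hunk records no reason for that. The preceding doc comment already cites the rate-limiting control (SEC-API-10) but says nothing about the CSRF guard being bypassed; it should state the compensating control, e.g. `* CSRF guard is skipped here because <REASON — e.g. the delegated auth handler enforces its own origin/cookie checks>; revisit if that handler changes.` If the exemption can be narrowed to the specific paths or methods that need it rather than the wildcard, that would be preferable to a blanket skip. handleAuth's body continues outside the hunk, so I cannot confirm from here whether the handler performs its own origin validation.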