diff --git a/server/index.ts b/server/index.ts
index 62dcc99..31b2ff3 100644
--- a/server/index.ts
+++ b/server/index.ts
@@ -2218,7 +2218,16 @@ for (const mod of getAllModules()) {
 const accept = c.req.header("Accept") || "";
 const isHtmlRequest = accept.includes("text/html");
- if (!isHtmlRequest && (vis === "private" || vis === "permissioned")) {
+ // Exempt public-facing endpoints that are designed for unauthenticated users
+ const pathname = new URL(c.req.url).pathname;
+ const isPublicEndpoint = pathname.endsWith("/api/flows/user-onramp")
+ || pathname.endsWith("/api/onramp/config")
+ || pathname.endsWith("/api/transak/config")
+ || pathname.endsWith("/api/transak/webhook")
+ || pathname.endsWith("/api/coinbase/webhook")
+ || pathname.endsWith("/api/ramp/webhook");
+
+ if (!isHtmlRequest && !isPublicEndpoint && (vis === "private" || vis === "permissioned")) {
 const token = extractToken(c.req.raw.headers);
 if (!token) {
 return c.json({ error: "Authentication required" }, 401);
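Review bot: The new `isPublicEndpoint` check matches by suffix (`pathname.endsWith(...)`), so in what appears to be a per-module auth gate any request path that merely ends in one of the six strings skips the token check for a `private` or `permissioned` module, not only the six intended routes. Match the exact route relative to the module's mount path instead, and consider limiting the exemption by HTTP method as well, since the webhook routes presumably only need POST. With the gate lifted, the three `*/webhook` routes depend entirely on their handlers verifying the provider's signature, which is not visible in this hunk and should be confirmed. The enclosing `for (const mod of getAllModules())` body starts and ends outside the hunk, so the sketch below uses `MODULE_BASE_PATH` as a placeholder for however the loop derives the module's path prefix.

```typescript
// … unchanged: accept / isHtmlRequest …
// Exact-match allow-list of routes that intentionally skip the token check.
// MODULE_BASE_PATH is a placeholder: substitute the mount path this loop already knows for `mod`.
const PUBLIC_ROUTES = new Set([
  "/api/flows/user-onramp",
  "/api/onramp/config",
  "/api/transak/config",
  "/api/transak/webhook",
  "/api/coinbase/webhook",
  "/api/ramp/webhook",
]);
const pathname = new URL(c.req.url).pathname;
const isPublicEndpoint =
  pathname.startsWith(MODULE_BASE_PATH) &&
  PUBLIC_ROUTES.has(pathname.slice(MODULE_BASE_PATH.length));
// … unchanged: the `if (!isHtmlRequest && !isPublicEndpoint && …)` token check …
```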