diff --git a/packages/cli/src/decorators/registerController.ts b/packages/cli/src/decorators/registerController.ts
index fe792040b6067..54ff6bbbbcfd6 100644
--- a/packages/cli/src/decorators/registerController.ts
+++ b/packages/cli/src/decorators/registerController.ts
@@ -32,6 +32,11 @@ export const createAuthMiddleware =
 		res.status(403).json({ status: 'error', message: 'Unauthorized' });
 	};
 
+const authFreeRoutes: string[] = [];
+
+export const canSkipAuth = (method: string, path: string): boolean =>
+	authFreeRoutes.includes(`${method.toLowerCase()} ${path}`);
+
 export const registerController = (app: Application, config: Config, controller: object) => {
 	const controllerClass = controller.constructor;
 	const controllerBasePath = Reflect.getMetadata(CONTROLLER_BASE_PATH, controllerClass) as
@@ -69,6 +74,7 @@ export const registerController = (app: Application, config: Config, controller:
 					(controller as Controller)[handlerName](req, res),
 				),
 			);
+			if (!authRole || authRole === 'none') authFreeRoutes.push(`${method} ${prefix}${path}`);
 		});
 
 	app.use(prefix, router);
diff --git a/packages/cli/src/middlewares/auth.ts b/packages/cli/src/middlewares/auth.ts
index 231b48beddf91..e28272766b916 100644
--- a/packages/cli/src/middlewares/auth.ts
+++ b/packages/cli/src/middlewares/auth.ts
@@ -12,6 +12,7 @@ import { AUTH_COOKIE_NAME, EDITOR_UI_DIST_DIR } from '@/constants';
 import { issueCookie, resolveJwtContent } from '@/auth/jwt';
 import { isUserManagementEnabled } from '@/UserManagement/UserManagementHelper';
 import type { UserRepository } from '@db/repositories';
+import { canSkipAuth } from '@/decorators/registerController';
 
 const jwtFromRequest = (req: Request) => {
 	// eslint-disable-next-line @typescript-eslint/no-unsafe-member-access
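Review bot: `canSkipAuth` is an exact string lookup, so its key format must agree byte for byte with the push site in the second hunk of this file, and that site appends the raw route `method` while this lookup lowercases `req.method`; unless the decorator metadata is already lowercase, nothing will ever match and every controller route silently stays behind auth. Normalize once where the key is built, `authFreeRoutes.push(\`${method.toLowerCase()} ${prefix}${path}\`)`, so both sides use the same form. A route `path` that contains an Express parameter (`/:id`) can likewise never equal a concrete `req.path`, so such handlers cannot be exempted by this mechanism, which deserves a comment next to the lookup. As an exported function it should carry a TSDoc line such as `/** True when the controller handler registered for method+path opted out of authentication (see registerController); exact match, no params or trailing slash. */`.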
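Review bot: `!authRole ||` on the added line makes a handler that declares no role at all bypass authentication, so forgetting the role on a new endpoint now fails open, whereas before this change only the explicit URL list in middlewares/auth.ts skipped the JWT check and every other route went through it (as far as this diff shows). Make the opt-out explicit, `if (authRole === 'none') authFreeRoutes.push(\`${method} ${prefix}${path}\`);`, and if undeclared roles are genuinely meant to be public, state that in a comment on the line so the default is a deliberate choice rather than an omission. `registerController` starts and ends outside the hunk.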
@@ -90,14 +91,10 @@ export const setupAuthMiddlewares = (
 			// skip authentication for preflight requests
 			req.method === 'OPTIONS' ||
 			staticAssets.includes(req.url.slice(1)) ||
+			canSkipAuth(req.method, req.path) ||
 			isAuthExcluded(req.url, ignoredEndpoints) ||
 			req.url.startsWith(`/${restEndpoint}/settings`) ||
-			req.url.startsWith(`/${restEndpoint}/login`) ||
-			req.url.startsWith(`/${restEndpoint}/resolve-signup-token`) ||
 			isPostUsersId(req, restEndpoint) ||
-			req.url.startsWith(`/${restEndpoint}/forgot-password`) ||
-			req.url.startsWith(`/${restEndpoint}/resolve-password-token`) ||
-			req.url.startsWith(`/${restEndpoint}/change-password`) ||
 			req.url.startsWith(`/${restEndpoint}/oauth2-credential/callback`) ||
 			req.url.startsWith(`/${restEndpoint}/oauth1-credential/callback`)
 		) {
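Review bot: `canSkipAuth(req.method, req.path)` is an exact match, while the `startsWith` checks it replaces tolerated any suffix; unless the router is created with `strict`/`caseSensitive`, Express still routes `/rest/login/` and `/rest/Login` to the login handler, but those requests are no longer exempted here and will be rejected before reaching it. Either canonicalize before the lookup, `canSkipAuth(req.method, req.path.replace(/\/+$/, ''))`, or add a comment stating that exempt routes must be requested in their registered form. The diff also does not show the login, resolve-signup-token, forgot-password, resolve-password-token and change-password handlers being tagged with the no-auth role; if any of them is missed, that endpoint now demands an auth cookie and locks users out, so a test that calls each removed URL unauthenticated would catch the gap. `setupAuthMiddlewares` starts and ends outside the hunk.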