diff --git a/stacks/fire-planner/main.tf b/stacks/fire-planner/main.tf
index 9cd80219..93ec91f3 100644
--- a/stacks/fire-planner/main.tf
+++ b/stacks/fire-planner/main.tf
@@ -444,11 +444,14 @@ module "ingress" {
 
 # Second ingress at the same host for the /api/ prefix WITHOUT Authentik
 # forward-auth. The SPA loads under Authentik (main ingress at /), then its
-# fetch() XHRs hit /api/* directly — forward-auth on /api/* would 302 the
-# XHR to a cross-origin Authentik login page, which fetch().json() can't
-# parse. App-layer bearer auth still gates writes (POST/PATCH/DELETE on
-# scenarios, /recompute, /simulate); read endpoints are open. Acceptable
-# for a personal tool whose only data is anonymous numeric projections.
+# fetch() XHRs hit /api/* directly — ANY forward-auth here (required OR
+# public-tier auto-bind) would 302 the XHR to a cross-origin Authentik
+# login page, which fetch() rejects under CORS preflight rules. Even the
+# `auth = "public"` flow needs a 302+cookie dance on first visit to set
+# the guest session cookie, so it doesn't help XHR APIs. App-layer bearer
+# auth still gates writes (POST/PATCH/DELETE on scenarios, /recompute,
+# /simulate); read endpoints are open. Acceptable for a personal tool
+# whose only data is anonymous numeric projections.
 module "ingress_api" {
   source          = "../../modules/kubernetes/ingress_factory"
   dns_type        = "none"
@@ -459,7 +462,7 @@ module "ingress_api" {
   port            = 8080
   ingress_path    = ["/api/"]
   tls_secret_name = var.tls_secret_name
-  auth            = "public"
+  auth            = "none"
 }
 
 # Plan-time read of the ESO-created K8s Secret for Grafana datasource
diff --git a/stacks/insta2spotify/main.tf b/stacks/insta2spotify/main.tf
index d671cbf0..a1bc3b0e 100644
--- a/stacks/insta2spotify/main.tf
+++ b/stacks/insta2spotify/main.tf
@@ -248,7 +248,9 @@ module "ingress" {
   }
 }
 
-# API ingress — unprotected (API key auth handled by backend)
+# API ingress — unprotected (API key auth handled by backend). XHR-based
+# endpoints; `auth = "public"` would 302+cookie-dance and break CORS
+# preflight, so we stay at `auth = "none"`.
 module "ingress_api" {
   source          = "../../modules/kubernetes/ingress_factory"
   namespace       = kubernetes_namespace.insta2spotify.metadata[0].name
@@ -256,7 +258,7 @@ module "ingress_api" {
   host            = "insta2spotify"
   service_name    = "insta2spotify"
   tls_secret_name = var.tls_secret_name
-  auth            = "public"
+  auth            = "none"
   ingress_path    = ["/api/identify", "/api/auth", "/api/health", "/api/history"]
   max_body_size   = "50m"
 }
diff --git a/stacks/k8s-portal/modules/k8s-portal/main.tf b/stacks/k8s-portal/modules/k8s-portal/main.tf
index 44ae778d..c40bfb8e 100644
--- a/stacks/k8s-portal/modules/k8s-portal/main.tf
+++ b/stacks/k8s-portal/modules/k8s-portal/main.tf
@@ -159,7 +159,9 @@ module "ingress" {
   }
 }
 
-# Unprotected ingress for the setup script and agent endpoint (needs to be curl-able without auth)
+# Unprotected ingress for the setup script and agent endpoint (needs to be
+# curl-able without auth). `auth = "public"` would 302+cookie-dance on
+# first visit, breaking automation that doesn't preserve cookies.
 module "ingress_setup_script" {
   source          = "../../../../modules/kubernetes/ingress_factory"
   namespace       = kubernetes_namespace.k8s_portal.metadata[0].name
@@ -168,5 +170,5 @@ module "ingress_setup_script" {
   service_name    = "k8s-portal"
   ingress_path    = ["/setup/script", "/agent"]
   tls_secret_name = var.tls_secret_name
-  auth            = "public"
+  auth            = "none"
 }