diff --git a/src/middleware.ts b/src/middleware.ts
index 3657667..82211a6 100644
--- a/src/middleware.ts
+++ b/src/middleware.ts
@@ -12,6 +12,8 @@ const PUBLIC_PATHS: string[] = [
   '/api/public/',
   '/api/health',
   '/scan',
+  '/portal/',
+  '/api/portal/',
 ];
 
 function isPublicPath(pathname: string): boolean {
@@ -35,10 +37,7 @@ export function middleware(request: NextRequest): NextResponse {
   if (!sessionToken?.value) {
     if (isApiRoute(pathname)) {
       // API routes return 401 JSON — never redirect
-      return NextResponse.json(
-        { error: 'Authentication required' },
-        { status: 401 },
-      );
+      return NextResponse.json({ error: 'Authentication required' }, { status: 401 });
     }
 
     // Page routes redirect to /login, preserving the intended destination