diff --git a/src/backend/middleware/auth.ts b/src/backend/middleware/auth.ts
index 2f3734a..5e03313 100644
--- a/src/backend/middleware/auth.ts
+++ b/src/backend/middleware/auth.ts
@@ -33,17 +33,35 @@ export const apiKeyAuth = (
 const origin = req.headers.origin || req.headers.referer;
 const allowedOrigins = config.frontendAllowedOrigins;
- // Check if origin is present and matches allowed origins
+ // If no origin/referer header, check if it's a same-origin request by checking Host header
 if (!origin) {
- logger.warn('Frontend API key used without origin/referer header', {
- ip: req.ip,
- path: req.path,
- userAgent: req.headers['user-agent'],
- });
- res.status(403).json({
- error: 'Forbidden',
- message: 'Origin header required for frontend API key',
- });
+ const host = req.headers.host;
+ const protocol = req.protocol || 'http';
+ const requestOrigin = `${protocol}://${host}`;
+
+ // Check if the request comes from an allowed origin based on Host header
+ const isSameOriginAllowed = allowedOrigins.some(allowed =>
+ requestOrigin.startsWith(allowed)
+ );
+
+ if (!isSameOriginAllowed) {
+ logger.warn('Frontend API key used without origin/referer header', {
+ ip: req.ip,
+ path: req.path,
+ host: host,
+ requestOrigin: requestOrigin,
+ userAgent: req.headers['user-agent'],
+ });
+ res.status(403).json({
+ error: 'Forbidden',
+ message: 'Origin header required for frontend API key',
+ });
+ return;
+ }
+
+ // Same-origin request allowed
+ req.apiKeyType = 'frontend';
+ next();
 return;
 }
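Review bot: The new fallback matches the reconstructed origin by prefix, `requestOrigin.startsWith(allowed)`, so an entry like `https://app.example` (constructed example) also accepts any Host whose origin merely begins with that string, and an undefined Host yields `http://undefined` rather than a clear rejection; compare for equality instead: `const isSameOriginAllowed = host !== undefined && allowedOrigins.some(allowed => allowed === requestOrigin);`. Host is a client-supplied header, so this branch is at best a consistency check rather than proof that the call came from the frontend, and a short comment on the fallback saying so (e.g. `// Host is client-controlled; this only filters obviously foreign hosts, it does not authenticate the caller`) would keep that limitation visible to the next maintainer. If this is Express (suggested by `req.protocol`, `req.ip` and `next`), `req.protocol` reports the proxy's TLS termination only when `trust proxy` is configured — otherwise `https://` entries in `frontendAllowedOrigins` never match here and legitimate same-origin requests are rejected, which is worth a note next to `const protocol`. The body of apiKeyAuth continues outside the hunk.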