diff --git a/server/index.js b/server/index.js
index 0b29e5a..7229568 100644
--- a/server/index.js
+++ b/server/index.js
@@ -80,19 +80,11 @@ app.get('/api/pricing/:category', requireAuth, (req, res) => {
   res.status(400).json({ error: `Invalid category. Use: ${validCategories.join(', ')}` });
 });
 
-// Serve static files with auth protection
+// Serve static files (SPA loads without auth — auth is API-only)
 const clientDist = path.join(__dirname, '..', 'client', 'dist');
 if (fs.existsSync(clientDist)) {
-  // Allow unauthenticated access to login page assets and auth endpoints
-  app.use('/assets', express.static(path.join(clientDist, 'assets')));
-
-  // Login page is always accessible
-  app.get('/login', (req, res) => {
-    res.sendFile(path.join(clientDist, 'index.html'));
-  });
-
-  // All other routes require auth
-  app.get('*', requireAuth, (req, res) => {
+  app.use(express.static(clientDist));
+  app.get('*', (req, res) => {
     res.sendFile(path.join(clientDist, 'index.html'));
   });
 }