diff --git a/main.py b/main.py
index 8f689f07..782ca955 100644
--- a/main.py
+++ b/main.py
@@ -1046,6 +1046,15 @@ class AuthMiddleware(BaseHTTPMiddleware):
 if path.startswith("/ws/live"):
 return await call_next(request)
 
+ # Trust internal connections (Docker network gateway + loopback). The
+ # tracker port (8765) is bound to 127.0.0.1 in docker-compose.yml and
+ # only the host or other compose-network containers can reach it.
+ # This lets host-side helpers (overlord-agent, discord-rare-monitor,
+ # etc.) call any endpoint without forging a session cookie.
+ client_host = request.client.host if request.client else ""
+ if client_host.startswith("172.") or client_host in ("127.0.0.1", "::1", "localhost"):
+ return await call_next(request)
+
 # Check session cookie
 token = request.cookies.get("session")
 if token:
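Review bot: The `client_host.startswith("172.")` test in the new trust check matches the whole 172.0.0.0/8 range, and more importantly it turns every peer on the compose network into an unauthenticated caller, so if a reverse proxy or any other container ever fronts this service, external requests arrive with a 172.x source address and the session-cookie check below is skipped entirely. `request.client.host` is a peer address, so the `"localhost"` entry can never match, and the comment's safety argument rests on the 127.0.0.1 bind in docker-compose.yml, which this code cannot verify and which a later deployment change silently invalidates. I would parse the address with `ipaddress` and compare it against explicit loopback and 172.16.0.0/12 networks (the private range Docker's default bridge networks are carved from), ideally driven by a configurable allowlist so the bypass can be switched off, and log each bypassed request so it is visible in the audit trail. The enclosing dispatch method starts before this hunk, and `ipaddress` would need adding to the module's imports.
```python
# … unchanged: /ws/live passthrough …
client_host = request.client.host if request.client else ""
try:
    client_ip = ipaddress.ip_address(client_host)
except ValueError:
    client_ip = None
# Loopback plus the RFC 1918 block Docker's default bridge networks use;
# an allowlist setting would be preferable to hard-coding this.
if client_ip is not None and (
    client_ip.is_loopback or client_ip in ipaddress.ip_network("172.16.0.0/12")
):
    logger.info("auth bypassed for trusted internal client %s on %s", client_host, path)
    return await call_next(request)
# … unchanged: session cookie check …
```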