diff --git a/api/app.py b/api/app.py
index faca87b..f8eee4b 100644
--- a/api/app.py
+++ b/api/app.py
@@ -199,8 +199,8 @@ def enforce_auth():
     backward-compatibility with pre-auth test suites.
     """
     path = request.path
-    # Always allow non-API paths and auth namespace
-    if not path.startswith('/api/') or path.startswith('/api/auth/'):
+    # Always allow non-API paths, auth namespace, and setup namespace
+    if not path.startswith('/api/') or path.startswith('/api/auth/') or path.startswith('/api/setup/'):
         return None
     # Cell peer-sync endpoints authenticate via source IP + WG pubkey — not session
     if path.startswith('/api/cells/peer-sync/'):
diff --git a/tests/test_route_protection.py b/tests/test_route_protection.py
index b5045bf..73a2ba5 100644
--- a/tests/test_route_protection.py
+++ b/tests/test_route_protection.py
@@ -128,6 +128,12 @@ def test_anon_blocked_from_peer_routes(anon_client):
     assert r.status_code == 401
 
 
+def test_setup_routes_bypass_auth(anon_client):
+    """/api/setup/* must be reachable without a session — setup runs before any account exists."""
+    r = anon_client.get('/api/setup/status')
+    assert r.status_code != 401
+
+
 def test_anon_blocked_from_peer_dashboard(anon_client):
     r = anon_client.get('/api/peer/dashboard')
     assert r.status_code == 401
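Review bot: The new `path.startswith('/api/setup/')` exemption is unconditional, so every handler under /api/setup/ stays reachable by anonymous callers for the lifetime of the deployment, not only before the first account exists as the accompanying test's docstring describes. If any setup route creates or modifies the initial account or configuration, enforce_auth now relies entirely on that route refusing once setup is complete; that guard is not visible here, so either gate the exemption on whatever setup-complete state the setup blueprint tracks, or record the contract next to the check: `# /api/setup/* is open to anonymous callers; every handler there must itself refuse once setup has completed`. Splitting the setup branch out of the compound condition into its own `if path.startswith('/api/setup/'):` would let it carry that comment and a future guard without widening the auth namespace line further. enforce_auth starts before this hunk and continues after it.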
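Review bot: `assert r.status_code != 401` also passes when `/api/setup/status` answers 404 or 500, so a typo in the exempted prefix or a missing route would not fail this test; asserting the success status, `assert r.status_code == 200`, or at least `assert r.status_code not in (401, 404)`, actually pins the exemption. The suite also gains no negative case for the new bypass: a companion test that a mutating setup route is rejected once an account exists would document the intended lifetime of the exemption, assuming the app exposes such a route and a fixture with an existing account. The added function is complete within the hunk.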