diff --git a/modules/auth/csrf.py b/modules/auth/csrf.py
index 40e33961..0266db3e 100644
--- a/modules/auth/csrf.py
+++ b/modules/auth/csrf.py
@@ -28,6 +28,7 @@ class CSRFMiddleware(BaseHTTPMiddleware):
 "/api/google/login",
 "/api/msft/callback",
 "/api/google/callback",
+ "/api/billing/webhook/stripe", # Stripe webhook (auth via Stripe-Signature)
 }
 # Path prefixes exempt from CSRF (for service-to-service callbacks)
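Review bot: The new exempt entry `"/api/billing/webhook/stripe"` removes the CSRF check for that path, and the only thing in this hunk saying what replaces it is the trailing comment; the signature verification itself lives in a handler this diff does not show, so the two can drift apart unnoticed. The exemption is only safe if that handler verifies `Stripe-Signature` over the raw request bytes (for example via `stripe.Webhook.construct_event`), rejects the request when the webhook signing secret is unset instead of skipping the check, and never acts on ambient session cookies. I would state that contract at the entry, e.g. `# CSRF-exempt: Stripe cannot send a token; the handler MUST reject requests whose Stripe-Signature fails verification`. A regression test that an unsigned POST to this path is refused would also pin it. The set literal and the enclosing class start outside the hunk, so how these paths are matched (exact versus normalised or trailing-slash variants) cannot be confirmed from here.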