diff --git a/backend/main.py b/backend/main.py
index 350976bd..ba962e75 100644
--- a/backend/main.py
+++ b/backend/main.py
@@ -70,7 +70,7 @@ async def lifespan(app: FastAPI) -> AsyncGenerator[None, None]:
         CustomCSRFMiddleware,
         cookie_name="romm_csrftoken",
         secret=ROMM_AUTH_SECRET_KEY,
-        exempt_urls=[re.compile(r"^/token.*"), re.compile(r"^/ws")],
+        exempt_urls=[re.compile(r"^/api/token.*"), re.compile(r"^/ws")],
     )
 
 # Handles both basic and oauth authentication