diff --git a/app.py b/app.py
index 80c47d2..2dfb167 100644
--- a/app.py
+++ b/app.py
@@ -278,9 +278,13 @@ def get_sdr_device_status() -> dict[int, str]:
 # ============================================
 
 @app.before_request
-def require_login():
-    # Routes that don't require login (to avoid infinite redirect loop)
-    allowed_routes = ['login', 'static', 'favicon', 'health', 'health_check']
+def require_login():
+    # Routes that don't require login (to avoid infinite redirect loop)
+    allowed_routes = ['login', 'static', 'favicon', 'health', 'health_check']
+
+    # Allow audio streaming endpoints without session auth
+    if request.path.startswith('/listening/audio/'):
+        return None
 
     # Controller API endpoints use API key auth, not session auth
     # Allow agent push/pull endpoints without session login