diff --git a/backend/app/middlewares/tenant.go b/backend/app/middlewares/tenant.go
index dde4c1b..f4d8a98 100644
--- a/backend/app/middlewares/tenant.go
+++ b/backend/app/middlewares/tenant.go
@@ -6,10 +6,39 @@ import (
 	"quyun/v2/database/models"
 	"quyun/v2/pkg/consts"
 	"quyun/v2/providers/jwt"
+	"strings"
 
 	"github.com/gofiber/fiber/v3"
 )
 
+func shouldSkipTenantJWTAuth(path string) bool {
+	// Public read endpoints allow anonymous access (optional JWT).
+	if strings.Contains(path, "/v1/public/") {
+		return true
+	}
+	// Media play is token-based, no JWT required.
+	if strings.Contains(path, "/v1/media/play") {
+		return true
+	}
+	return false
+}
+
+func shouldSkipTenantRequireMember(path string) bool {
+	// Public read endpoints allow anonymous access.
+	if strings.Contains(path, "/v1/public/") {
+		return true
+	}
+	// Join endpoints require JWT but not tenant membership.
+	if strings.Contains(path, "/v1/join/") {
+		return true
+	}
+	// Media play is token-based, no JWT required.
+	if strings.Contains(path, "/v1/media/play") {
+		return true
+	}
+	return false
+}
+
 func (f *Middlewares) TenantResolve(c fiber.Ctx) error {
 	tenantCode := c.Params("tenantCode")
 	if tenantCode == "" {
@@ -32,6 +61,11 @@ func (f *Middlewares) TenantResolve(c fiber.Ctx) error {
 }
 
 func (f *Middlewares) TenantAuth(c fiber.Ctx) error {
+	if shouldSkipTenantJWTAuth(c.Path()) {
+		f.log.Debug("middlewares.tenant.auth.skipped")
+		return c.Next()
+	}
+
 	authHeader := c.Get(jwt.HttpHeader)
 	if authHeader == "" {
 		f.log.Info("middlewares.tenant.auth.missing_token")
@@ -98,6 +132,11 @@ func (f *Middlewares) TenantOptionalAuth(c fiber.Ctx) error {
 }
 
 func (f *Middlewares) TenantRequireMember(c fiber.Ctx) error {
+	if shouldSkipTenantRequireMember(c.Path()) {
+		f.log.Debug("middlewares.tenant.require_member.skipped")
+		return c.Next()
+	}
+
 	tenantModel, ok := c.Locals(consts.CtxKeyTenant).(*models.Tenant)
 	if !ok || tenantModel == nil {
 		f.log.Error("middlewares.tenant.require_member.missing_tenant_context")