diff --git a/backend/app/http/v1/auth/routes.manual.go b/backend/app/http/v1/auth/routes.manual.go
index 2117250..75ccfac 100644
--- a/backend/app/http/v1/auth/routes.manual.go
+++ b/backend/app/http/v1/auth/routes.manual.go
@@ -1,9 +1,11 @@
 package auth
 
 func (r *Routes) Path() string {
-	return "/v1/auth"
+	return "/t/:tenantCode/v1/auth"
 }
 
 func (r *Routes) Middlewares() []any {
-	return []any{}
+	return []any{
+		r.middlewares.TenantResolver,
+	}
 }
diff --git a/docs/todo_list.md b/docs/todo_list.md
index 2067fbe..9a22cc9 100644
--- a/docs/todo_list.md
+++ b/docs/todo_list.md
@@ -199,6 +199,7 @@
 - 运营统计报表（overview + CSV 导出基础版）。
 - 超管后台治理能力（健康度/异常监控/内容审核）。
 - 性能优化（避免 N+1：topics 聚合批量查询）。
+- 多租户强隔离（/t/:tenantCode/v1 + TenantResolver）。
 
 ## 里程碑建议
 - M1：完成 P0
diff --git a/frontend/portal/src/utils/request.js b/frontend/portal/src/utils/request.js
index 736e217..1564cac 100644
--- a/frontend/portal/src/utils/request.js
+++ b/frontend/portal/src/utils/request.js
@@ -3,7 +3,10 @@ import { getTenantCode } from './tenant';
 
 export async function request(endpoint, options = {}) {
     const tenantCode = getTenantCode();
-    const baseUrl = tenantCode ? `/t/${tenantCode}/v1` : '/v1';
+    if (!tenantCode) {
+        throw new Error('Tenant code missing in URL');
+    }
+    const baseUrl = `/t/${tenantCode}/v1`;
     const token = localStorage.getItem('token');
     
     const headers = {
@@ -42,7 +45,7 @@ export async function request(endpoint, options = {}) {
             if (res.status === 401) {
                 localStorage.removeItem('token');
                 localStorage.removeItem('user');
-                const loginPath = tenantCode ? `/t/${tenantCode}/auth/login` : '/auth/login';
+                const loginPath = `/t/${tenantCode}/auth/login`;
                 // Redirect to login if not already there
                 if (!window.location.pathname.includes('/auth/login')) {
                     window.location.href = loginPath;