diff --git a/backend/src/auth/middleware.ts b/backend/src/auth/middleware.ts
index 4df7ff64..15e82d53 100755
--- a/backend/src/auth/middleware.ts
+++ b/backend/src/auth/middleware.ts
@@ -29,6 +29,11 @@ const TRUSTED_ORIGINS = [
   'http://localhost:5173',
 ];
 
+// Pattern-based trusted origins (wildcards)
+const TRUSTED_ORIGIN_PATTERNS = [
+  /^https:\/\/.*\.cannabrands\.app$/, // *.cannabrands.app
+];
+
 // Trusted IPs for internal pod-to-pod communication
 const TRUSTED_IPS = [
   '127.0.0.1',
@@ -42,8 +47,16 @@ const TRUSTED_IPS = [
 function isTrustedRequest(req: Request): boolean {
   // Check origin header
   const origin = req.headers.origin;
-  if (origin && TRUSTED_ORIGINS.includes(origin)) {
-    return true;
+  if (origin) {
+    if (TRUSTED_ORIGINS.includes(origin)) {
+      return true;
+    }
+    // Check pattern-based origins (wildcards like *.cannabrands.app)
+    for (const pattern of TRUSTED_ORIGIN_PATTERNS) {
+      if (pattern.test(origin)) {
+        return true;
+      }
+    }
   }
 
   // Check referer header (for same-origin requests without CORS)
@@ -54,6 +67,18 @@ function isTrustedRequest(req: Request): boolean {
         return true;
       }
     }
+    // Check pattern-based referers
+    try {
+      const refererUrl = new URL(referer);
+      const refererOrigin = refererUrl.origin;
+      for (const pattern of TRUSTED_ORIGIN_PATTERNS) {
+        if (pattern.test(refererOrigin)) {
+          return true;
+        }
+      }
+    } catch {
+      // Invalid referer URL, skip
+    }
   }
 
   // Check IP for internal requests (pod-to-pod, localhost)
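Review bot: The `.*` in `/^https:\/\/.*\.cannabrands\.app$/` accepts any characters before the suffix, not just hostname labels, so the pattern is host-shaped only because browsers happen to send well-formed Origin values; tightening it to `/^https:\/\/[a-z0-9-]+(\.[a-z0-9-]+)*\.cannabrands\.app$/` states the intent and is no harder to read. The wildcard also extends trust to every present and future subdomain of cannabrands.app, so a dangling DNS record or any subdomain serving user-controlled content would inherit it — presumably acceptable here, but worth recording next to the constant, e.g. `// NOTE: every *.cannabrands.app subdomain is trusted; keep this to hosts the team fully controls`. The apex `https://cannabrands.app` itself does not match (a leading label plus dot is required), which looks intentional but should be confirmed.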
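Review bot: A matching Origin header here is something any non-browser client can forge, since only browsers set the header reliably; if the result of `isTrustedRequest` (whose body continues past this hunk) is used for anything beyond CSRF-style same-site gating, that limit belongs in a comment at the top of the function, e.g. `// Origin/Referer are browser-enforced only: a trusted result is not authentication`. As a point of style, the added loop over `TRUSTED_ORIGIN_PATTERNS` reads more directly as `if (TRUSTED_ORIGIN_PATTERNS.some((pattern) => pattern.test(origin))) return true;`, which also makes the intent (any pattern matches) explicit without the nested `if`.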
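Review bot: The pattern branch normalizes the Referer through `new URL(referer).origin`, while the exact-match loop directly above it (that loop starts before this hunk, so its comparison is not visible here) appears to test the raw Referer string; if that comparison is a prefix match, a Referer such as `http://localhost:5173.attacker.example/` would pass the exact list even though the stricter normalized comparison is applied only to the wildcard list. Parsing once — `const refererOrigin = new URL(referer).origin;` — and then checking `TRUSTED_ORIGINS.includes(refererOrigin)` followed by the pattern test keeps both lists under the same rule, and since the same pattern loop now appears twice in this function, a helper `function matchesTrustedOriginPattern(origin: string): boolean { return TRUSTED_ORIGIN_PATTERNS.some((pattern) => pattern.test(origin)); }` could serve both branches. The empty `catch` is a reasonable deny-by-default, but its comment should say that explicitly: `// Unparseable Referer: treat as untrusted and fall through to the IP check`.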