diff --git a/internal/router/bot_routes.go b/internal/router/bot_routes.go
index 40d7b1377d..f68fdf7e01 100644
--- a/internal/router/bot_routes.go
+++ b/internal/router/bot_routes.go
@@ -28,16 +28,14 @@ import (
 //	@manager.route("/chatbots/<dialog_id>/completions")   bot_api.py:55
 //	@manager.route("/chatbots/<dialog_id>/info")          bot_api.py:126
 //
-// Both routes use BetaAuthMiddleware as a group-level middleware.
 // The two bot route groups (chatbots + agentbots) cannot share a
 // registrar because each carries a different <param_name>
 // (dialog_id vs agent_id) and would otherwise register paths under
 // the wrong group.
-func RegisterChatbotRoutes(g *gin.RouterGroup, mw gin.HandlerFunc, h *handler.BotHandler) {
+func RegisterChatbotRoutes(g *gin.RouterGroup, h *handler.BotHandler) {
 	if g == nil || h == nil {
 		return
 	}
-	g.Use(mw)
 	g.POST("/:dialog_id/completions", h.ChatbotCompletion)
 	g.GET("/:dialog_id/info", h.ChatbotInfo)
 }
@@ -47,11 +45,10 @@ func RegisterChatbotRoutes(g *gin.RouterGroup, mw gin.HandlerFunc, h *handler.Bo
 //
 //	@manager.route("/agentbots/<agent_id>/completions")   bot_api.py:157
 //	@manager.route("/agentbots/<agent_id>/inputs")        bot_api.py:239
-func RegisterAgentbotRoutes(g *gin.RouterGroup, mw gin.HandlerFunc, h *handler.BotHandler) {
+func RegisterAgentbotRoutes(g *gin.RouterGroup, h *handler.BotHandler) {
 	if g == nil || h == nil {
 		return
 	}
-	g.Use(mw)
 	g.POST("/:agent_id/completions", h.AgentbotCompletion)
 	g.GET("/:agent_id/inputs", h.AgentbotInputs)
 }
diff --git a/internal/router/router.go b/internal/router/router.go
index f14caeac83..a90c229f7a 100644
--- a/internal/router/router.go
+++ b/internal/router/router.go
@@ -186,19 +186,23 @@ func (r *Router) Setup(engine *gin.Engine) {
 		apiNoAuth.POST("/auth/password/forgot/otp", r.userHandler.ForgotSendOTP)
 		apiNoAuth.POST("/auth/password/forgot/otp/verify", r.userHandler.ForgotVerifyOTP)
 		apiNoAuth.POST("/auth/password/reset", r.userHandler.ForgotResetPassword)
+	}
+
+	// Beta-token routes. Mirrors python's
+	// @login_required(auth_types=AUTH_BETA) on bot_api.py bot endpoints.
+	apiBetaAuth := engine.Group("/api/v1")
+	apiBetaAuth.Use(r.authHandler.BetaAuthMiddleware())
+	{
+		searchbotGroup := apiBetaAuth.Group("/searchbots")
+		searchbotGroup.POST("/related_questions", r.searchBotHandler.Handle)
+		searchbotGroup.POST("/retrieval_test", r.searchBotHandler.RetrievalTest)
+		searchbotGroup.POST("/ask", r.searchBotHandler.Ask)
 
-		// Public bot endpoints — beta API token only, NOT regular
-		// user session. Mirrors python's
-		// @login_required(auth_types=AUTH_BETA) on bot_api.py:55,126,157,239.
-		// Mounted on apiNoAuth (not on the auth-protected v1 tree) so
-		// external widgets / iframes / downloads can hit them with
-		// only a beta token. Risk R0 of the plan.
 		if r.botHandler != nil {
-			betaMW := r.authHandler.BetaAuthMiddleware()
-			chatbotGroup := apiNoAuth.Group("/chatbots")
-			RegisterChatbotRoutes(chatbotGroup, betaMW, r.botHandler)
-			agentbotGroup := apiNoAuth.Group("/agentbots")
-			RegisterAgentbotRoutes(agentbotGroup, betaMW, r.botHandler)
+			chatbotGroup := apiBetaAuth.Group("/chatbots")
+			RegisterChatbotRoutes(chatbotGroup, r.botHandler)
+			agentbotGroup := apiBetaAuth.Group("/agentbots")
+			RegisterAgentbotRoutes(agentbotGroup, r.botHandler)
 		}
 	}
 
@@ -289,11 +293,6 @@ func (r *Router) Setup(engine *gin.Engine) {
 				openai.POST("/:chat_id/chat/completions", r.openaiChatHandler.OpenAIChatCompletions)
 			}
 
-			// Searchbot routes
-			v1.POST("/searchbots/related_questions", r.searchBotHandler.Handle)
-			v1.POST("/searchbots/retrieval_test", r.searchBotHandler.RetrievalTest)
-			v1.POST("/searchbots/ask", r.searchBotHandler.Ask)
-
 			// Dataset routes
 			datasets := v1.Group("/datasets")
 			{