diff --git a/navi/api/routes/auth.py b/navi/api/routes/auth.py
index b2597cf..25a87b9 100644
--- a/navi/api/routes/auth.py
+++ b/navi/api/routes/auth.py
@@ -28,9 +28,16 @@
 return f"{base}/auth/callback"
+def _auth_configured() -> bool:
+ return bool(settings.gnexus_auth_client_id and settings.gnexus_auth_client_secret)
+
+
 @router.get("/login")
 async def auth_login(request: Request) -> Response:
 """Redirect to gnexus-auth OAuth authorization endpoint."""
+ if not _auth_configured():
+ raise HTTPException(status_code=503, detail="OAuth is not configured. Set GNAUTH_CLIENT_ID and GNAUTH_CLIENT_SECRET in .env")
+
 redirect_uri = _get_redirect_uri(request)
 client = get_gauth_client(redirect_uri=redirect_uri)
@@ -46,6 +53,9 @@
 @router.get("/callback")
 async def auth_callback(code: str, state: str, request: Request) -> Response:
 """Handle OAuth callback from gnexus-auth."""
+ if not _auth_configured():
+ raise HTTPException(status_code=503, detail="OAuth is not configured. Set GNAUTH_CLIENT_ID and GNAUTH_CLIENT_SECRET in .env")
+
 redirect_uri = _get_redirect_uri(request)
 client = get_gauth_client(redirect_uri=redirect_uri)
 encryptor = get_encryptor()
diff --git a/navi/api/routes/webhooks.py b/navi/api/routes/webhooks.py
index 65d06f0..e1fee03 100644
--- a/navi/api/routes/webhooks.py
+++ b/navi/api/routes/webhooks.py
@@ -21,6 +21,10 @@
 - session.revoked → invalidate matching session
 - client.roles_changed / client.permissions_changed → update user role/permissions
 """
+ from navi.config import settings
+ if not settings.gnexus_auth_client_id or not settings.gnexus_auth_client_secret:
+ raise HTTPException(status_code=503, detail="OAuth is not configured")
+
 raw_body = await request.body()
 body_text = raw_body.decode("utf-8")
diff --git a/navi/auth/deps.py b/navi/auth/deps.py
index 742e38f..4b05412 100644
--- a/navi/auth/deps.py
+++ b/navi/auth/deps.py
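Review bot: The 503 `detail` raised at the top of `auth_login` (and repeated verbatim in `auth_callback` in the next hunk) is returned to any unauthenticated caller, so it tells outsiders that the deployment has no OAuth credentials and how its `.env` is laid out. Log the operator hint server-side and return a neutral body instead, e.g. `raise HTTPException(status_code=503, detail="Authentication is temporarily unavailable")`. The names in the message, `GNAUTH_CLIENT_ID` / `GNAUTH_CLIENT_SECRET`, also do not obviously correspond to the settings fields `gnexus_auth_client_id` / `gnexus_auth_client_secret`; unless the settings class aliases them, the hint points operators at the wrong keys. `_auth_configured()` would benefit from a one-line docstring such as `"""Return True when both gnexus-auth client credentials are set."""`.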
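Review bot: The guard added to the webhook handler re-implements the `_auth_configured()` predicate from navi/api/routes/auth.py inline, behind a function-scope `from navi.config import settings`, and the navi/auth/deps.py hunk carries a third copy; a security-relevant check kept in three places can drift apart. Move the predicate next to the settings (or into a shared auth module) and call it from all three sites, with the import at module level unless a circular import forces it to be local. The guard looks only at the OAuth client credentials; if the handler authenticates deliveries with a separate webhook secret (not visible in this hunk), confirm that verification still fails closed when that secret is unset. The handler's body continues outside the hunk.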
@@ -25,6 +25,10 @@
 if hasattr(conn.state, "user") and conn.state.user is not None:
 return conn.state.user
+ # Auth not configured — treat as anonymous
+ if not settings.gnexus_auth_client_id or not settings.gnexus_auth_client_secret:
+ return None
+
 cookie_name = settings.navi_auth_cookie_name
 session_id = conn.cookies.get(cookie_name)
 if not session_id:
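Review bot: The early `return None` when the client credentials are missing makes a misconfigured deployment indistinguishable from an ordinary unauthenticated request, and nothing is logged when it happens. If a secret is dropped from the environment in production, every existing session cookie is silently ignored from this point on, and the outcome depends on how callers treat `None`. Confirm that every dependency built on this function rejects `None` for protected routes rather than reading it as "auth disabled, allow", and say so in the comment, e.g. `# Auth not configured: no session lookup; protected routes must still reject None`. A single warning at startup when the credentials are absent would make the state visible to operators. The enclosing function starts and ends outside the hunk.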