diff --git a/src/Modules/TeamUp.Modules.Identity/IdentityModule.cs b/src/Modules/TeamUp.Modules.Identity/IdentityModule.cs
index 3f098b0..87372dc 100644
--- a/src/Modules/TeamUp.Modules.Identity/IdentityModule.cs
+++ b/src/Modules/TeamUp.Modules.Identity/IdentityModule.cs
@@ -43,6 +43,17 @@ public sealed class IdentityModule : IModule
         services.Configure<JwtOptions>(configuration.GetSection(JwtOptions.SectionName));
         var jwt = configuration.GetSection(JwtOptions.SectionName).Get<JwtOptions>() ?? new JwtOptions();
 
+        // The HTTP auth stack is web-host-only: AddAuthorization's policy cache requires
+        // endpoint routing (EndpointDataSource), which a Generic Host worker doesn't have —
+        // and the worker never authenticates requests anyway.
+        if (services.Any(d => d.ServiceType == typeof(Microsoft.AspNetCore.Hosting.IWebHostEnvironment)))
+        {
+            AddHttpAuth(services, jwt);
+        }
+    }
+
+    private static void AddHttpAuth(IServiceCollection services, JwtOptions jwt)
+    {
         services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
             .AddJwtBearer(options =>
             {