diff --git a/backend/WorkClub.Api/Middleware/TenantValidationMiddleware.cs b/backend/WorkClub.Api/Middleware/TenantValidationMiddleware.cs
index 0740b22..3a90ccb 100644
--- a/backend/WorkClub.Api/Middleware/TenantValidationMiddleware.cs
+++ b/backend/WorkClub.Api/Middleware/TenantValidationMiddleware.cs
@@ -22,14 +22,15 @@ public class TenantValidationMiddleware
 return;
 }
- // Exempt bootstrap and admin endpoints from tenant validation
- if (context.Request.Path.StartsWithSegments("/api/clubs/me") ||
- context.Request.Path.StartsWithSegments("/api/admin"))
- {
- _logger.LogInformation("TenantValidationMiddleware: Exempting {Path} from tenant validation", context.Request.Path);
- await _next(context);
- return;
- }
+ // Exempt bootstrap, admin, and debug endpoints from tenant validation
+ if (context.Request.Path.StartsWithSegments("/api/clubs/me") ||
+ context.Request.Path.StartsWithSegments("/api/admin") ||
+ context.Request.Path.StartsWithSegments("/api/debug"))
+ {
+ _logger.LogInformation("TenantValidationMiddleware: Exempting {Path} from tenant validation", context.Request.Path);
+ await _next(context);
+ return;
+ }
 if (!context.Request.Headers.TryGetValue("X-Tenant-Id", out var tenantIdHeader) ||
 string.IsNullOrWhiteSpace(tenantIdHeader))
diff --git a/backend/WorkClub.Api/Program.cs b/backend/WorkClub.Api/Program.cs
index 3986432..08f1f55 100644
--- a/backend/WorkClub.Api/Program.cs
+++ b/backend/WorkClub.Api/Program.cs
@@ -31,6 +31,18 @@ builder.Services.AddScoped();
 builder.Services.AddScoped();
 builder.Services.AddSingleton();
+// Add CORS to allow frontend requests
+builder.Services.AddCors(options =>
+{
+ options.AddPolicy("AllowFrontend", policy =>
+ {
+ policy.WithOrigins("http://localhost:3000")
+ .AllowAnyHeader()
+ .AllowAnyMethod()
+ .AllowCredentials();
+ });
+});
+
 builder.Services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
 .AddJwtBearer(options =>
 {
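Review bot: The added `/api/debug` clause in TenantValidationMiddleware exempts the whole path prefix from the X-Tenant-Id check in every environment, so any endpoint later mapped under `/api/debug` skips tenant validation in production as well. If these routes are meant for local troubleshooting only, condition the clause on the environment, e.g. `(_env.IsDevelopment() && context.Request.Path.StartsWithSegments("/api/debug"))` with an injected `IWebHostEnvironment` field, or map the debug routes only in Development. The comment above the condition should also say why each exempted prefix is safe without a tenant, because this list acts as an allowlist for skipping tenant isolation. The enclosing method starts and ends outside the hunk, so what happens to an exempted request downstream is not visible here.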
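Review bot: The `AllowFrontend` policy in Program.cs hard-codes `http://localhost:3000` and combines `AllowCredentials()` with `AllowAnyHeader()` and `AllowAnyMethod()`, so the origin can only be changed by editing code and the credentialed policy is as broad as it can be for that origin. Read the origins from configuration and keep them an explicit list, e.g. `policy.WithOrigins(builder.Configuration.GetSection("Cors:AllowedOrigins").Get<string[]>() ?? Array.Empty<string>())` (the key name is a placeholder). Authentication in this file appears to be JWT bearer, so `AllowCredentials()` is probably unnecessary unless the frontend sends cookies. Dropping it and narrowing to `.WithHeaders("Authorization", "Content-Type", "X-Tenant-Id")` would limit what a cross-origin page can send.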
@@ -111,6 +123,8 @@ if (app.Environment.IsDevelopment())
 app.UseHttpsRedirection();
+app.UseCors("AllowFrontend");
+
 app.UseAuthentication();
 app.UseAuthorization();
 app.UseMiddleware();
@@ -161,7 +175,12 @@ app.MapGet("/api/debug/claims", (HttpContext context) =>
 hasAuthHeader = !string.IsNullOrEmpty(authHeader),
 authHeaderPrefix = authHeader?.Substring(0, Math.Min(20, authHeader?.Length ?? 0))
 });
-}).RequireAuthorization();
+}).RequireAuthorization()
+ .AddEndpointFilter(async (context, next) =>
+ {
+ // Skip tenant validation for debug endpoint
+ return await next(context);
+ });
 app.MapTaskEndpoints();
 app.MapShiftEndpoints();
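Review bot: The endpoint filter added to `/api/debug/claims` only calls `next(context)`, so it has no effect, and its comment is misleading. Endpoint filters run after the middleware pipeline, and the tenant check is actually skipped by the path exemption in TenantValidationMiddleware. Restore `}).RequireAuthorization();` and drop the filter, or at least replace the comment with `// Tenant validation for /api/debug is bypassed in TenantValidationMiddleware`. The endpoint also returns `authHeaderPrefix`, the first 20 characters of the Authorization header, so it would be safer to map it only when `app.Environment.IsDevelopment()` is true; whether it already sits in such a block cannot be seen from this hunk. The MapGet lambda begins outside the hunk.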