diff --git a/server/middleware/01.csrf.js b/server/middleware/01.csrf.js
index 3f3e841..b479c6e 100644
--- a/server/middleware/01.csrf.js
+++ b/server/middleware/01.csrf.js
@@ -2,11 +2,13 @@ import crypto from 'crypto'
 const SAFE_METHODS = new Set(['GET', 'HEAD', 'OPTIONS'])
-// Routes exempt from CSRF (external webhooks, magic link verify)
+// Routes exempt from CSRF (external webhooks, magic link verify, machine-to-
+// machine internal endpoints with their own shared-secret auth)
 const EXEMPT_PREFIXES = [
   '/api/helcim/webhook',
   '/api/slack/webhook',
   '/api/auth/verify',
+  '/api/internal/',
   '/oidc/',
 ]
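Review bot: The new `'/api/internal/'` entry exempts every route under that prefix from CSRF unconditionally, while the justification written into the comment above it (shared-secret auth) is something this middleware never verifies; any handler mounted under `/api/internal/` that forgets or mis-checks the secret becomes reachable cross-site with the browser's session cookies, and the prefix match (presumably in the check that consumes `EXEMPT_PREFIXES`, outside this hunk) widens that to future routes added there. A safer shape is to skip CSRF for these requests only when they actually carry the machine-to-machine credential rather than by path alone, e.g. `if (event.path.startsWith('/api/internal/') && !getHeader(event, '<SHARED_SECRET_HEADER>')) { /* fall through to the normal CSRF check */ }` with the header name taken from the internal auth code. If the path-only exemption is kept, record the invariant next to the entry, `// every /api/internal/ handler MUST validate the shared secret itself; CSRF is not enforced here`, and cover it with a test asserting that a cookie-bearing POST to an `/api/internal/` route without the secret is rejected.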