diff --git a/src/index.js b/src/index.js
--- a/src/index.js
+++ b/src/index.js
@@ -1,9 +1,8 @@
 import fs from "node:fs";
 import path from "node:path";
 import express from "express";
-import cookieParser from "cookie-parser";
 import cors from "cors";
 import sql from "./db/index.js";
 import healthRouter from "./routes/health.js";
 import { authJwt } from "./middleware/authJwt.js";
@@ -64,7 +63,7 @@
 // ✅ อยู่หลัง NPM/Reverse proxy → ให้ trust proxy เพื่อให้ cookie secure / proto ทำงานถูก
 app.set("trust proxy", 1);
-// CORS แบบกำหนด origin ตามรายการที่อนุญาต + อนุญาต credentials (จำเป็นสำหรับ cookie)
+// ✅ CORS สำหรับ Bearer token: ไม่ต้องใช้ credentials (ไม่มีคุกกี้)
 app.use(
   cors({
     origin(origin, cb) {
       if (!origin) return cb(null, true); // server-to-server / curl
       return cb(null, ALLOW_ORIGINS.includes(origin));
     },
-    credentials: true,
+    credentials: false,
     methods: ["GET", "POST", "PUT", "PATCH", "DELETE", "OPTIONS"],
-    allowedHeaders: ["Content-Type", "Authorization", "X-Requested-With"],
+    allowedHeaders: [
+      "Content-Type",
+      "Authorization",
+      "X-Requested-With",
+      "Accept",
+      "Origin",
+      "Referer",
+      "User-Agent",
+      "Cache-Control",
+      "Pragma"
+    ],
     exposedHeaders: ["Content-Disposition", "Content-Length"],
   })
 );
 // preflight
 app.options(
   "*",
   cors({
     origin(origin, cb) {
       if (!origin) return cb(null, true);
       return cb(null, ALLOW_ORIGINS.includes(origin));
     },
-    credentials: true,
+    credentials: false,
   })
 );
-app.use(cookieParser());
+// ❌ ไม่ต้อง parse cookie แล้ว (เราไม่ใช้คุกกี้สำหรับ auth)
+// app.use(cookieParser());
 // Payload limits
 app.use(express.json({ limit: "10mb" }));
 app.use(express.urlencoded({ extended: true, limit: "10mb" }));
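Review bot: The `app.options("*", cors({...}))` block now carries a second, divergent copy of the CORS policy — it has no `methods`, `allowedHeaders` or `exposedHeaders`, so it already disagrees with the `app.use(cors({...}))` above and the two will keep drifting; factor the options into one `corsOptions` object used by both calls (and note that `cors()` with its default `preflightContinue: false` already answers OPTIONS in the first middleware, so the second handler looks unreachable as written). The new `allowedHeaders` entries `Origin`, `Referer` and `User-Agent` are browser-controlled forbidden request headers that page scripts cannot set, so listing them in `Access-Control-Allow-Headers` is noise and can be dropped. The commented-out `// app.use(cookieParser());` should be deleted outright rather than kept as dead code, and the unchanged context comment above `app.set("trust proxy", 1)` still justifies it with "cookie secure", which no longer applies — `trust proxy` is still wanted for `req.protocol`/`req.ip` behind the reverse proxy, so reword it to say that. Moving auth to Bearer tokens with `credentials: false` also moves the token into script-accessible storage on the client, so an XSS now yields the token directly; that trade-off deserves a sentence in the comment that replaces the cookie rationale.
```javascript
// One CORS policy, shared by the middleware and the explicit preflight handler.
const corsOptions = {
  // … unchanged: origin(origin, cb) allow-list callback …
  credentials: false,
  methods: ["GET", "POST", "PUT", "PATCH", "DELETE", "OPTIONS"],
  allowedHeaders: ["Content-Type", "Authorization", "X-Requested-With", "Accept", "Cache-Control", "Pragma"],
  exposedHeaders: ["Content-Disposition", "Content-Length"],
};
app.use(cors(corsOptions));
app.options("*", cors(corsOptions));
```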