diff --git a/cloudflared-config.yml b/cloudflared-config.yml
index d0d13a4ba..593d08729 100644
--- a/cloudflared-config.yml
+++ b/cloudflared-config.yml
@@ -125,10 +125,17 @@ ingress:
     service: http://localhost:5000
 
   # ============================================
-  # Auth Service (Hono/Bun)
+  # Auth (Split: Portal-UI :3042, API :3001)
   # ============================================
+  # /api/* geht direkt an mana-auth (Hono/Bun, JWT-Ausstellung, Better Auth).
+  # Alles andere (Login, Register, Reset, Verify-Email) → mana-auth-web (SvelteKit).
+  # mana-auth-web läuft auf Host-Port 3042 (3002 belegt durch legacy mana-credits).
+  # Reihenfolge zählt: spezifischere Pfad-Regeln zuerst.
   - hostname: auth.mana.how
+    path: /api/.*
     service: http://localhost:3001
+  - hostname: auth.mana.how
+    service: http://localhost:3042
 
   # ============================================
   # Unified Backend API (Hono/Bun, port 3060)
diff --git a/scripts/validate-cloudflared-config.mjs b/scripts/validate-cloudflared-config.mjs
index fb293bfa6..26864c6f2 100755
--- a/scripts/validate-cloudflared-config.mjs
+++ b/scripts/validate-cloudflared-config.mjs
@@ -131,11 +131,15 @@ if (!Array.isArray(ingress)) {
 				err(
 					`${where}: hostname "${r.hostname}" looks invalid (lowercase, dot-separated, no spaces)`
 				);
-			} else if (seen.has(r.hostname)) {
-				err(
-					`${where}: duplicate hostname "${r.hostname}" (also at ingress[${seen.get(r.hostname)}])`
-				);
-			} else {
+			} else if (seen.has(r.hostname) && !r.path) {
+				// Duplicate hostnames are allowed when the earlier rule uses a `path:`
+				// matcher (path-based split routing, e.g. /api/* → backend, rest → UI).
+				// Only flag true duplicates: same hostname, neither rule has a path.
+				const prevIdx = seen.get(r.hostname);
+				if (!ingress[prevIdx].path) {
+					err(`${where}: duplicate hostname "${r.hostname}" (also at ingress[${prevIdx}])`);
+				}
+			} else if (!seen.has(r.hostname)) {
 				seen.set(r.hostname, i);
 			}
 		}