diff --git a/routes/session_routes.py b/routes/session_routes.py
index 049323c26..4dbacde0d 100644
--- a/routes/session_routes.py
+++ b/routes/session_routes.py
@@ -11,7 +11,7 @@ from core.session_manager import SessionManager
 from core.models import ChatMessage
 from src.request_models import SessionResponse
 from core.database import Session as DbSession, SessionLocal, Document, GalleryImage
-from src.auth_helpers import get_current_user, effective_user
+from src.auth_helpers import get_current_user, effective_user, _auth_disabled
 
 
 def _sanitize_export_filename(name: str) -> str:
@@ -106,8 +106,8 @@ def _verify_session_owner(request: Request, session_id: str, session_manager=Non
     that only care about persisted sessions keep their exact prior behavior.
     """
     user = effective_user(request)
-    if not user:
-        raise HTTPException(403, "Authentication required")
+    if not user and not _auth_disabled():
+        raise HTTPException(401, "Authentication required")
     db = SessionLocal()
     try:
         row = db.query(DbSession.owner).filter(DbSession.id == session_id).first()
diff --git a/src/auth_helpers.py b/src/auth_helpers.py
index 62060390d..afe46c74e 100644
--- a/src/auth_helpers.py
+++ b/src/auth_helpers.py
@@ -10,7 +10,7 @@ def get_current_user(request: Request) -> Optional[str]:
     return getattr(request.state, 'current_user', None)
 
 
-def effective_user(request: Request):
+def effective_user(request: Request) -> Optional[str]:
     """The real human behind the request, for ownership/attribution.
 
     Cookie sessions resolve to the logged-in username. Bearer ``ody_`` callers
diff --git a/tests/test_session_ghost_delete.py b/tests/test_session_ghost_delete.py
index f34c4a78b..20cea1c50 100644
--- a/tests/test_session_ghost_delete.py
+++ b/tests/test_session_ghost_delete.py
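Review bot: When `_auth_disabled()` is true and no user resolves, the new guard falls through with `user` still `None` into the `db.query(DbSession.owner)` lookup on the following lines, so whatever owner comparison comes next now runs against `None` instead of a username; that path should be an explicit early `return` (or its intended outcome spelled out in the docstring) so a reader can tell the disabled-auth case is deliberate and not a missed check. The 401 is the right status for a missing credential, but a 401 is expected to carry a challenge, so consider `raise HTTPException(401, "Authentication required", headers={"WWW-Authenticate": "Bearer"})` with whichever scheme matches the deployment's auth. Importing an underscore-prefixed `_auth_disabled` across modules also makes a private helper part of the routes module's contract; a public name would signal that it is relied on elsewhere. The body of `_verify_session_owner` continues outside the hunk, so the downstream effect of a `None` user is inferred, not visible.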
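Review bot: The new `Optional[str]` return on `effective_user` makes a `None` result part of the declared contract, but the docstring lines in the hunk describe only the cookie and bearer paths that resolve to a user; add a sentence such as `Returns ``None`` when the request carries no resolvable user.` so the case that `_verify_session_owner` branches on with `if not user` is stated where the type is declared. The docstring and body continue past the hunk, so it may already cover this further down; if so, this is moot.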
@@ -109,7 +109,7 @@ def test_unauthenticated_still_403(monkeypatch):
     sm = SimpleNamespace(sessions={"ghost": SimpleNamespace(owner=None)})
     with pytest.raises(HTTPException) as exc:
         SR._verify_session_owner(_req(api_token=False, current_user=None), "ghost", sm)
-    assert exc.value.status_code == 403
+    assert exc.value.status_code == 401
 
 
 # --- manager layer: delete_session clears memory-only ghosts ---------------
diff --git a/tests/test_session_owner_attribution.py b/tests/test_session_owner_attribution.py
index 85d5a1586..421bdea17 100644
--- a/tests/test_session_owner_attribution.py
+++ b/tests/test_session_owner_attribution.py
@@ -136,4 +136,4 @@ def test_unauthenticated_caller_rejected(monkeypatch):
     req = _req(api_token=False, current_user=None)
     with pytest.raises(HTTPException) as exc:
         SR._verify_session_owner(req, "sid")
-    assert exc.value.status_code == 403
+    assert exc.value.status_code == 401
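Review bot: The test is still named `test_unauthenticated_still_403` while its last line now asserts `== 401`, so a failure in this test would read as the opposite of what it checks; rename it to `def test_unauthenticated_still_401(monkeypatch):` (or `test_unauthenticated_rejected`). The `def` line is only visible in the hunk header, so the rename touches a line just outside the shown change.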
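Review bot: Neither updated test exercises the branch the commit adds in `_verify_session_owner`, where `_auth_disabled()` returns true and the unauthenticated request is let through, so the auth bypass ships with no coverage; add a sibling test that does `monkeypatch.setattr(SR, "_auth_disabled", lambda: True)` with the same `_req(api_token=False, current_user=None)` and asserts that no `HTTPException` with status 401 is raised. These two tests also now depend on `_auth_disabled()` being false in the test environment, so pin it with `monkeypatch.setattr(SR, "_auth_disabled", lambda: False)` before the `pytest.raises` block so the 401 assertion cannot flip under a developer's local auth-off configuration. What `_auth_disabled` actually reads is not visible in this diff, so the second point is inferred from its name and use.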