diff --git a/apps/api/src/__tests__/portal.test.ts b/apps/api/src/__tests__/portal.test.ts
index 3fed8ee..907d879 100644
--- a/apps/api/src/__tests__/portal.test.ts
+++ b/apps/api/src/__tests__/portal.test.ts
@@ -24,14 +24,6 @@ const EXPIRED_SESSION = {
   createdAt: new Date(),
 };
 
-const ENDED_SESSION = {
-  id: SESSION_ID,
-  clientId: CLIENT_ID,
-  status: "ended" as const,
-  expiresAt: futureDate(),
-  createdAt: new Date(),
-};
-
 const APPOINTMENT = {
   id: APPOINTMENT_ID,
   clientId: CLIENT_ID,
diff --git a/apps/api/src/index.ts b/apps/api/src/index.ts
index c940e0d..8de8e51 100644
--- a/apps/api/src/index.ts
+++ b/apps/api/src/index.ts
@@ -57,6 +57,9 @@ app.get("/api/branding", async (c) => {
   });
 });
 
+// Portal routes — no staff auth required, uses impersonation session for client auth
+app.route("/api/portal", portalRouter);
+
 // Protected API routes
 const api = app.basePath("/api");
 api.use("*", authMiddleware);
@@ -108,7 +111,6 @@ api.route("/clients", clientsRouter);
 api.route("/pets", petsRouter);
 api.route("/services", servicesRouter);
 api.route("/appointments", appointmentsRouter);
-api.route("/portal", portalRouter);
 api.route("/staff", staffRouter);
 api.route("/invoices", invoicesRouter);
 api.route("/reports", reportsRouter);
diff --git a/apps/api/src/routes/portal.ts b/apps/api/src/routes/portal.ts
index cd0f6ec..5c2b2f1 100644
--- a/apps/api/src/routes/portal.ts
+++ b/apps/api/src/routes/portal.ts
@@ -64,6 +64,10 @@ portalRouter.patch(
       .where(eq(appointments.id, id))
       .returning();
 
+    if (!updated) {
+      return c.json({ error: "Not found" }, 404);
+    }
+
     return c.json({
       id: updated.id,
       customerNotes: updated.customerNotes,