diff --git a/apps/api/src/index.ts b/apps/api/src/index.ts
index 50ad085..9e56c42 100644
--- a/apps/api/src/index.ts
+++ b/apps/api/src/index.ts
@@ -25,7 +25,6 @@ import { setupRouter } from "./routes/setup.js";
 import { getDb, businessSettings, eq, staff } from "@groombook/db";
 import { authMiddleware } from "./middleware/auth.js";
 import { resolveStaffMiddleware, requireRole, requireRoleOrSuperUser, requireSuperUser } from "./middleware/rbac.js";
-import { csrfMiddleware } from "./middleware/csrf.js";
 import { devRouter } from "./routes/dev.js";
 import { adminSeedRouter } from "./routes/admin/seed.js";
 import { startReminderScheduler } from "./services/reminders.js";
@@ -106,7 +105,6 @@ app.get("/api/auth/providers", async (c) => {
 const api = app.basePath("/api");
 api.use("*", authMiddleware);
 api.use("*", resolveStaffMiddleware);
-api.use("*", csrfMiddleware);
 
 // Better-Auth handler — mounted as sub-app to handle all /api/auth/* routes
 // authMiddleware and resolveStaffMiddleware both skip /api/auth/ paths
diff --git a/apps/api/src/middleware/csrf.ts b/apps/api/src/middleware/csrf.ts
deleted file mode 100644
index d270862..0000000
--- a/apps/api/src/middleware/csrf.ts
+++ /dev/null
@@ -1,18 +0,0 @@
-import type { MiddlewareHandler } from "hono";
-import type { AppEnv } from "./rbac.js";
-
-const CSRF_SAFE_METHODS = ["GET", "HEAD", "OPTIONS"];
-
-export const csrfMiddleware: MiddlewareHandler = async (c, next) => {
-  if (CSRF_SAFE_METHODS.includes(c.req.method)) {
-    await next();
-    return;
-  }
-
-  const csrfHeader = c.req.header("x-csrf-token");
-  if (!csrfHeader) {
-    return c.json({ error: "CSRF token required" }, 403);
-  }
-
-  await next();
-};
\ No newline at end of file
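Review bot: Dropping `api.use("*", csrfMiddleware);` in the second index.ts hunk leaves every POST/PUT/PATCH/DELETE route under `/api` (other than `/api/auth/*`, which the adjacent comment says the middlewares skip) with no cross-site request check, and the diff adds nothing in its place. The deleted middleware only tested for the presence of a custom `x-csrf-token` header, but that is a recognised defence: a custom header forces a CORS preflight on cross-origin requests, so a plain cross-site form post cannot reach the handler — if the session is cookie-based, that protection is now gone unless the cookies are `SameSite=Lax`/`Strict` or `authMiddleware` verifies `Origin`, neither of which is visible in this commit. At minimum the mount point should record what now covers it, e.g. `// No CSRF middleware on /api: state-changing routes rely on <mechanism> — see <issue/ADR>`. If nothing does, a small Origin/Sec-Fetch-Site check on unsafe methods is a cookie-only replacement that needs no client changes; the sketch below uses `ALLOWED_ORIGIN` as a placeholder for the app's configured front-end origin.
```typescript
api.use("*", resolveStaffMiddleware);
// Reject cross-site unsafe-method requests; browsers always send Origin on these,
// and Sec-Fetch-Site where supported. ALLOWED_ORIGIN: placeholder for the configured origin.
const UNSAFE_METHODS = new Set(["POST", "PUT", "PATCH", "DELETE"]);
api.use("*", async (c, next) => {
  if (!UNSAFE_METHODS.has(c.req.method)) return next();
  const site = c.req.header("sec-fetch-site");
  const origin = c.req.header("origin");
  const sameSite = site === "same-origin" || site === "none";
  if (!sameSite && origin !== ALLOWED_ORIGIN) {
    return c.json({ error: "cross-site request rejected" }, 403);
  }
  return next();
});
// … unchanged: Better-Auth sub-app mount …
```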