diff --git a/src/gateway/probe.test.ts b/src/gateway/probe.test.ts
index 4a2374e17cb..8af3c943b6a 100644
--- a/src/gateway/probe.test.ts
+++ b/src/gateway/probe.test.ts
@@ -71,6 +71,16 @@ describe("probeGateway", () => {
 expect(gatewayClientState.options?.deviceIdentity).toBeUndefined();
 });
 
+ it("keeps device identity enabled for authenticated loopback probes with empty auth object", async () => {
+ await probeGateway({
+ url: "ws://127.0.0.1:18789",
+ auth: {},
+ timeoutMs: 1_000,
+ });
+
+ expect(gatewayClientState.options?.deviceIdentity).toBeUndefined();
+ });
+
 it("keeps device identity disabled for unauthenticated loopback probes", async () => {
 await probeGateway({
 url: "ws://127.0.0.1:18789",
diff --git a/src/gateway/probe.ts b/src/gateway/probe.ts
index bbd36639b78..541fab4d92f 100644
--- a/src/gateway/probe.ts
+++ b/src/gateway/probe.ts
@@ -47,7 +47,7 @@ export async function probeGateway(opts: {
 const hostname = new URL(opts.url).hostname;
 // Local authenticated probes should stay device-bound so read/detail RPCs
 // are not scope-limited by the shared-auth scope stripping hardening.
- return isLoopbackHost(hostname) && !(opts.auth?.token || opts.auth?.password);
+ return isLoopbackHost(hostname) && opts.auth === undefined; // Preserves device identity for empty but present auth objects (e.g. {})
 } catch {
 return false;
 }
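Review bot: The assertion `expect(gatewayClientState.options?.deviceIdentity).toBeUndefined()` in the added case also passes when `gatewayClientState.options` was never populated, because the optional chain yields `undefined` either way, so the test cannot fail for the reason its title names. Placing `expect(gatewayClientState.options).toBeDefined();` before it would pin that the (presumably mocked) client actually received options. The title calls `auth: {}` an "authenticated" probe although no token or password is supplied; a name such as `"keeps device identity enabled when an empty auth object is passed"` describes the input. Sibling cases for `auth: { token: undefined }` and `auth: { token: "" }` would show where the boundary lies. The `describe` block starts and ends outside the hunk.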
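Review bot: The new condition `opts.auth === undefined` decides on whether an auth object was passed, not on whether it carries a credential, so `auth: {}`, `auth: { token: undefined }` and `auth: { token: "" }` are now all classed with authenticated probes although none of them authenticates anything. The removed expression was the only place in this hunk that looked at `token`/`password`; a caller that always builds `auth` from optional config fields would, as far as the hunk shows, never reach the unauthenticated loopback branch again. If an empty object really must keep device identity, the reason belongs in the block comment above the `return` rather than in a trailing comment, e.g. `// A present auth object, even without token/password, is treated as an authenticated probe because <reason>.`; otherwise keep the credential test and handle the `{}` caller explicitly. The enclosing `try` and the consumer of this boolean are outside the hunk, so the effect on the connection is inferred from the comment and the tests.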