diff --git a/src/gateway/server-http.ts b/src/gateway/server-http.ts
index e67737b5b76..72a81a769ad 100644
--- a/src/gateway/server-http.ts
+++ b/src/gateway/server-http.ts
@@ -491,7 +491,7 @@ export function createGatewayHttpServer(opts: {
 // Channel HTTP endpoints are gateway-auth protected by default.
 // Non-channel plugin routes remain plugin-owned and must enforce
 // their own auth when exposing sensitive functionality.
- if (requestPath.startsWith("/api/channels/")) {
+ if (requestPath === "/api/channels" || requestPath.startsWith("/api/channels/")) {
 const token = getBearerToken(req);
 const authResult = await authorizeHttpGatewayConnect({
 auth: resolvedAuth,
diff --git a/src/gateway/server.plugin-http-auth.test.ts b/src/gateway/server.plugin-http-auth.test.ts
index f932e1e2a35..25568d4803e 100644
--- a/src/gateway/server.plugin-http-auth.test.ts
+++ b/src/gateway/server.plugin-http-auth.test.ts
@@ -142,6 +142,12 @@ describe("gateway plugin HTTP auth boundary", () => {
 run: async () => {
 const handlePluginRequest = vi.fn(async (req: IncomingMessage, res: ServerResponse) => {
 const pathname = new URL(req.url ?? "/", "http://localhost").pathname;
+ if (pathname === "/api/channels") {
+ res.statusCode = 200;
+ res.setHeader("Content-Type", "application/json; charset=utf-8");
+ res.end(JSON.stringify({ ok: true, route: "channel-root" }));
+ return true;
+ }
 if (pathname === "/api/channels/nostr/default/profile") {
 res.statusCode = 200;
 res.setHeader("Content-Type", "application/json; charset=utf-8");
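Review bot: The auth boundary on the `+` line now rests on two plain string comparisons against `requestPath`, and this hunk does not show whether that value is normalized before the check (dot segments, doubled or trailing slashes, percent-encoded separators, case); if it is taken from `req.url` rather than a parsed `URL(...).pathname`, an unnormalized spelling of a channel route may miss the gateway check and fall through to the plugin-owned branch, so confirm the normalization where `requestPath` is derived and, if it is not normalized, pin that in a test. The intent would also read better as a named predicate kept next to the comment block: `const isChannelApiPath = requestPath === "/api/channels" || requestPath.startsWith("/api/channels/");` with the comment `// The bare "/api/channels" root (no trailing slash) is a channel endpoint too.` createGatewayHttpServer begins and ends outside this hunk.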
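Review bot: The added `/api/channels` branch in the mock plugin handler repeats the status, header and `res.end` boilerplate of the profile branch that follows it, differing only in the `route` label. A small lookup such as `const routes = new Map([["/api/channels", "channel-root"], ["/api/channels/nostr/default/profile", "…"]])` followed by one `routes.get(pathname)` check would let future boundary cases be added as one line each and make it obvious which paths the mock considers plugin-handled. The `vi.fn` callback continues past the end of the hunk.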
@@ -179,6 +185,16 @@ describe("gateway plugin HTTP auth boundary", () => {
 expect(unauthenticated.getBody()).toContain("Unauthorized");
 expect(handlePluginRequest).not.toHaveBeenCalled();
 
+ const unauthenticatedRoot = createResponse();
+ await dispatchRequest(
+ server,
+ createRequest({ path: "/api/channels" }),
+ unauthenticatedRoot.res,
+ );
+ expect(unauthenticatedRoot.res.statusCode).toBe(401);
+ expect(unauthenticatedRoot.getBody()).toContain("Unauthorized");
+ expect(handlePluginRequest).not.toHaveBeenCalled();
+
 const authenticated = createResponse();
 await dispatchRequest(
 server,
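Review bot: The new `unauthenticatedRoot` block is a line-for-line copy of the `unauthenticated` request whose assertions end just above it (its setup lies outside the hunk), so the two cases would be clearer as one loop over the protected paths, which also makes the single `not.toHaveBeenCalled()` check cover every denied request at once. While touching this, a negative case for a near-miss path that is not a channel route (one that matches neither the exact root nor the `/api/channels/` prefix) would pin the boundary as exact, since the test currently only shows paths that must be denied. The enclosing test body starts and ends outside the hunk.
```typescript
// … unchanged: server setup and authenticated fixtures …
// assumes the earlier unauthenticated request used the profile path — confirm against the lines above the hunk
for (const path of ["/api/channels/nostr/default/profile", "/api/channels"]) {
  const denied = createResponse();
  await dispatchRequest(server, createRequest({ path }), denied.res);
  expect(denied.res.statusCode).toBe(401);
  expect(denied.getBody()).toContain("Unauthorized");
}
expect(handlePluginRequest).not.toHaveBeenCalled();
// … unchanged: authenticated request …
```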