diff --git a/src/cloud/server.ts b/src/cloud/server.ts
index 1f1f4d44..d1a0e535 100644
--- a/src/cloud/server.ts
+++ b/src/cloud/server.ts
@@ -222,7 +222,8 @@ export async function createServer(): Promise {
   const isWorkspaceProxyRoute = (path: string) => /^\/api\/workspaces\/[^/]+\/proxy\//.test(path);
   app.use((req: Request, res: Response, next: NextFunction) => {
     // Skip CSRF for webhook endpoints and workspace proxy routes
-    if (CSRF_EXEMPT_PATHS.some(path => req.path.startsWith(path)) || isWorkspaceProxyRoute(req.path)) {
+    const isExemptPath = CSRF_EXEMPT_PATHS.some(exemptPath => req.path.startsWith(exemptPath));
+    if (isExemptPath || isWorkspaceProxyRoute(req.path)) {
       return next();
     }
 
@@ -252,6 +253,12 @@ export async function createServer(): Promise {
       return next();
     }
 
+    // Skip CSRF for admin API key authenticated requests
+    const adminSecret = req.get('x-admin-secret');
+    if (adminSecret) {
+      return next();
+    }
+
     // Skip CSRF for test endpoints in non-production
     if (process.env.NODE_ENV !== 'production' && req.path.startsWith('/api/test/')) {
       return next();
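Review bot: The new exemption in the second hunk skips the CSRF check on the mere presence of an `x-admin-secret` header, not on its validity — `req.get` returns whatever the client sent, so any request carrying the header with a non-empty value, correct or not, passes this middleware, and the comment's "authenticated" is not established by anything visible here. If the intent is the custom-request-header pattern (a browser cannot attach this header cross-site without a CORS preflight), that only holds while the CORS configuration does not allow `x-admin-secret` for arbitrary origins, and the comment should state that dependency rather than claim authentication. If the intent is that the secret itself authenticates the caller, validate it before returning, e.g. `if (adminSecret && <constant-time comparison against the configured admin secret>) { return next(); }`, so that a wrong value still falls through to the CSRF check. The enclosing `app.use` callback starts in the first hunk and continues past both hunks, so I cannot see whether a later handler rejects an invalid secret.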