diff --git a/src/__tests__/app-routes.test.ts b/src/__tests__/app-routes.test.ts
index b4875fd..2326aea 100644
--- a/src/__tests__/app-routes.test.ts
+++ b/src/__tests__/app-routes.test.ts
@@ -59,7 +59,7 @@ describe("App-level routes", () => {
 describe("CORS behavior", () => {
 it("returns restricted origin for auth routes", async () => {
- for (const path of ["/v1/signup", "/v1/recover", "/v1/billing", "/v1/demo"]) {
+ for (const path of ["/v1/signup", "/v1/recover", "/v1/billing", "/v1/demo", "/v1/email-change"]) {
 const res = await request(app).get(path);
 expect(res.headers["access-control-allow-origin"]).toBe("https://docfast.dev");
 }
diff --git a/src/index.ts b/src/index.ts
index a39bfbe..898b476 100644
--- a/src/index.ts
+++ b/src/index.ts
@@ -61,7 +61,8 @@ app.use((req, res, next) => {
 const isAuthBillingRoute = req.path.startsWith('/v1/signup') ||
 req.path.startsWith('/v1/recover') ||
 req.path.startsWith('/v1/billing') ||
- req.path.startsWith('/v1/demo');
+ req.path.startsWith('/v1/demo') ||
+ req.path.startsWith('/v1/email-change');
 if (isAuthBillingRoute) {
 res.setHeader("Access-Control-Allow-Origin", "https://docfast.dev");
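Review bot: The added `req.path.startsWith('/v1/email-change')` check in src/index.ts, like the four before it, compares the raw request path case-sensitively, whereas Express matches routes case-insensitively unless `case sensitive routing` is enabled, so a differently-cased path may reach the same handler without taking the restricted-origin branch. What the fallback branch sends is outside this hunk; if it is a wider origin, the restriction on these account routes is weaker than the updated test in app-routes.test.ts (which requests only the exact lowercase paths) suggests. Comparing a normalised path, e.g. `const p = req.path.toLowerCase();`, or attaching the CORS policy to the routers themselves would close that gap. Keeping the prefixes in one array and testing `RESTRICTED_PREFIXES.some((prefix) => p.startsWith(prefix))` would also mean a new sensitive route cannot be left out of this chain unnoticed. The enclosing `app.use` callback starts and ends outside the hunk.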