diff --git a/src/main.rs b/src/main.rs
index 6f66111ad..0161e1a65 100644
--- a/src/main.rs
+++ b/src/main.rs
@@ -500,6 +500,14 @@ async fn run_axum_server(
 .layer(rate_limit_extension)
 // Request ID tracking for all requests
 .layer(middleware::from_fn(request_id_middleware))
+ // Authentication middleware using provider registry
+ // NOTE: In Axum, layers are applied bottom-to-top, so this runs BEFORE RBAC
+ .layer(middleware::from_fn(move |req: axum::http::Request, next: axum::middleware::Next| {
+ let state = auth_middleware_state.clone();
+ async move {
+ botserver::security::auth_middleware_with_providers(req, next, state).await
+ }
+ }))
 // RBAC middleware - checks permissions AFTER authentication
 .layer(middleware::from_fn(move |req: axum::http::Request, next: axum::middleware::Next| {
 let rbac = Arc::clone(&rbac_manager_for_middleware);
@@ -507,13 +515,6 @@ async fn run_axum_server(
 botserver::security::rbac_middleware_fn(req, next, rbac).await
 }
 }))
- // Authentication middleware using provider registry
- .layer(middleware::from_fn(move |req: axum::http::Request, next: axum::middleware::Next| {
- let state = auth_middleware_state.clone();
- async move {
- botserver::security::auth_middleware_with_providers(req, next, state).await
- }
- }))
 // Panic handler catches panics and returns safe 500 responses
 .layer(middleware::from_fn(move |req, next| {
 let config = panic_config.clone();
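Review bot: The ordering claim in the added `// NOTE:` comment only holds if the receiver of this `.layer` chain is a `tower::ServiceBuilder`, where the first layer is outermost and runs first; on an axum `Router`, each `.layer` wraps everything added before it, so the last-added layer runs first and placing the auth layer above the RBAC layer makes `rbac_middleware_fn` execute before `auth_middleware_with_providers` — the opposite of what the comment and the retained `// RBAC middleware - checks permissions AFTER authentication` comment state, and a reversal of the original order. The receiver, and the rest of `run_axum_server`, are outside this hunk, so I cannot tell which semantics apply; if it is a `Router`, the pre-commit order was the correct one and this change lets permission checks run against a request that has not yet been authenticated. Please confirm the receiver type and pin the intent with a test that sends an unauthenticated request to a role-protected route and asserts the rejection comes from the auth layer, not from RBAC. Whichever order applies, `rbac_middleware_fn` should also deny when the authentication context it expects is absent rather than skip the check, but that cannot be verified from this hunk. I would reword the comment to state the dependency explicitly: `// Must run BEFORE RBAC: on ServiceBuilder the first layer is outermost; on Router::layer the last-added layer runs first, so check the receiver before reordering`.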