diff --git a/services/web-ui/public/data.jsx b/services/web-ui/public/data.jsx
index 9d1c8e4..6250289 100644
--- a/services/web-ui/public/data.jsx
+++ b/services/web-ui/public/data.jsx
@@ -20,6 +20,15 @@ async function apiFetch(path, opts = {}) {
     headers: { 'Content-Type': 'application/json', ...(opts.headers || {}) },
     ...opts,
   });
+  // 401 from any API call means there's no live session. Bounce to the
+  // login screen instead of leaving the app in a half-loaded state.
+  // While AUTH_ENABLED=false the server returns a synthetic /auth/me with
+  // 200 so this branch never fires; flipping AUTH_ENABLED=true is what
+  // activates the redirect end-to-end.
+  if (res.status === 401 && !location.pathname.endsWith('/login.html')) {
+    location.replace('/login.html');
+    throw new Error('Unauthenticated — redirecting to login');
+  }
   if (!res.ok) throw new Error(res.status + ' ' + res.statusText);
   return res.json();
 }