diff --git a/frontend/src/app/sign-in/page.tsx b/frontend/src/app/sign-in/[[...rest]]/page.tsx
similarity index 100%
rename from frontend/src/app/sign-in/page.tsx
rename to frontend/src/app/sign-in/[[...rest]]/page.tsx
diff --git a/frontend/src/proxy.ts b/frontend/src/proxy.ts
index c147ef4..27f1432 100644
--- a/frontend/src/proxy.ts
+++ b/frontend/src/proxy.ts
@@ -1,5 +1,5 @@
 import { NextResponse } from "next/server";
-import { clerkMiddleware } from "@clerk/nextjs/server";
+import { clerkMiddleware, createRouteMatcher } from "@clerk/nextjs/server";
 
 import { isLikelyValidClerkPublishableKey } from "@/auth/clerkKey";
 
@@ -8,7 +8,16 @@ const isClerkEnabled = () =>
     process.env.NEXT_PUBLIC_CLERK_PUBLISHABLE_KEY,
   );
 
-export default isClerkEnabled() ? clerkMiddleware() : () => NextResponse.next();
+// Public routes must include Clerk sign-in paths to avoid redirect loops.
+const isPublicRoute = createRouteMatcher(["/sign-in(.*)"]); 
+
+export default isClerkEnabled()
+  ? clerkMiddleware((auth, req) => {
+      if (isPublicRoute(req)) return NextResponse.next();
+      auth().protect();
+      return NextResponse.next();
+    })
+  : () => NextResponse.next();
 
 export const config = {
   matcher: [