diff --git a/src/server.js b/src/server.js
index 8c90827..602afe4 100644
--- a/src/server.js
+++ b/src/server.js
@@ -5,7 +5,7 @@ import bodyParser from 'body-parser';
 import cors from 'cors';
 import config from './config.js';
 import { initDatabase } from './db.js';
-import { initOIDC } from './middleware/oidcMiddleware.js';
+import { initOIDC, isOIDCEnabled } from './middleware/oidcMiddleware.js';
 import {
 requestLogger,
 securityHeaders,
@@ -70,6 +70,22 @@ app.use(
 // Static files
 app.use(express.static('public'));
+// Development mode: auto-create session for /admin and /api access
+app.use((req, res, next) => {
+ // In dev mode without OIDC, create a session automatically
+ if (req.path.startsWith('/admin') || req.path.startsWith('/api') || req.path.startsWith('/dashboard')) {
+ if (!isOIDCEnabled() && !req.session.user) {
+ req.session.user = {
+ sub: 'dev-user-' + Date.now(),
+ name: 'Dev User',
+ email: 'dev@localhost',
+ isAdmin: true,
+ };
+ }
+ }
+ next();
+});
+
 // Routes
 app.use('/auth', authRoutes);
 app.use('/api', adminRoutes);
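Review bot: The middleware added in the second hunk (`@@ -70,6 +70,22 @@`) fails open: any unauthenticated request to `/admin`, `/api` or `/dashboard` receives a session with `isAdmin: true` whenever `isOIDCEnabled()` returns false, and nothing in the hunk checks that the process is actually running in development. A production deployment where OIDC is switched off or misconfigured would therefore treat every visitor as an administrator. Make the bypass an explicit, default-off opt-in, for example `if (process.env.NODE_ENV === 'development' && !isOIDCEnabled() && !req.session.user) {`, and log a warning at startup whenever it is active so it is visible in deployment logs. The comment above the middleware should also list `/dashboard`, which the condition covers but the comment omits. Presumably the session middleware is mounted above this hunk; if it is not, `req.session.user` throws on these paths.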