diff --git a/templates/ingressroute.yaml b/templates/ingressroute.yaml
index e328b5c..d188458 100644
--- a/templates/ingressroute.yaml
+++ b/templates/ingressroute.yaml
@@ -2,8 +2,13 @@
 # same hostname.
 #
 # Routing rules (Traefik picks longest-match-with-priority):
-# - API endpoints (/healthz, /instances, future /api/*) → backend
-# - everything else → frontend (Vue SPA)
+# - /api/*, /healthz, /connect/*, /teardown/* → backend
+# - everything else → frontend (Vue SPA)
+#
+# /connect and /teardown are customer-facing (token-bearer auth, no
+# operator JWT) — that's why they're NOT under /api. They still
+# need to land on the backend, not the SPA, so the customer's
+# `curl … | sudo bash` actually receives a shell script.
 #
 # Priority is set explicitly so Traefik doesn't fall back to its
 # heuristic; the API rule outranks the catchall, which outranks no
@@ -19,7 +24,7 @@ spec:
 - {{ .Values.ingress.entryPoint }}
 routes:
 {{- if .Values.backend.enabled }}
-- - match: Host(`{{ .Values.ingress.domain }}`) && (PathPrefix(`/api`) || PathPrefix(`/healthz`))
+ - match: Host(`{{ .Values.ingress.domain }}`) && (PathPrefix(`/api`) || PathPrefix(`/healthz`) || PathPrefix(`/connect`) || PathPrefix(`/teardown`))
 kind: Rule
 priority: 200
 services:
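Review bot: The new header comment (first hunk) records that /connect and /teardown return a script the customer pipes into `sudo bash`, but it leaves out the transport requirement that follows from that. The response runs as root on the customer's host, so its integrity depends on these paths being served only over TLS. The entry point is chart-configurable (`{{ .Values.ingress.entryPoint }}` in the second hunk) and no `tls:` section is visible in either hunk, so this may already be enforced elsewhere in the template. I would add a comment line such as `# The returned script runs as root on the customer host: expose these paths on a TLS entryPoint only.`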
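Review bot: In the `match:` rule (second hunk) the added ``PathPrefix(`/connect`)`` and ``PathPrefix(`/teardown`)`` are plain string-prefix matches, so they also send paths such as `/connections` or `/teardown-help` to the backend at priority 200. The header comment describes the narrower `/connect/*` and `/teardown/*`. If the backend only serves paths below those segments, ``PathPrefix(`/connect/`) || PathPrefix(`/teardown/`)`` matches the documented intent and keeps sibling SPA routes on the frontend. These endpoints skip the operator JWT, so it is also worth confirming that the route carries rate limiting, and that access logs do not record the bearer token if it travels in the URL path. The route block continues past the end of the hunk, so any `middlewares:` entry is not visible here.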