diff --git a/packages/api/src/server.ts b/packages/api/src/server.ts
index 640d4cd..5b4f342 100644
--- a/packages/api/src/server.ts
+++ b/packages/api/src/server.ts
@@ -86,9 +86,9 @@ export async function createServer() {
 app.addHook("onRequest", async (req, reply) => {
 if (["POST", "PUT", "PATCH", "DELETE"].includes(req.method)) {
 const origin = req.headers.origin;
- // Server-to-server webhook calls don't send Origin headers
- if (!origin && req.url.startsWith('/api/v1/plugins/') && req.url.includes('/webhook')) return;
- if (!origin || !allowedOrigins.has(origin)) {
+ // no Origin header = same-origin request or server-to-server call
+ if (!origin) return;
+ if (!allowedOrigins.has(origin)) {
 return reply.status(403).send({ error: "Forbidden" });
 }
 }
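Review bot: The new `if (!origin) return;` exempts every state-changing request that lacks an Origin header from the origin check, where the removed code limited that exemption to the `/api/v1/plugins/…/webhook` route, so the check's protection now rests on every caller always sending Origin — a header that proxies or privacy settings can strip — and, if sessions are cookie-based (not visible in this hunk), a stripped header would let a cross-site request through. The new comment is also inaccurate: browsers send Origin on same-origin POST/PUT/PATCH/DELETE too, so an absent header does not indicate a same-origin request, only a non-browser or header-stripped one. I would keep the webhook exemption and, when Origin is absent, consult the `Sec-Fetch-Site` fetch-metadata header (and/or `Referer`) before accepting, rejecting when it reports `cross-site`, and reword the comment to `// no Origin header: non-browser caller, or a browser/proxy that dropped it; fall back to Fetch Metadata`. The onRequest hook callback and createServer continue outside the hunk.
```typescript
      const origin = req.headers.origin;
      if (!origin) {
        // No Origin: consult Fetch Metadata before assuming a non-browser caller.
        const site = req.headers["sec-fetch-site"];
        if (site === "cross-site") {
          return reply.status(403).send({ error: "Forbidden" });
        }
        return;
      }
      if (!allowedOrigins.has(origin)) {
        // … unchanged: 403 response …
```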