diff --git a/public/index.php b/public/index.php
index 59531d0..04c65ea 100644
--- a/public/index.php
+++ b/public/index.php
@@ -5,7 +5,11 @@ declare(strict_types=1);
 require_once __DIR__ . '/../config/fileload.php';
 
 // Staging-Access-Protection (Basic Auth)
-if (defined('APP_ENV') && APP_ENV === 'staging') {
+$uriPath = parse_url($_SERVER['REQUEST_URI'] ?? '/', PHP_URL_PATH) ?: '/';
+$uriPath = preg_replace('~/{2,}~', '/', $uriPath);
+$uriPath = trim($uriPath, '/');
+$isRetoolPath = ($uriPath === 'retool' || str_starts_with($uriPath, 'retool/'));
+if (defined('APP_ENV') && APP_ENV === 'staging' && !$isRetoolPath) {
     $authUser = getenv('STAGING_AUTH_USER') ?: 'staging';
     $authPass = getenv('STAGING_AUTH_PASS') ?: 'staging123';
     $user = $_SERVER['PHP_AUTH_USER'] ?? null;
@@ -18,10 +22,6 @@ if (defined('APP_ENV') && APP_ENV === 'staging') {
     }
 }
 
-$uriPath = parse_url($_SERVER['REQUEST_URI'] ?? '/', PHP_URL_PATH) ?: '/';
-$uriPath = preg_replace('~/{2,}~', '/', $uriPath);
-$uriPath = trim($uriPath, '/');
-
 // Sicherheitscheck
 if (str_contains($uriPath, '..')) {
     http_response_code(400);