diff --git a/apps/rowboat/app/actions/assistant-templates.actions.ts b/apps/rowboat/app/actions/assistant-templates.actions.ts index 5b163a2e..29abde59 100644 --- a/apps/rowboat/app/actions/assistant-templates.actions.ts +++ b/apps/rowboat/app/actions/assistant-templates.actions.ts @@ -4,7 +4,6 @@ import { z } from 'zod'; import { authCheck } from "./auth.actions"; import { MongoDBAssistantTemplatesRepository } from '@/src/infrastructure/repositories/mongodb.assistant-templates.repository'; import { prebuiltTemplates } from '@/app/lib/prebuilt-cards'; -import { auth0 } from '@/app/lib/auth0'; import { USE_AUTH } from '@/app/lib/feature_flags'; const repo = new MongoDBAssistantTemplatesRepository(); @@ -146,6 +145,7 @@ export async function createAssistantTemplate(data: z.infer ({ - async getSession(_req?: unknown) { - return null; - }, - async middleware(_req?: unknown) { - return NextResponse.next(); - }, -}); - -export const auth0 = USE_AUTH && isAuthConfigured - ? new Auth0Client({ - domain: auth0Domain, - clientId: auth0ClientId, - clientSecret: process.env.AUTH0_CLIENT_SECRET, - appBaseUrl: auth0BaseUrl, - secret: auth0Secret, - authorizationParameters: { - scope: process.env.AUTH0_SCOPE, - audience: process.env.AUTH0_AUDIENCE, - } - }) - : createAuth0Shim(); \ No newline at end of file + authorizationParameters: { + // In v4, the AUTH0_SCOPE and AUTH0_AUDIENCE environment variables for API authorized applications are no longer automatically picked up by the SDK. + // Instead, we need to provide the values explicitly. + scope: process.env.AUTH0_SCOPE, + audience: process.env.AUTH0_AUDIENCE, + } +}); \ No newline at end of file diff --git a/apps/rowboat/middleware.ts b/apps/rowboat/middleware.ts index 8e5961a5..fac06262 100644 --- a/apps/rowboat/middleware.ts +++ b/apps/rowboat/middleware.ts 
@@ -1,6 +1,5 @@
 import { NextFetchEvent, NextRequest, NextResponse } from "next/server";
 import { auth0 } from "./app/lib/auth0";
-import { USE_AUTH } from "./app/lib/feature_flags";
 const corsOptions = {
 'Access-Control-Allow-Methods': 'GET, POST, PUT, DELETE, OPTIONS',
@@ -18,13 +17,9 @@ async function authCheck(request: NextRequest) {
 }
 export async function middleware(request: NextRequest, event: NextFetchEvent) {
- // Check if the request path starts with /auth
+ // Check if the request path starts with /api/auth/
 if (request.nextUrl.pathname.startsWith('/auth')) {
- // Only delegate to Auth0 when auth is enabled; otherwise allow through
- if (USE_AUTH) {
- return await auth0.middleware(request);
- }
- return NextResponse.next();
+ return await auth0.middleware(request);
 }
 // Check if the request path starts with /api/
@@ -54,7 +49,8 @@ export async function middleware(request: NextRequest, event: NextFetchEvent) {
 if (request.nextUrl.pathname.startsWith('/projects') ||
 request.nextUrl.pathname.startsWith('/billing') ||
 request.nextUrl.pathname.startsWith('/onboarding')) {
- if (USE_AUTH) {
+ // Skip auth check if USE_AUTH is not enabled
+ if (process.env.USE_AUTH === 'true') {
 return await authCheck(request);
 }
 }
diff --git a/start.sh b/start.sh
index 2ee2f895..c98c240e 100755
--- a/start.sh
+++ b/start.sh
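Review bot: The rewritten comment in the `@@ -18,13 +17,9 @@` hunk says `/api/auth/`, but the condition under it still tests `startsWith('/auth')`, so the comment now names a different path than the code matches; it should stay `// Check if the request path starts with /auth`. With the `USE_AUTH` guard removed, every `/auth*` request is also handed to `auth0.middleware` when auth is disabled, so those routes run against whatever configuration the client was built with (the start.sh hunk in this commit fills missing values with `test`). If that is intended, say so in a one-line comment; otherwise keep the `if (USE_AUTH)` guard. The body of `middleware` continues outside this hunk.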
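Review bot: The new guard `process.env.USE_AUTH === 'true'` in the `@@ -54,7 +49,8 @@` hunk fails open: any other spelling of the value (`TRUE`, `1`, a trailing space) silently skips `authCheck` for `/projects`, `/billing` and `/onboarding`. It also adds a second source of truth beside the `USE_AUTH` export from `app/lib/feature_flags`, which `assistant-templates.actions.ts` still imports in this commit; if that module parses the variable differently (its definition is not visible here), the middleware and the server actions can disagree about whether auth is on. Prefer keeping `import { USE_AUTH } from "./app/lib/feature_flags";` and `if (USE_AUTH) {`, so the flag is parsed in one place. The enclosing `middleware` function starts and ends outside the hunk.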
@@ -22,6 +22,17 @@ export USE_KLAVIS_TOOLS=true
 # export USE_KLAVIS_TOOLS=true
 # fi
+# default to disabling auth if not explicitly enabled
+export USE_AUTH="${USE_AUTH:-false}"
+
+# provide dummy auth0 env vars if missing (to silence build-time warnings)
+# Note: app/lib/auth0.ts expects AUTH0_ISSUER_BASE_URL and AUTH0_BASE_URL
+export AUTH0_ISSUER_BASE_URL="${AUTH0_ISSUER_BASE_URL:-${AUTH0_DOMAIN:-test}}"
+export AUTH0_CLIENT_ID="${AUTH0_CLIENT_ID:-test}"
+export AUTH0_BASE_URL="${AUTH0_BASE_URL:-${APP_BASE_URL:-test}}"
+export AUTH0_SECRET="${AUTH0_SECRET:-test}"
+export AUTH0_CLIENT_SECRET="${AUTH0_CLIENT_SECRET:-test}"
+
 # Start with the base command and profile flags
 CMD="docker compose"
 CMD="$CMD --profile setup_qdrant"
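Review bot: The `test` fallbacks for `AUTH0_SECRET` and `AUTH0_CLIENT_SECRET` are applied whatever `USE_AUTH` is set to, so a deployment that sets `USE_AUTH=true` but leaves one of them unset starts with a publicly known value instead of failing. Export the placeholders only when auth is off, for example by wrapping the five `AUTH0_*` exports in `if [ "$USE_AUTH" != "true" ]; then` … `fi`, and treat a missing value as an error when auth is on. The comment says the defaults are there to silence build-time warnings, but they are exported into the environment `docker compose` is launched from, so depending on the compose file they may reach the running app as well.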