diff --git a/auth.php b/auth.php
index d8604ff..9ac0ff1 100644
--- a/auth.php
+++ b/auth.php
@@ -15,6 +15,11 @@
  * @return bool True if authenticated, false otherwise
  */
 function authenticate() {
+    // Development mode: allow localhost without auth
+    if (isDevelopmentMode()) {
+        return true;
+    }
+
     $api_key = extractApiKey();
 
     if (!$api_key) {
@@ -27,6 +32,18 @@ function authenticate() {
     return in_array($api_key, $valid_keys, true);
 }
 
+/**
+ * Check if running in development mode (localhost)
+ *
+ * @return bool True if development mode
+ */
+function isDevelopmentMode() {
+    $host = $_SERVER['HTTP_HOST'] ?? $_SERVER['SERVER_NAME'] ?? 'unknown';
+
+    // Allow localhost and 127.0.0.1 without auth
+    return in_array($host, ['localhost:8000', 'localhost', '127.0.0.1:8000', '127.0.0.1']);
+}
+
 /**
  * Extract API key from request
  *