diff --git a/backend/src/categories/categories.controller.ts b/backend/src/categories/categories.controller.ts
index 1a35e81a..447a0cc1 100644
--- a/backend/src/categories/categories.controller.ts
+++ b/backend/src/categories/categories.controller.ts
@@ -2,7 +2,7 @@ import { Controller, Get } from '@nestjs/common';
 import { CategoriesService } from './categories.service';
 import { Public } from '../auth/decorators/public.decorator';
 
-@Controller('api/categories')
+@Controller('categories')
 export class CategoriesController {
   constructor(private readonly categoriesService: CategoriesService) {}
 
diff --git a/frontend/app/admin/products/EditProductForm.tsx b/frontend/app/admin/products/EditProductForm.tsx
index 615875fd..ca257a34 100644
--- a/frontend/app/admin/products/EditProductForm.tsx
+++ b/frontend/app/admin/products/EditProductForm.tsx
@@ -43,7 +43,9 @@ export default function EditProductForm({ product }: Props) {
     if (isOpen && categoryTree.length === 0) {
       fetch('/api/categories')
         .then((r) => r.json())
-        .then((data: CategoryNode[]) => setCategoryTree(data))
+        .then((data: unknown) => {
+          if (Array.isArray(data)) setCategoryTree(data as CategoryNode[]);
+        })
         .catch(() => {});
     }
   }, [isOpen]);
diff --git a/frontend/app/api/products/route.ts b/frontend/app/api/products/route.ts
index 180a9db5..05c491cd 100644
--- a/frontend/app/api/products/route.ts
+++ b/frontend/app/api/products/route.ts
@@ -1,17 +1,19 @@
-import { NextRequest, NextResponse } from 'next/server';
-import { getAuthHeaders } from '../../../lib/auth-headers';
+import { NextResponse } from 'next/server';
+import { auth } from '../../../auth';
 
 const API_BASE = process.env.NEXT_PUBLIC_API_URL_INTERNAL || 'http://recipe-api:8080';
 
-export async function GET(request: NextRequest) {
-  const authHeaders = await getAuthHeaders();
-  const res = await fetch(`${API_BASE}/api/products`, {
-    method: 'GET',
-    headers: { ...authHeaders },
+export const GET = auth(async function GET(req) {
+  const token = (req.auth as any)?.accessToken as string | undefined;
+  if (!token) return NextResponse.json({ error: 'Unauthorized' }, { status: 401 });
+
+  const url = new URL(req.url);
+  const query = url.searchParams.toString();
+  const res = await fetch(`${API_BASE}/api/products${query ? `?${query}` : ''}`, {
+    headers: { Authorization: `Bearer ${token}` },
     cache: 'no-store',
   });
 
   const data = await res.json();
-
   return NextResponse.json(data, { status: res.status });
-}
+});