diff --git a/back/loaders/express.ts b/back/loaders/express.ts
index 97aa3253..12f28342 100644
--- a/back/loaders/express.ts
+++ b/back/loaders/express.ts
@@ -29,6 +29,8 @@ export default ({ app }: { app: Application }) => {
   }
 
   // Create base-URL-aware whitelist for JWT
+  // When baseUrl is empty, paths remain as-is (e.g., '/api/user/login')
+  // When baseUrl is set, paths are prefixed (e.g., '/qinglong/api/user/login')
   const jwtWhitelist = config.apiWhiteList.map(path => `${config.baseUrl}${path}`);
   // Exclude non-API/non-open paths from JWT requirement
   // When baseUrl is set: exclude paths that don't start with baseUrl/api/ or baseUrl/open/
@@ -84,6 +86,8 @@ export default ({ app }: { app: Application }) => {
       }
     }
 
+    // req.path already includes the full path with baseUrl
+    // e.g., when baseUrl=/qinglong and request is /qinglong/api/user/login, req.path=/qinglong/api/user/login
     const originPath = req.path;
     if (
       !headerToken &&
diff --git a/src/utils/http.tsx b/src/utils/http.tsx
index cdb026a7..13be8dc6 100644
--- a/src/utils/http.tsx
+++ b/src/utils/http.tsx
@@ -93,8 +93,9 @@ const apiWhiteListBase = [
 ];
 
 // Only modify paths if baseUrl is set and not the default '/'
+// Frontend baseUrl always ends with '/', so we remove leading '/' from paths
 const apiWhiteList = config.baseUrl && config.baseUrl !== '/'
-  ? apiWhiteListBase.map(path => `${config.baseUrl}${path.replace(/^\//, '')}`)
+  ? apiWhiteListBase.map(path => `${config.baseUrl}${path.substring(1)}`)
   : apiWhiteListBase;