diff --git a/public_html/api.php b/public_html/api.php
index 8214fe7..f338446 100644
--- a/public_html/api.php
+++ b/public_html/api.php
@@ -8,11 +8,21 @@ require_once __DIR__ . '/../api/config.php';
require_once __DIR__ . '/../api/lib/db.php';
require_once __DIR__ . '/../api/lib/kb_engine.php';
-// Skip session for agent/netscan/ping — each heartbeat would otherwise create
-// an empty session file, producing millions of files that slow session GC for all requests.
+// Skip session for machine-agent calls and netscan/ping — each heartbeat would
+// otherwise create an empty session file, producing millions of files that slow
+// session GC for all requests. Browser-facing agent sub-actions (list/status/myip)
+// still need a session to verify auth, so we only skip for machine-agent actions.
$_earlyParts = explode('/', trim(parse_url($_SERVER['REQUEST_URI'] ?? '/', PHP_URL_PATH), '/'));
if (($_earlyParts[0] ?? '') === 'api') array_shift($_earlyParts);
-if (!in_array($_earlyParts[0] ?? '', ['agent','netscan','ping'], true)) {
+$_e0 = $_earlyParts[0] ?? '';
+$_e1 = $_earlyParts[1] ?? '';
+$_skipSession = match(true) {
+ $_e0 === 'ping' => true,
+ $_e0 === 'netscan' => true,
+ $_e0 === 'agent' && !in_array($_e1, ['list','status','myip'], true) => true,
+ default => false,
+};
+if (!$_skipSession) {
session_start();
}