diff --git a/src/main/kotlin/com/android/trisolarisserver/security/FirebaseAuthFilter.kt b/src/main/kotlin/com/android/trisolarisserver/security/FirebaseAuthFilter.kt
index 067486c..6f7e3d0 100644
--- a/src/main/kotlin/com/android/trisolarisserver/security/FirebaseAuthFilter.kt
+++ b/src/main/kotlin/com/android/trisolarisserver/security/FirebaseAuthFilter.kt
@@ -40,7 +40,7 @@ class FirebaseAuthFilter(
 }
 val token = header.removePrefix("Bearer ").trim()
 try {
- val principal = authResolver.resolveFromToken(token, createIfMissing = false)
+ val principal = authResolver.resolveFromToken(token, createIfMissing = shouldAutoCreateUser(request))
 val user = appUserRepo.findById(principal.userId).orElse(null)
 logger.debug("Auth verified uid={}, userId={}", principal.firebaseUid, user?.id)
 val auth = UsernamePasswordAuthenticationToken(principal, token, emptyList())
@@ -51,4 +51,9 @@ class FirebaseAuthFilter(
 response.sendError(HttpServletResponse.SC_UNAUTHORIZED, "Invalid token")
 }
 }
+
+ private fun shouldAutoCreateUser(request: HttpServletRequest): Boolean {
+ val path = request.requestURI
+ return path == "/auth/verify" || path == "/auth/me"
+ }
 }
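Review bot: With `createIfMissing = shouldAutoCreateUser(request)` the filter now provisions an application user for any caller whose token verifies, so account creation is gated only by the request path. `resolveFromToken` is not visible in this diff; if it does not already apply a provisioning policy (for example a verified e-mail or an allowed sign-in provider) before inserting the record, that check should be added before this flag is passed as true. The `logger.debug` line that follows does not distinguish a newly created user from an existing one, so creation should be logged at info level where the record is inserted to leave an audit trail. The `try` block begins and ends outside this hunk, so the error path for a failed creation cannot be confirmed from here.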
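Review bot: `shouldAutoCreateUser` compares the raw `request.requestURI` with two string literals, and that value includes any servlet context path and is not normalised. A deployment under a context path, or a request with a trailing slash, therefore silently falls back to `createIfMissing = false`; that fails closed, but a first-time user would presumably be rejected by the catch block's "Invalid token" response with no hint of the cause. I would match on the context-relative path and name the allowlist, e.g. `private val AUTO_CREATE_PATHS = setOf("/auth/verify", "/auth/me")` in a companion object and `return request.servletPath in AUTO_CREATE_PATHS`, assuming the dispatcher is mapped at the root. The function also needs a short KDoc stating that these are the only endpoints permitted to provision users and that the set must stay in sync with the controller mappings. The HTTP method is not checked, so if `/auth/me` is served by GET, a read request now has a write side effect.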