diff --git a/src/app/api/user/route.ts b/src/app/api/user/route.ts
index 1d25b58..8d45c1b 100644
--- a/src/app/api/user/route.ts
+++ b/src/app/api/user/route.ts
@@ -2,6 +2,9 @@ import { NextRequest, NextResponse } from 'next/server';
 import { cookies } from 'next/headers';
 import { db } from '@/lib/db';
+// Force dynamic rendering (required for cookies)
+export const dynamic = 'force-dynamic';
+
 /**
 * GET /api/user
 * Get current user information
diff --git a/src/middleware.ts b/src/middleware.ts
index 27b74c0..2acd6ab 100644
--- a/src/middleware.ts
+++ b/src/middleware.ts
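Review bot: The comment `// Force dynamic rendering (required for cookies)` overstates the dependency: Next.js already treats a route handler that calls `cookies()` from next/headers as dynamic, so the export is an explicit, defensive opt-out of static caching rather than a requirement, and I'd word it `// Explicitly opt out of static caching; cookies() already makes this handler dynamic` so nobody later assumes the export is what makes the cookie read work. The handler body that uses `cookies` and `db` is outside the hunk, so I cannot see how it resolves the current user. Note that the companion middleware.ts hunk in this commit admits protected pages on the mere presence of a `userId` cookie (`req.cookies.get('userId')?.value`) with no signature or server-side session check visible, a value the client itself controls; if this route looks the user up from the same cookie it should verify a session token against `db` rather than trust the id. The middleware's `path.includes('.')` static-file shortcut also lets any protected path containing a dot skip that check, which is worth tightening to an explicit extension or `/_next` prefix test.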
@@ -1,64 +1,56 @@
-import { withAuth } from 'next-auth/middleware';
 import { NextResponse } from 'next/server';
+import type { NextRequest } from 'next/server';
-export default withAuth(
- function middleware(req) {
- const token = req.nextauth.token;
- const path = req.nextUrl.pathname;
+export function middleware(req: NextRequest) {
+ const path = req.nextUrl.pathname;
- // Protected dashboard routes - redirect to /signup if not authenticated
- const protectedRoutes = [
- '/dashboard',
- '/create',
- '/bulk-creation',
- '/analytics',
- '/pricing',
- '/settings',
- ];
+ // Public routes that don't require authentication
+ const publicPaths = [
+ '/',
+ '/pricing',
+ '/faq',
+ '/blog',
+ '/login',
+ '/signup',
+ '/privacy',
+ '/newsletter',
+ ];
- // Check if current path matches any protected route
- const isProtectedRoute = protectedRoutes.some(route => path.startsWith(route));
-
- // If protected route and no token, redirect to signup
- if (isProtectedRoute && !token) {
- const signupUrl = new URL('/signup', req.url);
- return NextResponse.redirect(signupUrl);
- }
+ // Check if path is public
+ const isPublicPath = publicPaths.some(p => path === p || path.startsWith(p + '/'));
+ // Allow API routes
+ if (path.startsWith('/api/')) {
 return NextResponse.next();
- },
- {
- callbacks: {
- authorized: ({ req, token }) => {
- // Public routes that don't require authentication
- const publicPaths = [
- '/',
- '/pricing',
- '/faq',
- '/blog',
- '/login',
- '/signup',
- '/api/auth',
- ];
-
- const path = req.nextUrl.pathname;
-
- // Allow public paths
- if (publicPaths.some(p => path.startsWith(p))) {
- return true;
- }
-
- // Allow redirect routes
- if (path.startsWith('/r/')) {
- return true;
- }
-
- // Require authentication for all other routes
- return !!token;
- },
- },
 }
-);
+
+ // Allow redirect routes (QR code redirects)
+ if (path.startsWith('/r/')) {
+ return NextResponse.next();
+ }
+
+ // Allow static files
+ if (path.includes('.') || path.startsWith('/_next')) {
+ return NextResponse.next();
+ }
+
+ // Allow public paths
+ if (isPublicPath) {
+ return NextResponse.next();
+ }
+
+ // For protected routes, check for userId cookie
+ const userId = req.cookies.get('userId')?.value;
+
+ if (!userId) {
+ // Not authenticated - redirect to signup
+ const signupUrl = new URL('/signup', req.url);
+ return NextResponse.redirect(signupUrl);
+ }
+
+ // Authenticated - allow access
+ return NextResponse.next();
+}
 export const config = {
 matcher: [