diff --git a/veza-backend-api/tests/api_routes_integration_test.go b/veza-backend-api/tests/api_routes_integration_test.go
index bb83258d3..d74fc5d6c 100644
--- a/veza-backend-api/tests/api_routes_integration_test.go
+++ b/veza-backend-api/tests/api_routes_integration_test.go
@@ -67,6 +67,13 @@ func setupTestRouter(t *testing.T) (*gin.Engine, func()) {
 }
 func TestPublicCoreRoutes(t *testing.T) {
+ // MetricsProtection middleware (added in 7b2f87373) reads METRICS_BEARER_TOKEN
+ // at construction time. Set it before setupTestRouter so the protected
+ // /metrics, /metrics/aggregated, /system/metrics routes are reachable in tests
+ // when the request carries the matching bearer header.
+ const metricsToken = "test-metrics-token"
+ t.Setenv("METRICS_BEARER_TOKEN", metricsToken)
+
 router, cleanup := setupTestRouter(t)
 defer cleanup()
@@ -78,6 +85,7 @@ func TestPublicCoreRoutes(t *testing.T) {
 modernPath string
 expectedStatus int
 expectDeprecatedHeader bool
+ needsMetricsAuth bool
 }{
 {
 name: "Health Check",
@@ -103,8 +111,8 @@ func TestPublicCoreRoutes(t *testing.T) {
 expectedStatus: http.StatusOK,
 expectDeprecatedHeader: true,
 },
- // Metrics endpoints might return different body content due to dynamic nature,
- // so we primarily check status code.
+ // Metrics endpoints are protected by MetricsProtection middleware.
+ // We pass a bearer token to verify they're reachable when authenticated.
 {
 name: "Metrics",
 method: http.MethodGet,
@@ -112,6 +120,7 @@ func TestPublicCoreRoutes(t *testing.T) {
 modernPath: "/api/v1/metrics",
 expectedStatus: http.StatusOK,
 expectDeprecatedHeader: true,
+ needsMetricsAuth: true,
 },
 {
 name: "Aggregated Metrics",
@@ -120,6 +129,7 @@ func TestPublicCoreRoutes(t *testing.T) {
 modernPath: "/api/v1/metrics/aggregated",
 expectedStatus: http.StatusOK,
 expectDeprecatedHeader: true,
+ needsMetricsAuth: true,
 },
 {
 name: "System Metrics",
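Review bot: The setup added at the top of TestPublicCoreRoutes always configures a token, so nothing in the visible hunks pins what MetricsProtection does when METRICS_BEARER_TOKEN is empty or unset. Because the comment says the middleware reads the variable at construction time, a deployment that forgets the variable is the case where the three metrics routes could end up served without any credential; whether the middleware fails closed there cannot be told from this diff. A sibling test that calls `t.Setenv("METRICS_BEARER_TOKEN", "")` before `setupTestRouter(t)` and asserts the intended status for `/api/v1/metrics`, `/api/v1/metrics/aggregated` and `/api/v1/system/metrics` would catch a fail-open regression. The body of TestPublicCoreRoutes continues outside the hunk.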
@@ -128,12 +138,16 @@ func TestPublicCoreRoutes(t *testing.T) {
 modernPath: "/api/v1/system/metrics",
 expectedStatus: http.StatusOK,
 expectDeprecatedHeader: true,
+ needsMetricsAuth: true,
 },
 }
 for _, tc := range testCases {
 t.Run("Legacy "+tc.name, func(t *testing.T) {
 req, _ := http.NewRequest(tc.method, tc.legacyPath, nil)
+ if tc.needsMetricsAuth {
+ req.Header.Set("Authorization", "Bearer "+metricsToken)
+ }
 w := httptest.NewRecorder()
 router.ServeHTTP(w, req)
@@ -145,6 +159,9 @@ func TestPublicCoreRoutes(t *testing.T) {
 t.Run("Modern "+tc.name, func(t *testing.T) {
 req, _ := http.NewRequest(tc.method, tc.modernPath, nil)
+ if tc.needsMetricsAuth {
+ req.Header.Set("Authorization", "Bearer "+metricsToken)
+ }
 w := httptest.NewRecorder()
 router.ServeHTTP(w, req)
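Review bot: The "Legacy" subtest only ever sends the matching `Authorization` header, so the test shows the metrics routes are reachable with the token but never that they are refused without it; a MetricsProtection that let every request through would still pass. For each case with `needsMetricsAuth`, add a subtest that sends no header, and ideally one with a non-matching bearer value, and asserts the response is not 200, tightened to the exact status the middleware returns, which is not visible here. The same gap applies to the "Modern" subtest in the following hunk, and the loop body continues outside both hunks. The sketch below also checks the `http.NewRequest` error instead of discarding it.

```go
for _, tc := range testCases {
	// … unchanged: "Legacy" and "Modern" subtests …
	if tc.needsMetricsAuth {
		for _, path := range []string{tc.legacyPath, tc.modernPath} {
			t.Run("Unauthenticated "+tc.name+" "+path, func(t *testing.T) {
				req, err := http.NewRequest(tc.method, path, nil)
				if err != nil {
					t.Fatalf("building request: %v", err)
				}
				w := httptest.NewRecorder()
				router.ServeHTTP(w, req)
				// Tighten to the exact status MetricsProtection returns.
				if w.Code == http.StatusOK {
					t.Errorf("%s served without a bearer token", path)
				}
			})
		}
	}
```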