diff --git a/terraform/platform/lambdas/main.tf b/terraform/platform/lambdas/main.tf
index 1e1e86a..a86bfcc 100644
--- a/terraform/platform/lambdas/main.tf
+++ b/terraform/platform/lambdas/main.tf
@@ -738,16 +738,8 @@ resource "aws_lambda_function_url" "password_set" {
   authorization_type = "NONE"
 }
 
-# Public access for function URL — since Oct 2025, both InvokeFunctionUrl
-# and InvokeFunction are required for public NONE-auth function URLs.
-resource "aws_lambda_permission" "password_set_public_url" {
-  statement_id           = "FunctionURLAllowPublicAccess"
-  action                 = "lambda:InvokeFunctionUrl"
-  function_name          = aws_lambda_function.password_set.function_name
-  principal              = "*"
-  function_url_auth_type = "NONE"
-}
-
+# Public access — the function URL auto-creates FunctionURLAllowPublicAccess
+# for InvokeFunctionUrl. Since Oct 2025, InvokeFunction is also required.
 resource "aws_lambda_permission" "password_set_public_invoke" {
   statement_id  = "AllowPublicInvoke"
   action        = "lambda:InvokeFunction"