diff --git a/terraform/platform/imports.tf b/terraform/platform/imports.tf
new file mode 100644
index 0000000..453f15b
--- /dev/null
+++ b/terraform/platform/imports.tf
@@ -0,0 +1,6 @@
+# One-time imports — remove after successful apply.
+
+import {
+ to = module.lambdas.aws_lambda_permission.password_set_public_url
+ id = "javabin-password-set/FunctionURLAllowPublicAccess"
+}
diff --git a/terraform/platform/lambdas/main.tf b/terraform/platform/lambdas/main.tf
index a86bfcc..bae9240 100644
--- a/terraform/platform/lambdas/main.tf
+++ b/terraform/platform/lambdas/main.tf
@@ -738,8 +738,16 @@ resource "aws_lambda_function_url" "password_set" {
 authorization_type = "NONE"
 }
 
-# Public access — the function URL auto-creates FunctionURLAllowPublicAccess
-# for InvokeFunctionUrl. Since Oct 2025, InvokeFunction is also required.
+# Public access for function URL — both permissions required since Oct 2025.
+# FunctionURLAllowPublicAccess is imported (auto-created by the function URL).
+resource "aws_lambda_permission" "password_set_public_url" {
+ statement_id = "FunctionURLAllowPublicAccess"
+ action = "lambda:InvokeFunctionUrl"
+ function_name = aws_lambda_function.password_set.function_name
+ principal = "*"
+ function_url_auth_type = "NONE"
+}
+
 resource "aws_lambda_permission" "password_set_public_invoke" {
 statement_id = "AllowPublicInvoke"
 action = "lambda:InvokeFunction"
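Review bot: The import `id` hard-codes the function name `javabin-password-set`, while the resource it targets takes its name from `aws_lambda_function.password_set.function_name`, so the two can drift apart if the function is ever renamed or deployed under another name per environment. As far as I know every argument of `aws_lambda_permission` forces replacement, so any difference between the imported statement and the declared one would plan a destroy and create, briefly removing the public-access statement. I would extend the header comment to `# One-time imports — remove after successful apply. The plan must show "import" only, with no replace, for password_set_public_url.` and note who removes the block and when.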
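Review bot: The new `password_set_public_url` statement grants `lambda:InvokeFunctionUrl` to `principal = "*"` with `function_url_auth_type = "NONE"`, so AWS performs no authentication before the password-set handler runs. The comment above it explains why the statement exists, but not what protects the endpoint instead. I would add a line such as `# No IAM auth on this URL: the handler itself must authenticate and throttle every request.` so the next reader knows where the control lives. The `password_set_public_invoke` resource continues outside the hunk; if its `lambda:InvokeFunction` grant is also to `*` and is not restricted with the `lambda:InvokedViaFunctionUrl` condition, any AWS principal could presumably call the Invoke API directly and bypass the URL, so please confirm that condition is set there.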