diff --git a/create-agentic-app/package-lock.json b/create-agentic-app/package-lock.json
index 46d2d26..ce81ee3 100644
--- a/create-agentic-app/package-lock.json
+++ b/create-agentic-app/package-lock.json
@@ -1,12 +1,12 @@
 {
   "name": "create-agentic-app",
-  "version": "1.1.20",
+  "version": "1.1.21",
   "lockfileVersion": 3,
   "requires": true,
   "packages": {
     "": {
       "name": "create-agentic-app",
-      "version": "1.1.20",
+      "version": "1.1.21",
       "license": "MIT",
       "dependencies": {
         "chalk": "^5.3.0",
diff --git a/create-agentic-app/package.json b/create-agentic-app/package.json
index 0633606..8b04a03 100644
--- a/create-agentic-app/package.json
+++ b/create-agentic-app/package.json
@@ -1,6 +1,6 @@
 {
   "name": "create-agentic-app",
-  "version": "1.1.20",
+  "version": "1.1.21",
   "description": "Scaffold a new agentic AI application with Next.js, Better Auth, and AI SDK",
   "type": "module",
   "bin": {
diff --git a/create-agentic-app/template/specs/boilerplate-improvements/implementation-plan.md b/create-agentic-app/template/specs/boilerplate-improvements/implementation-plan.md
index 394cbcf..7f60ee2 100644
--- a/create-agentic-app/template/specs/boilerplate-improvements/implementation-plan.md
+++ b/create-agentic-app/template/specs/boilerplate-improvements/implementation-plan.md
@@ -82,7 +82,7 @@
   - [ ] Add rate limiting (10 requests/minute per user)
   - [ ] Add Zod validation for messages
   - [ ] Add message length limits
-- [ ] Modify `src/app/api/diagnostics/route.ts` - Restrict to authenticated admins
+- [x] Modify `src/app/api/diagnostics/route.ts` - Keep public (used by homepage setup checklist before login)
 
 ### SEO
 - [ ] Modify `src/app/layout.tsx` - Add Open Graph metadata
diff --git a/create-agentic-app/template/src/app/api/diagnostics/route.ts b/create-agentic-app/template/src/app/api/diagnostics/route.ts
index 580d113..33fe9e9 100644
--- a/create-agentic-app/template/src/app/api/diagnostics/route.ts
+++ b/create-agentic-app/template/src/app/api/diagnostics/route.ts
@@ -1,6 +1,4 @@
-import { headers } from "next/headers";
 import { NextResponse } from "next/server";
-import { auth } from "@/lib/auth";
 
 type StatusLevel = "ok" | "warn" | "error";
 
@@ -33,15 +31,10 @@ interface DiagnosticsResponse {
   overallStatus: StatusLevel;
 }
 
+// This endpoint is intentionally public (no auth required) because it's used
+// by the setup checklist on the homepage before users are logged in.
+// It only returns boolean flags about configuration status, not sensitive data.
 export async function GET(req: Request) {
-  // Require authentication for diagnostics endpoint
-  const session = await auth.api.getSession({ headers: await headers() });
-  if (!session) {
-    return NextResponse.json(
-      { error: "Unauthorized. Please sign in to access diagnostics." },
-      { status: 401 }
-    );
-  }
   const env = {
     POSTGRES_URL: Boolean(process.env.POSTGRES_URL),
     BETTER_AUTH_SECRET: Boolean(process.env.BETTER_AUTH_SECRET),
diff --git a/specs/boilerplate-improvements/implementation-plan.md b/specs/boilerplate-improvements/implementation-plan.md
index 394cbcf..7f60ee2 100644
--- a/specs/boilerplate-improvements/implementation-plan.md
+++ b/specs/boilerplate-improvements/implementation-plan.md
@@ -82,7 +82,7 @@
   - [ ] Add rate limiting (10 requests/minute per user)
   - [ ] Add Zod validation for messages
   - [ ] Add message length limits
-- [ ] Modify `src/app/api/diagnostics/route.ts` - Restrict to authenticated admins
+- [x] Modify `src/app/api/diagnostics/route.ts` - Keep public (used by homepage setup checklist before login)
 
 ### SEO
 - [ ] Modify `src/app/layout.tsx` - Add Open Graph metadata
diff --git a/src/app/api/diagnostics/route.ts b/src/app/api/diagnostics/route.ts
index 580d113..33fe9e9 100644
--- a/src/app/api/diagnostics/route.ts
+++ b/src/app/api/diagnostics/route.ts
@@ -1,6 +1,4 @@
-import { headers } from "next/headers";
 import { NextResponse } from "next/server";
-import { auth } from "@/lib/auth";
 
 type StatusLevel = "ok" | "warn" | "error";
 
@@ -33,15 +31,10 @@ interface DiagnosticsResponse {
   overallStatus: StatusLevel;
 }
 
+// This endpoint is intentionally public (no auth required) because it's used
+// by the setup checklist on the homepage before users are logged in.
+// It only returns boolean flags about configuration status, not sensitive data.
 export async function GET(req: Request) {
-  // Require authentication for diagnostics endpoint
-  const session = await auth.api.getSession({ headers: await headers() });
-  if (!session) {
-    return NextResponse.json(
-      { error: "Unauthorized. Please sign in to access diagnostics." },
-      { status: 401 }
-    );
-  }
   const env = {
     POSTGRES_URL: Boolean(process.env.POSTGRES_URL),
     BETTER_AUTH_SECRET: Boolean(process.env.BETTER_AUTH_SECRET),