diff --git a/api.js b/api.js
index 488d1ee..16e56f1 100644
--- a/api.js
+++ b/api.js
@@ -906,8 +906,7 @@ app.get("/api/sets/:setCode", requireCardDb, (req, res) => {
 });
 // POST /api/card-database/sync
-app.post("/api/card-database/sync", apiAuthMiddleware, async (req, res) => {
- if (req.authTier !== "owner") return res.status(403).json({ error: "Owner only" });
+app.post("/api/card-database/sync", ownerOnly, async (req, res) => {
 try {
 const force = req.query.force === "true";
 const result = await syncCardDatabase({ force });
diff --git a/test/api-test.js b/test/api-test.js
index d0098e7..dea3569 100644
--- a/test/api-test.js
+++ b/test/api-test.js
@@ -948,8 +948,9 @@ async function run() {
 });
 await test("POST /api/card-database/sync requires owner key", async () => {
- const { res } = await json("/api/card-database/sync", { method: "POST" });
- assert(res.status === 403, `expected 403, got ${res.status}`);
+ const { res } = await jsonNoAuth("/api/card-database/sync", { method: "POST" });
+ if (API_KEY) assert(res.status === 403, `expected 403, got ${res.status}`);
+ else assert(res.status === 200, `expected 200 in local mode, got ${res.status}`);
 });
 // ── Price trend ──
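Review bot: The owner check on `POST /api/card-database/sync` now rests entirely on `ownerOnly`, whose definition is outside this hunk, and the updated test in test/api-test.js expects an unauthenticated POST to get 200 when no API key is set, so the route appears to fail open in local mode. The handler runs `syncCardDatabase({ force })` with `force` read from the query string, so it is worth confirming that a keyless instance is only reachable from loopback, or having `ownerOnly` refuse when no key is configured. If the open behaviour is intended, state it above the route, e.g. `// ownerOnly: 403 unless the owner key is presented; passes every request when no API key is configured (local mode)`. The handler body continues past the end of the hunk.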
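Review bot: The rewritten test only sends a request with no credentials, so nothing here checks that a valid non-owner key is still refused now that the tier comparison has moved into `ownerOnly`. The removed lines asserted 403 through `json(...)`, which presumably sent the default, non-owner key; if so, keep that case beside the new one with `const { res: keyed } = await json("/api/card-database/sync", { method: "POST" });` and a 403 assertion on `keyed.status` guarded by `API_KEY`. In local mode the 200 branch also means the test now triggers a real sync, which deserves a one-line comment saying that is intended. The enclosing `run()` starts and ends outside the hunk.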