diff --git a/src/gateway/server/ws-connection/auth-context.ts b/src/gateway/server/ws-connection/auth-context.ts
index d5e98dfd533..cb797772288 100644
--- a/src/gateway/server/ws-connection/auth-context.ts
+++ b/src/gateway/server/ws-connection/auth-context.ts
@@ -133,9 +133,13 @@ export async function resolveConnectAuthState(params: {
 // primary auth flow (or deferred for device-token candidates).
 rateLimitScope: AUTH_RATE_LIMIT_SCOPE_SHARED_SECRET,
 }));
+ // Trusted-proxy auth is semantically shared: the proxy vouches for identity,
+ // no per-device credential needed. Include it so operator connections
+ // can skip device identity via roleCanSkipDeviceIdentity().
 const sharedAuthOk =
- sharedAuthResult?.ok === true &&
- (sharedAuthResult.method === "token" || sharedAuthResult.method === "password");
+ (sharedAuthResult?.ok === true &&
+ (sharedAuthResult.method === "token" || sharedAuthResult.method === "password")) ||
+ (authResult.ok && authResult.method === "trusted-proxy");
 
 return {
 authResult,
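Review bot: Folding `authResult.method === "trusted-proxy"` into `sharedAuthOk` widens that flag for every consumer of the returned state, not only the roleCanSkipDeviceIdentity() path the new comment names. Any other code that reads `sharedAuthOk` as "a shared token or password was verified" will now also accept proxy-asserted identity. I would leave `sharedAuthOk` unchanged and add a separate flag, `const trustedProxyAuthOk = authResult.ok === true && authResult.method === "trusted-proxy";`, so the device-identity skip opts in explicitly. The skip is only as strong as the trusted-proxy check itself: how `authResult` establishes that the connection really came from the configured proxy is not visible in this hunk, so that should be confirmed, along with a test for an operator connection arriving with forged proxy headers. resolveConnectAuthState starts and ends outside the hunk.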