diff --git a/authz/authz.go b/authz/authz.go
index ca3991f7..774ce4de 100644
--- a/authz/authz.go
+++ b/authz/authz.go
@@ -15,6 +15,8 @@
 package authz
 
 import (
+	"strings"
+
 	"github.com/casbin/casbin/v2"
 	"github.com/casbin/casbin/v2/model"
 	xormadapter "github.com/casbin/xorm-adapter/v2"
@@ -144,7 +146,7 @@ func IsAllowed(subOwner string, subName string, method string, urlPath string, o
 
 func isAllowedInDemoMode(subOwner string, subName string, method string, urlPath string, objOwner string, objName string) bool {
 	if method == "POST" {
-		if urlPath == "/api/login" || urlPath == "/api/logout" || urlPath == "/api/signup" || urlPath == "/api/send-verification-code" {
+		if strings.HasPrefix(urlPath, "/api/login") || urlPath == "/api/logout" || urlPath == "/api/signup" || urlPath == "/api/send-verification-code" {
 			return true
 		} else if urlPath == "/api/update-user" {
 			// Allow ordinary users to update their own information