diff --git a/routes/routes.go b/routes/routes.go
index 8e5c89a..3b5973f 100644
--- a/routes/routes.go
+++ b/routes/routes.go
@@ -35,6 +35,42 @@ func Register(
 // Default 1MB body limit for API routes; upload endpoints are excluded
 apiBodyLimit := middleware.BodyLimit(1*1024*1024, "/api/download/upload")
+
+ // ── Internal API (Rate Limit 제외, API Key 인증만) ──────────────
+ // 반드시 /api 그룹보다 먼저 등록해야 apiLimiter를 우회함
+ internalApi := app.Group("/api/internal", apiBodyLimit, middleware.ServerAuth)
+
+ // Internal - Boss Raid
+ br := internalApi.Group("/bossraid")
+ br.Post("/entry", brH.RequestEntry)
+ br.Post("/start", brH.StartRaid)
+ br.Post("/complete", middleware.IdempotencyRequired, brH.CompleteRaid)
+ br.Post("/fail", brH.FailRaid)
+ br.Get("/room", brH.GetRoom)
+ br.Post("/validate-entry", brH.ValidateEntryToken)
+ br.Post("/register", brH.RegisterServer)
+ br.Post("/heartbeat", brH.Heartbeat)
+ br.Post("/reset-room", brH.ResetRoom)
+ br.Get("/server-status", brH.GetServerStatus)
+
+ // Internal - Auth
+ internalAuth := internalApi.Group("/auth")
+ internalAuth.Post("/verify", authH.VerifyToken)
+
+ // Internal - Player
+ internalPlayer := internalApi.Group("/player")
+ internalPlayer.Get("/profile", playerH.InternalGetProfile)
+ internalPlayer.Post("/save", playerH.InternalSaveGameData)
+
+ // Internal - Chain
+ internalChain := internalApi.Group("/chain")
+ internalChain.Post("/reward", middleware.IdempotencyRequired, chainH.InternalGrantReward)
+ internalChain.Post("/mint", middleware.IdempotencyRequired, chainH.InternalMintAsset)
+ internalChain.Get("/balance", chainH.InternalGetBalance)
+ internalChain.Get("/assets", chainH.InternalGetAssets)
+ internalChain.Get("/inventory", chainH.InternalGetInventory)
+
+ // ── Public API (Rate Limit 적용) ────────────────────────────────
 api := app.Group("/api", apiLimiter, apiBodyLimit)
 // Auth
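Review bot: Registering `/api/internal` ahead of the `/api` group leaves `middleware.ServerAuth` as the only control on these routes, so requests it rejects are presumably no longer throttled at all, since they never reach `apiLimiter`. That matters because the group carries `/chain/mint`, `/chain/reward` and `/player/save`; a separate limiter that counts only failed authentications, or restricting the prefix to the game-server network at the proxy, would keep key guessing bounded without slowing legitimate server traffic. The bypass also depends purely on registration order, so the comment should say so explicitly, e.g. `// SECURITY: no rate limit on this group; ServerAuth is the only gate. Must stay registered before app.Group("/api", ...)`, and a route test asserting that an unauthenticated request under `/api/internal/` is rejected would catch a later reorder. Register's body starts and ends outside this hunk.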
@@ -105,36 +141,4 @@ func Register(
 p.Get("/profile", playerH.GetProfile)
 p.Put("/profile", playerH.UpdateProfile)
- // ── Internal API (Rate Limit 제외, API Key 인증만) ──────────────
- internalApi := app.Group("/api/internal", apiBodyLimit, middleware.ServerAuth)
-
- // Internal - Boss Raid
- br := internalApi.Group("/bossraid")
- br.Post("/entry", brH.RequestEntry)
- br.Post("/start", brH.StartRaid)
- br.Post("/complete", middleware.IdempotencyRequired, brH.CompleteRaid)
- br.Post("/fail", brH.FailRaid)
- br.Get("/room", brH.GetRoom)
- br.Post("/validate-entry", brH.ValidateEntryToken)
- br.Post("/register", brH.RegisterServer)
- br.Post("/heartbeat", brH.Heartbeat)
- br.Post("/reset-room", brH.ResetRoom)
- br.Get("/server-status", brH.GetServerStatus)
-
- // Internal - Auth
- internalAuth := internalApi.Group("/auth")
- internalAuth.Post("/verify", authH.VerifyToken)
-
- // Internal - Player
- internalPlayer := internalApi.Group("/player")
- internalPlayer.Get("/profile", playerH.InternalGetProfile)
- internalPlayer.Post("/save", playerH.InternalSaveGameData)
-
- // Internal - Chain
- internalChain := internalApi.Group("/chain")
- internalChain.Post("/reward", middleware.IdempotencyRequired, chainH.InternalGrantReward)
- internalChain.Post("/mint", middleware.IdempotencyRequired, chainH.InternalMintAsset)
- internalChain.Get("/balance", chainH.InternalGetBalance)
- internalChain.Get("/assets", chainH.InternalGetAssets)
- internalChain.Get("/inventory", chainH.InternalGetInventory)
 }