diff --git a/README.md b/README.md
index 0aed3f3..068a1c9 100644
--- a/README.md
+++ b/README.md
@@ -159,6 +159,8 @@ NPM’s Access Lists use browser `Authorization` headers, so the app never needs
 NPM’s own docs call out that Access List basic auth and app-side auth both use `Authorization`, so the app-side login is the one to disable in production.
+If `DASHBOARD_USERNAME` and `DASHBOARD_PASSWORD_HASH` are omitted, the app now falls back to proxy-only mode automatically.
+
 For direct local Docker testing without a proxy:
 ```sh
diff --git a/status_bot.py b/status_bot.py
index 9acadc4..638502d 100644
--- a/status_bot.py
+++ b/status_bot.py
@@ -603,8 +603,11 @@ def dashboard_auth_from_env() -> DashboardAuth | None:
 if bool_env("DASHBOARD_AUTH_DISABLED", False):
 return None
- username = env("DASHBOARD_USERNAME")
- encoded_hash = env("DASHBOARD_PASSWORD_HASH")
+ username = os.getenv("DASHBOARD_USERNAME", "").strip()
+ encoded_hash = os.getenv("DASHBOARD_PASSWORD_HASH", "").strip()
+ if not username or not encoded_hash:
+ return None
+
 ttl = int(os.getenv("DASHBOARD_SESSION_TTL_SECONDS", "28800"))
 secure = bool_env("DASHBOARD_COOKIE_SECURE", False)
 return DashboardAuth(
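Review bot: The added `if not username or not encoded_hash: return None` in `dashboard_auth_from_env` fails open. A misspelled variable name, a secret that was never injected, or only one of the two values being set now returns the same `None` as the explicit `DASHBOARD_AUTH_DISABLED` branch above it. Per the README line in this commit, that means proxy-only mode. The README also describes running the container directly without a proxy, so a deployment can end up with no app-side login and no indication of why. I would split the two cases: treat a half-configured pair as an error with `if bool(username) != bool(encoded_hash): raise RuntimeError("set both DASHBOARD_USERNAME and DASHBOARD_PASSWORD_HASH, or neither")`, and emit a startup warning before the `return None` taken when both are absent (using whatever logger the module already has, which this hunk does not show). The function body continues past the end of the hunk, so what `DashboardAuth(...)` does with these values is not visible here.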