diff --git a/src/api/pyproject.toml b/src/api/pyproject.toml
index 484812ea..eec646fd 100644
--- a/src/api/pyproject.toml
+++ b/src/api/pyproject.toml
@@ -6,6 +6,7 @@ readme = "README.md"
 requires-python = ">=3.12"
 dependencies = [
     "alembic>=1.17.2",
+    "authlib>=1.6.9",  # CVE fix: transitive dep pinned for security
     "apache-age-python>=0.0.7",
     "asyncpg>=0.31.0",
     "asyncpg-listen>=0.0.9",
diff --git a/src/api/uv.lock b/src/api/uv.lock
index b085bb5d..c8e2c16d 100644
--- a/src/api/uv.lock
+++ b/src/api/uv.lock
@@ -149,14 +149,14 @@ wheels = [
 
 [[package]]
 name = "authlib"
-version = "1.6.6"
+version = "1.6.9"
 source = { registry = "https://pypi.org/simple" }
 dependencies = [
     { name = "cryptography" },
 ]
-sdist = { url = "https://files.pythonhosted.org/packages/bb/9b/b1661026ff24bc641b76b78c5222d614776b0c085bcfdac9bd15a1cb4b35/authlib-1.6.6.tar.gz", hash = "sha256:45770e8e056d0f283451d9996fbb59b70d45722b45d854d58f32878d0a40c38e", size = 164894, upload-time = "2025-12-12T08:01:41.464Z" }
+sdist = { url = "https://files.pythonhosted.org/packages/af/98/00d3dd826d46959ad8e32af2dbb2398868fd9fd0683c26e56d0789bd0e68/authlib-1.6.9.tar.gz", hash = "sha256:d8f2421e7e5980cc1ddb4e32d3f5fa659cfaf60d8eaf3281ebed192e4ab74f04", size = 165134, upload-time = "2026-03-02T07:44:01.998Z" }
 wheels = [
-    { url = "https://files.pythonhosted.org/packages/54/51/321e821856452f7386c4e9df866f196720b1ad0c5ea1623ea7399969ae3b/authlib-1.6.6-py2.py3-none-any.whl", hash = "sha256:7d9e9bc535c13974313a87f53e8430eb6ea3d1cf6ae4f6efcd793f2e949143fd", size = 244005, upload-time = "2025-12-12T08:01:40.209Z" },
+    { url = "https://files.pythonhosted.org/packages/53/23/b65f568ed0c22f1efacb744d2db1a33c8068f384b8c9b482b52ebdbc3ef6/authlib-1.6.9-py2.py3-none-any.whl", hash = "sha256:f08b4c14e08f0861dc18a32357b33fbcfd2ea86cfe3fe149484b4d764c4a0ac3", size = 244197, upload-time = "2026-03-02T07:44:00.307Z" },
 ]
 
 [[package]]
@@ -1171,13 +1171,14 @@ wheels = [
 
 [[package]]
 name = "kartograph-api"
-version = "3.30.0"
+version = "3.31.0"
 source = { virtual = "." }
 dependencies = [
     { name = "alembic" },
     { name = "apache-age-python" },
     { name = "asyncpg" },
     { name = "asyncpg-listen" },
+    { name = "authlib" },
     { name = "authzed" },
     { name = "bcrypt" },
     { name = "cyclopts" },
@@ -1214,6 +1215,7 @@ requires-dist = [
     { name = "apache-age-python", specifier = ">=0.0.7" },
     { name = "asyncpg", specifier = ">=0.31.0" },
     { name = "asyncpg-listen", specifier = ">=0.0.9" },
+    { name = "authlib", specifier = ">=1.6.9" },
     { name = "authzed", specifier = ">=1.24.0" },
     { name = "bcrypt", specifier = ">=5.0.0" },
     { name = "cyclopts", specifier = "==5.0.0a1" },