diff --git a/services/platform-service/src/server.ts b/services/platform-service/src/server.ts
index f7c35a7b..06a01d5f 100644
--- a/services/platform-service/src/server.ts
+++ b/services/platform-service/src/server.ts
@@ -64,6 +64,22 @@ const app = await createServiceApp({
   metrics: true,
 });
 
+// Parse JWT on every request (best-effort — doesn't block unauthenticated routes)
+import { verifyToken } from './modules/auth/jwt.js';
+import type { JwtPayload } from './lib/request-context.js';
+
+app.addHook('onRequest', async req => {
+  const auth = req.headers.authorization;
+  if (!auth?.startsWith('Bearer ')) return;
+  try {
+    const payload = await verifyToken(auth.slice(7));
+    req.jwtPayload = payload as JwtPayload;
+  } catch {
+    // Token invalid/expired — leave jwtPayload undefined.
+    // Auth-required routes will handle this in their own validation.
+  }
+});
+
 // Register route modules
 await app.register(productRoutes, { prefix: '/api' });
 await app.register(authRoutes, { prefix: '/api' });