diff --git a/scripts/patch-indieauth-metadata-well-known.mjs b/scripts/patch-indieauth-metadata-well-known.mjs
new file mode 100644
index 00000000..e3283944
--- /dev/null
+++ b/scripts/patch-indieauth-metadata-well-known.mjs
@@ -0,0 +1,39 @@
+/**
+ * Add /.well-known/indieauth-metadata as a public route.
+ *
+ * endpoint-auth registers /auth/metadata (authenticated) and
+ * /.well-known/oauth-authorization-server (patched away by patch-mastodon-well-known),
+ * but never /.well-known/indieauth-metadata. Without an explicit registration
+ * the request falls through to indieauth.authenticate() and redirects to login.
+ */
+
+import { readFileSync, writeFileSync } from "node:fs";
+import { fileURLToPath } from "node:url";
+import { join, dirname } from "node:path";
+
+const __dirname = dirname(fileURLToPath(import.meta.url));
+const pkg = join(__dirname, "../node_modules/@indiekit/endpoint-auth/index.js");
+let src = readFileSync(pkg, "utf-8");
+
+const MARKER = "// patch-indieauth-metadata-well-known: added";
+if (src.includes(MARKER)) {
+  console.log("[patch-indieauth-metadata-well-known] Already applied");
+  process.exit(0);
+}
+
+const OLD = `    router.get("/change-password", (request, response) =>
+      response.redirect(\`\${this.mountPath}/new-password\`),
+    );`;
+const NEW = `    router.get("/change-password", (request, response) =>
+      response.redirect(\`\${this.mountPath}/new-password\`),
+    );
+    router.get("/indieauth-metadata", metadataController); ${MARKER}`;
+
+if (!src.includes(OLD)) {
+  console.error("[patch-indieauth-metadata-well-known] Target line not found — check endpoint-auth version");
+  process.exit(1);
+}
+
+src = src.replace(OLD, NEW);
+writeFileSync(pkg, src, "utf-8");
+console.log("[patch-indieauth-metadata-well-known] Added /.well-known/indieauth-metadata public route");