diff --git a/apps/web/src/routes/auth.ts b/apps/web/src/routes/auth.ts
index 9cebca3..738de8e 100644
--- a/apps/web/src/routes/auth.ts
+++ b/apps/web/src/routes/auth.ts
@@ -6,7 +6,10 @@ import { createRateLimiter } from "../utils/rate-limit";
 const EMAIL_HMAC_KEY = process.env.EMAIL_HMAC_KEY || "pingql-default-hmac-key";
 
 function redir(to: string) {
-  return new Response(null, { status: 302, headers: { Location: to } });
+  return new Response(
+    `<!DOCTYPE html><html><head><meta http-equiv="refresh" content="0;url=${to}"><meta name="robots" content="noindex"></head><body></body></html>`,
+    { headers: { "content-type": "text/html; charset=utf-8", "cache-control": "no-store" } },
+  );
 }
 
 // ── Per-IP rate limiting for auth endpoints ───────────────────────────
diff --git a/apps/web/src/routes/dashboard.ts b/apps/web/src/routes/dashboard.ts
index d15913a..4feb715 100644
--- a/apps/web/src/routes/dashboard.ts
+++ b/apps/web/src/routes/dashboard.ts
@@ -111,7 +111,10 @@ export function html(template: string, data: Record<string, unknown> = {}) {
 }
 
 function redirect(to: string) {
-  return new Response(null, { status: 302, headers: { Location: to } });
+  return new Response(
+    `<!DOCTYPE html><html><head><meta http-equiv="refresh" content="0;url=${to}"><meta name="robots" content="noindex"></head><body></body></html>`,
+    { headers: { "content-type": "text/html; charset=utf-8", "cache-control": "no-store" } },
+  );
 }
 
 async function getAccountId(cookie: any, headers: any): Promise<{ accountId: string; keyId: string | null; plan: string } | null> {
diff --git a/apps/web/src/views/settings.ejs b/apps/web/src/views/settings.ejs
index a365493..c802d20 100644
--- a/apps/web/src/views/settings.ejs
+++ b/apps/web/src/views/settings.ejs
@@ -141,13 +141,12 @@
           <h2 class="text-sm font-semibold text-gray-300">Sub-Keys</h2>
           <p class="text-xs text-gray-600 mt-0.5">Create separate keys for different apps, scripts, or teammates.</p>
         </div>
-        <button onclick="document.getElementById('create-key-form').classList.toggle('hidden')" class="px-3 py-1.5 bg-blue-600 hover:bg-blue-500 text-white rounded-lg text-xs font-medium transition-colors">+ New Sub-Key</button>
       </div>
 
       <!-- Create key form -->
-      <form id="create-key-form" action="/account/keys" method="POST" class="hidden mb-4 p-4 bg-gray-800/50 rounded-lg border border-gray-700">
+      <form action="/account/keys" method="POST" class="mb-4 p-4 bg-gray-800/50 rounded-lg border border-gray-700">
         <input type="hidden" name="_form" value="1">
-        <label class="block text-xs text-gray-500 mb-1.5">Label</label>
+        <label class="block text-xs text-gray-500 mb-1.5">New Sub-Key</label>
         <div class="flex gap-2">
           <input name="label" type="text" placeholder="e.g. ci-pipeline, mobile-app" required
             class="flex-1 bg-gray-800 border border-gray-700 rounded-lg px-3 py-2 text-gray-100 placeholder-gray-600 focus:outline-none focus:border-blue-500 text-sm">