diff --git a/weed/s3api/s3api_bucket_handlers.go b/weed/s3api/s3api_bucket_handlers.go
index d7f5aa7b8..9f658aaaa 100644
--- a/weed/s3api/s3api_bucket_handlers.go
+++ b/weed/s3api/s3api_bucket_handlers.go
@@ -624,6 +624,17 @@ func (s3a *S3ApiServer) AuthWithPublicRead(handler http.HandlerFunc, action Acti
 
 		glog.V(4).Infof("AuthWithPublicRead: bucket=%s, object=%s, authType=%v, isAnonymous=%v", bucket, object, authType, isAnonymous)
 
+		// Allow anonymous access for SOSAPI virtual objects (discovery)
+		if isSOSAPIObject(object) {
+			// Ensure the bucket exists anyway
+			_, errCode := s3a.getBucketConfig(bucket)
+			if errCode == s3err.ErrNone {
+				glog.V(3).Infof("AuthWithPublicRead: allowing anonymous access to SOSAPI object %s in bucket %s", object, bucket)
+				handler(w, r)
+				return
+			}
+		}
+
 		// For anonymous requests, check if bucket allows public read via ACLs or bucket policies
 		if isAnonymous {
 			// First check ACL-based public access