diff --git a/app/oauth/callback/route.ts b/app/oauth/callback/route.ts
index 344da49d..2f66a103 100644
--- a/app/oauth/callback/route.ts
+++ b/app/oauth/callback/route.ts
@@ -64,7 +64,7 @@ export async function GET(request: NextRequest) {
 try {
 // Determine the redirect URI (must match what was used in the authorization request)
- const redirectUri = `${request.nextUrl.origin}/oauth/callback`;
+ const redirectUri = `${process.env.APP_BASE_URL}/oauth/callback`;
 // Exchange authorization code for tokens
 const tokens = await exchangeCodeForTokens(code, codeVerifier, redirectUri);
diff --git a/app/oauth/login/route.ts b/app/oauth/login/route.ts
index 41a4a91a..6b973561 100644
--- a/app/oauth/login/route.ts
+++ b/app/oauth/login/route.ts
@@ -17,8 +17,9 @@ export async function GET(request: NextRequest) {
 const codeVerifier = generateRandomString(64);
 const codeChallenge = await generateCodeChallenge(codeVerifier);
- // Determine redirect URI
- const redirectUri = `${request.nextUrl.origin}/oauth/callback`;
+ // Determine redirect URI from the configured base URL, not the request origin,
+ // since the app runs behind a reverse proxy (Cloudflare Tunnel / Tailscale).
+ const redirectUri = `${process.env.APP_BASE_URL}/oauth/callback`;
 // Store state and code verifier in cookies for validation in callback
 const cookieStore = await cookies();
diff --git a/k8s/prod/configmap-env.yaml b/k8s/prod/configmap-env.yaml
index 1c433039..f992df30 100644
--- a/k8s/prod/configmap-env.yaml
+++ b/k8s/prod/configmap-env.yaml
@@ -4,6 +4,7 @@ metadata:
 name: forecasting-prod-env-config
 data:
 ENV: "prod"
+ APP_BASE_URL: "https://forecasting.ethanswan.com"
 IDP_BASE_URL: "http://identity.identity-prod.svc.cluster.local"
 NEXT_PUBLIC_IDP_BASE_URL: "https://identity.ethanswan.com"
 SENTRY_DSN: "https://42fb7fde7d5842831f2324ed33c7f50f@o4509062063587328.ingest.us.sentry.io/4509062066012160"
diff --git a/k8s/staging/configmap-env.yaml b/k8s/staging/configmap-env.yaml
index 7482993f..17abc600 100644
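Review bot: In app/oauth/callback/route.ts the new `redirectUri` line interpolates `process.env.APP_BASE_URL` without checking it, so a pod started without the variable sends the literal `undefined/oauth/callback` to the token endpoint and the failure shows up only as a rejected exchange. The identical line is added in app/oauth/login/route.ts, and the comment above this one says the two values must match, so building the URI in one shared helper that throws on a missing value and drops a trailing slash keeps them from drifting apart. The helper below is a sketch of that, to be called from both routes. GET's body and the catch for this try are outside the hunk, so confirm how a thrown error is reported to the user.

```typescript
// shared by the login and callback routes
function getOAuthRedirectUri(): string {
  const baseUrl = process.env.APP_BASE_URL;
  if (!baseUrl) {
    throw new Error("APP_BASE_URL is not set");
  }
  return `${baseUrl.replace(/\/+$/, "")}/oauth/callback`;
}

// … unchanged: comment above the redirect URI …
const redirectUri = getOAuthRedirectUri();
```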
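Review bot: In app/oauth/login/route.ts the state and code-verifier cookies are still set on whatever host served this request, while the IdP will now always send the browser back to the `APP_BASE_URL` host. If the app is reachable under a second hostname (the new comment mentions both Cloudflare Tunnel and Tailscale), a login started there would presumably reach the callback without those cookies and fail state validation. Consider redirecting to the canonical host before the cookies are set, or at least recording the constraint next to the new comment: `// Login must start on the APP_BASE_URL host; the state cookie is host-scoped.` The cookie options are outside the hunk, so this depends on how they are set.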
--- a/k8s/staging/configmap-env.yaml
+++ b/k8s/staging/configmap-env.yaml
@@ -4,6 +4,7 @@ metadata:
 name: forecasting-staging-env-config
 data:
 ENV: "staging"
+ APP_BASE_URL: "https://forecasting-staging.tailc06f30.ts.net"
 IDP_BASE_URL: "http://identity.identity-staging.svc.cluster.local"
 NEXT_PUBLIC_IDP_BASE_URL: "https://identity-staging.tailc06f30.ts.net"
 SENTRY_DSN: "https://42fb7fde7d5842831f2324ed33c7f50f@o4509062063587328.ingest.us.sentry.io/4509062066012160"