diff --git a/.env.example b/.env.example index 5f665b0..e17619f 100644 --- a/.env.example +++ b/.env.example @@ -18,6 +18,7 @@ DATABASE_URL=sqlite://data/gitea-mirror.db # Generate with: openssl rand -base64 32 BETTER_AUTH_SECRET=change-this-to-a-secure-random-string-in-production BETTER_AUTH_URL=http://localhost:4321 +# PUBLIC_BETTER_AUTH_URL=https://your-domain.com # Optional: Set this if accessing from different origins (e.g., IP and domain) # ENCRYPTION_SECRET=optional-encryption-key-for-token-encryption # Generate with: openssl rand -base64 48 # =========================================== diff --git a/src/lib/auth-client.ts b/src/lib/auth-client.ts index 9242e6f..a193598 100644 --- a/src/lib/auth-client.ts +++ b/src/lib/auth-client.ts @@ -4,9 +4,20 @@ import { ssoClient } from "@better-auth/sso/client"; import type { Session as BetterAuthSession, User as BetterAuthUser } from "better-auth"; export const authClient = createAuthClient({ - // The base URL is optional when running on the same domain - // Better Auth will use the current domain by default - baseURL: typeof window !== 'undefined' ? window.location.origin : 'http://localhost:4321', + // Use PUBLIC_BETTER_AUTH_URL if set (for multi-origin access), otherwise use current origin + // This allows the client to connect to the auth server even when accessed from different origins + baseURL: (() => { + // Check for public environment variable first (for client-side access) + if (typeof import.meta !== 'undefined' && import.meta.env?.PUBLIC_BETTER_AUTH_URL) { + return import.meta.env.PUBLIC_BETTER_AUTH_URL; + } + // Fall back to current origin if running in browser + if (typeof window !== 'undefined') { + return window.location.origin; + } + // Default for SSR + return 'http://localhost:4321'; + })(), basePath: '/api/auth', // Explicitly set the base path plugins: [ oidcClient(),
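Review bot: The new `baseURL` IIFE returns `PUBLIC_BETTER_AUTH_URL` unvalidated, yet that value decides which origin the browser sends sign-in requests and session cookies to, so a typo, a trailing path or a plain `http://` value would quietly send credentials somewhere unintended. Parsing the value fails loudly on a malformed URL and strips any path: `return new URL(import.meta.env.PUBLIC_BETTER_AUTH_URL).origin;`, ideally with a console warning when the protocol is not `https:` and the host is not localhost. A cross-origin base URL presumably also requires the server to allow the page origins (trusted origins, CORS with credentials); this diff does not show that, so it is worth confirming and documenting next to the `.env.example` entry. The `createAuthClient({...})` call continues past the end of the hunk.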