diff --git a/src/routers/auth.py b/src/routers/auth.py
index 59cf1d0..a674c31 100644
--- a/src/routers/auth.py
+++ b/src/routers/auth.py
@@ -14,6 +14,8 @@ from src.sso import validate_microsoft_id_token
 _REFRESH_COOKIE = "refresh_token"
 _REFRESH_MAX_AGE = settings.REFRESH_TOKEN_EXPIRE_DAYS * 86400
+# Cookie path must match the browser-visible URL (including BASE_PATH prefix from reverse proxy)
+_COOKIE_PATH = f"{settings.BASE_PATH}/api/auth" if settings.BASE_PATH else "/api/auth"
 def _set_refresh_cookie(response: Response, token: str) -> None:
@@ -24,12 +26,12 @@ def _set_refresh_cookie(response: Response, token: str) -> None:
         secure=not settings.DEBUG,
         samesite="lax",
         max_age=_REFRESH_MAX_AGE,
-        path="/api/auth",
+        path=_COOKIE_PATH,
     )
 def _clear_refresh_cookie(response: Response) -> None:
-    response.delete_cookie(key=_REFRESH_COOKIE, path="/api/auth")
+    response.delete_cookie(key=_REFRESH_COOKIE, path=_COOKIE_PATH)
 router = APIRouter(prefix="/api/auth", tags=["auth"])
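Review bot: The new `_COOKIE_PATH` concatenates `settings.BASE_PATH` verbatim, so the scope of the refresh-token cookie now depends on how that setting is spelled: a value without a leading slash (e.g. `app`) yields `app/api/auth`, which browsers ignore per RFC 6265 §5.2.4 and replace with the default-path of the request URL, silently widening the cookie to every endpoint under `/app/api/`; a trailing slash yields `/app//api/auth`, which never matches the request path, so the cookie is neither sent nor cleared. Since this is the only thing confining the refresh token to the auth endpoints, normalize the prefix before building the path: `_BASE = "/" + settings.BASE_PATH.strip("/") if settings.BASE_PATH and settings.BASE_PATH.strip("/") else ""` and `_COOKIE_PATH = f"{_BASE}/api/auth"`. I cannot see how BASE_PATH is validated in `settings`, so if it is already guaranteed to be of the form `/prefix` this is belt-and-braces; either way the comment should say that the prefix must start with `/` and not end with one.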
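Review bot: With BASE_PATH set, `_clear_refresh_cookie` now only deletes the cookie scoped to the new `_COOKIE_PATH`, so refresh-token cookies issued before this deploy under the old `/api/auth` path are never removed on logout and stay in the browser until `_REFRESH_MAX_AGE` expires (inert for the prefixed URL, but still a live credential on disk unless logout also revokes the token server-side, which this hunk does not show). For the transition, also expire the legacy path: `if _COOKIE_PATH != "/api/auth": response.delete_cookie(key=_REFRESH_COOKIE, path="/api/auth")`. Separately, the deletion passes only `key` and `path` while the set call uses `secure=not settings.DEBUG` and `samesite="lax"`; Starlette's `delete_cookie` accepts the same attributes, so passing them keeps the expiring `Set-Cookie` identical to the original and avoids browser-specific mismatch surprises. `_set_refresh_cookie`'s body starts outside this hunk.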