diff --git a/src/lib/auth.ts b/src/lib/auth.ts
index abc3c8d..f0824b0 100644
--- a/src/lib/auth.ts
+++ b/src/lib/auth.ts
@@ -4,12 +4,16 @@ import { PrismaAdapter } from "@auth/prisma-adapter";
 import { prisma } from "@/lib/prisma";
 import type { Role } from "@/generated/prisma/client";
-// next-auth v5 beta ignores redirectProxyUrl when building the redirect_uri
-// sent to the OAuth provider — it strips the pathname from AUTH_URL and appends
-// basePath directly to the origin. We must pass redirect_uri explicitly so the
-// /hp-prod-tracker basePath is included in the Microsoft callback URL.
-const explicitRedirectUri = process.env.AUTH_URL
- ? `${process.env.AUTH_URL}/api/auth/callback/microsoft-entra-id`
+// AUTH_URL must be the full auth endpoint URL including basePath, e.g.:
+// https://optical-dev.oliver.solutions/hp-prod-tracker/api/auth
+//
+// next-auth v5 beta ignores redirectProxyUrl for the authorization request
+// (strips pathname from AUTH_URL) but DOES use it for the token exchange.
+// We fix the authorization request via authorization.params.redirect_uri
+// and restore redirectProxyUrl so token exchange uses the same URI.
+const authUrl = process.env.AUTH_URL; // e.g. https://…/hp-prod-tracker/api/auth
+const explicitRedirectUri = authUrl
+ ? `${authUrl}/callback/microsoft-entra-id`
 : undefined;
 export const { handlers, auth, signIn, signOut } = NextAuth({
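Review bot: The callback path is appended to `authUrl` by plain concatenation, and the hunk changes what AUTH_URL must contain (the full `/api/auth` endpoint instead of origin plus basePath) without checking the value, so a trailing slash or a deployment still carrying the old-format value produces a redirect_uri that presumably fails the provider's exact-match check at sign-in rather than a clear error at startup. Normalizing and validating at module load would make the new contract explicit: `const authUrl = process.env.AUTH_URL?.replace(/\/+$/, "");` followed by `if (authUrl !== undefined) new URL(authUrl); // fail fast on a malformed AUTH_URL`. The comment block should also state that the value must carry no trailing slash and must end with the auth basePath, since `/callback/microsoft-entra-id` is appended verbatim. The `NextAuth({` call that consumes `explicitRedirectUri` continues beyond this hunk.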
@@ -26,11 +30,13 @@ export const { handlers, auth, signIn, signOut } = NextAuth({
 // Safe for Entra ID — Microsoft verifies organizational emails.
 // Required to link SSO accounts to pre-seeded User records by email match.
 allowDangerousEmailAccountLinking: true,
- // Explicitly set redirect_uri so /hp-prod-tracker basePath is included.
- // next-auth v5 beta strips the pathname from AUTH_URL otherwise.
+ // authorization.params: fixes redirect_uri in the authorization request
+ // redirectProxyUrl: fixes redirect_uri in the token exchange request
+ // Both are needed — beta.30 ignores redirectProxyUrl for authorization.
 ...(explicitRedirectUri && {
 authorization: { params: { redirect_uri: explicitRedirectUri } },
 }),
+ redirectProxyUrl: authUrl,
 }),
 ],
 session: {
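Review bot: `redirectProxyUrl: authUrl` is set unconditionally while the matching `authorization.params.redirect_uri` is only spread in when `explicitRedirectUri` is truthy; both values derive from the same variable and must agree for the token exchange to succeed, so grouping them in one guarded spread keeps them from drifting if one line is edited later, e.g. `...(explicitRedirectUri && { authorization: { params: { redirect_uri: explicitRedirectUri } }, redirectProxyUrl: authUrl }),`. The comment `// Both are needed — beta.30 ignores redirectProxyUrl for authorization.` pins the workaround to a specific beta build; a `// TODO(next-auth): drop authorization.params.redirect_uri once redirectProxyUrl is honoured for the authorization request` would flag it for removal on upgrade. As I understand the Auth.js docs, redirectProxyUrl is meant for proxying OAuth callbacks to preview deployments (the original origin travels in `state`), so pointing it at the app's own URL is worth re-verifying after each library upgrade. The MicrosoftEntraID provider object that holds these options starts and ends outside this hunk.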