diff --git a/packages/stacks-docs/src/lib/auth.ts b/packages/stacks-docs/src/lib/auth.ts
index a3183eb3ce..cece49872e 100644
--- a/packages/stacks-docs/src/lib/auth.ts
+++ b/packages/stacks-docs/src/lib/auth.ts
@@ -5,13 +5,19 @@ import { sveltekitCookies } from "better-auth/svelte-kit";
 import { env } from "$env/dynamic/private";
 import { getRequestEvent } from "$app/server";
 
-// TODO: Make dynamic once we figure out Netlify env vars at runtime
-const baseURL = "https://stackoverflow.design";
+// baseURL is set per deploy from Netlify's build-time env vars
+// DEPLOY_PRIME_URL tracks the current deploy context
+// Static url is the production fallback
+const baseURL = env.DEPLOY_PRIME_URL || env.URL || "https://stackoverflow.design";
 
 export const auth = betterAuth({
     baseURL,
 
-    trustedOrigins: [baseURL, "https://*.stackoverflow.design"],
+    trustedOrigins: [
+        "https://stackoverflow.design",
+        "https://*.stackoverflow.design",
+        "https://*.private-preview.stackoverflow.design",
+    ],
 
     // Secret for signing cookies and tokens
     // openssl rand -base64 32