From aa13c87e87bfc4a7c23d9d565af35a3be24483c6 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Carl-Gerhard=20Lindesva=CC=88rd?= Date: Tue, 20 Jan 2026 12:43:30 +0100 Subject: [PATCH] feat: add CUSTOM_COOKIE_DOMAIN --- .../self-hosting/environment-variables.mdx | 21 +++++++++++++++++++ packages/auth/parse-cookie-domain.ts | 7 +++++++ 2 files changed, 28 insertions(+) diff --git a/apps/public/content/docs/self-hosting/environment-variables.mdx b/apps/public/content/docs/self-hosting/environment-variables.mdx index 9548dcd2..e062c95f 100644 --- a/apps/public/content/docs/self-hosting/environment-variables.mdx +++ b/apps/public/content/docs/self-hosting/environment-variables.mdx @@ -196,6 +196,27 @@ COOKIE_TLDS=my.id,web.id,co.id This is required when using domain suffixes that are public suffixes (like `.co.uk`). Without this, the browser will reject authentication cookies. Common examples include Indonesian domains (`.my.id`, `.web.id`, `.co.id`). +### CUSTOM_COOKIE_DOMAIN + +**Type**: `string` +**Required**: No +**Default**: None + +Override the automatic cookie domain detection and set a specific domain for authentication cookies. Useful when proxying the API through your main domain or when you need precise control over cookie scope. + +**Example**: +```bash +# Set cookies only on the main domain +CUSTOM_COOKIE_DOMAIN=.example.com + +# Set cookies on a specific subdomain +CUSTOM_COOKIE_DOMAIN=.app.example.com +``` + + +When set, this completely bypasses the automatic domain parsing logic. The cookie will always be set as secure. Include a leading dot (`.`) to allow the cookie to be shared across subdomains. + + ### DEMO_USER_ID **Type**: `string` diff --git a/packages/auth/parse-cookie-domain.ts b/packages/auth/parse-cookie-domain.ts index b727fb7f..e405a576 100644 --- a/packages/auth/parse-cookie-domain.ts +++ b/packages/auth/parse-cookie-domain.ts 
@@ -33,6 +33,13 @@ function isMultiPartTLD(potentialTLD: string): boolean {
 }

 export const parseCookieDomain = (url: string) => {
+ if (process.env.CUSTOM_COOKIE_DOMAIN) {
+ return {
+ domain: process.env.CUSTOM_COOKIE_DOMAIN,
+ secure: true,
+ };
+ }
+
 if (!url) {
 return {
 domain: undefined,
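Review bot: The new early return at the top of `parseCookieDomain` passes `process.env.CUSTOM_COOKIE_DOMAIN` through verbatim and never looks at `url`. A value with stray whitespace, a scheme or a port, or one that does not cover the request host, is likely to produce an auth cookie the browser silently rejects, and sign-in then fails with no error. A value broader than intended makes the session cookie readable by every sibling host under that domain, including less-trusted ones. I would normalise it first with `const custom = process.env.CUSTOM_COOKIE_DOMAIN?.trim();`, log and fall through to the automatic parsing when it contains `/`, `:` or whitespace, and add a comment above the branch such as `// Operator override: skips suffix parsing; the cookie is sent to every host under this domain, and only over HTTPS.` The rest of the function is outside the hunk, so I cannot see whether callers re-validate the returned domain.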