diff --git a/.env.development b/.env.development
index efdfcc7..acbeb07 100644
--- a/.env.development
+++ b/.env.development
@@ -14,7 +14,7 @@ NEXT_PUBLIC_TREASURY_ADDRESS=xion106p06276qgsdmtp7yn25qnzhcuchjy3z0xr8x5ag9sqf0s
 NEXT_PUBLIC_ENABLE_OAUTH3=true
 # OAuth3 (TEE-attested OAuth proxy)
-OAUTH3_BASE_URL=https://b7de194832e39104e31cbb56b0efadd9fd3466b4-8080.dstack-pha-prod5.phala.network
+OAUTH3_BASE_URL=https://oauth3.burnt.com
 # Reclaim Protocol (zkTLS verification)
 NEXT_PUBLIC_RECLAIM_CLEARANCE_CONTRACT=xion1naum74xam7ff684n6yewvnc0k50hqg7q9zkgjq0hh780a8kfaxrsp72c07
diff --git a/.env.production b/.env.production
index db8c0e2..08b373c 100644
--- a/.env.production
+++ b/.env.production
@@ -20,14 +20,14 @@ NEXT_PUBLIC_RECLAIM_CLEARANCE_CONTRACT=xion1naum74xam7ff684n6yewvnc0k50hqg7q9zkg
 # OAuth3 (TEE-attested OAuth proxy)
 NEXT_PUBLIC_ENABLE_OAUTH3=true
 NEXT_PUBLIC_GOOGLE_BLOCKED=false
-NEXT_PUBLIC_OAUTH3_BASE_URL=https://b7de194832e39104e31cbb56b0efadd9fd3466b4-8080.dstack-pha-prod5.phala.network
+NEXT_PUBLIC_OAUTH3_BASE_URL=https://oauth3.burnt.com
 # Droplinked Store
 NEXT_PUBLIC_DROPLINKED_SHOP_ID=69a083eab7618f1bcaeaf330
 NEXT_PUBLIC_DROPLINKED_PRODUCT_ID=69a08e00b7618f1bcaeaf335
 # Server only vars
-OAUTH3_BASE_URL=https://b7de194832e39104e31cbb56b0efadd9fd3466b4-8080.dstack-pha-prod5.phala.network
+OAUTH3_BASE_URL=https://oauth3.burnt.com
 RECLAIM_APP_ID=0x715DcADb8884D6D3E17898d81F82257c2733E46d
 MAINTENANCE_MODE=false
diff --git a/src/app/api/oauth3/login/route.ts b/src/app/api/oauth3/login/route.ts
index d40e05e..44dab25 100644
--- a/src/app/api/oauth3/login/route.ts
+++ b/src/app/api/oauth3/login/route.ts
@@ -9,14 +9,13 @@ const PROD_URL = "https://theredactedfile.com";
 export async function GET(request: NextRequest) {
   const host = request.nextUrl.hostname;
-  // For local dev, use the actual origin so the callback reaches localhost.
-  // In production (and any other environment), always use PROD_URL to ensure
-  // the CVM cookie round-trips correctly on the canonical domain.
-  const callbackOrigin = host === "localhost"
-    ? request.nextUrl.origin
-    : PROD_URL;
+  // For local dev and Cloudflare Workers preview deployments, use the actual
+  // request origin so the callback and proxy route resolve to the right host.
+  // In production, use PROD_URL for the canonical domain.
+  const isPreview = host === "localhost" || host.endsWith(".workers.dev");
+  const origin = isPreview ? request.nextUrl.origin : PROD_URL;
-  const returnTo = encodeURIComponent(`${callbackOrigin}/api/oauth3/callback`);
-  const authUrl = `${PROD_URL}/oauth3/auth/google?return_to=${returnTo}`;
+  const returnTo = encodeURIComponent(`${origin}/api/oauth3/callback`);
+  const authUrl = `${origin}/oauth3/auth/google?return_to=${returnTo}`;
   return NextResponse.redirect(authUrl);
 }
diff --git a/src/app/oauth3/[...path]/route.ts b/src/app/oauth3/[...path]/route.ts
index e7ba4f5..a4e1bb1 100644
--- a/src/app/oauth3/[...path]/route.ts
+++ b/src/app/oauth3/[...path]/route.ts
@@ -21,7 +21,7 @@ import { NextRequest, NextResponse } from "next/server";
 const OAUTH3_BASE_URL = process.env.OAUTH3_BASE_URL;
-const ALLOWED_OAUTH3_HOSTS = ["theredactedfile.com", "phala.network"];
+const ALLOWED_OAUTH3_HOSTS = ["theredactedfile.com", "phala.network", "burnt.com"];
 // Hop-by-hop headers that must not be forwarded between hops.
 const HOP_BY_HOP = new Set([
diff --git a/src/middleware.ts b/src/middleware.ts
index 0249cd4..6f4aa40 100644
--- a/src/middleware.ts
+++ b/src/middleware.ts
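Review bot: `host.endsWith(".workers.dev")` admits every Cloudflare workers.dev subdomain, not only this project's preview deployments, and for any such host both the redirect target `authUrl` and the `return_to` value are now built from the request's own origin instead of `PROD_URL`. Because workers.dev is a shared suffix under which any Cloudflare account can register names, the host a request arrives on becomes the authority for where the login is sent; whether a foreign host can actually reach this route depends on the Workers routing, which the hunk does not show. Pinning the test to the account's own preview domain, e.g. `const PREVIEW_SUFFIX = ".<account>.workers.dev"; // placeholder: fill in the deploying account` and `const isPreview = host === "localhost" || host.endsWith(PREVIEW_SUFFIX);`, or reading the expected preview host from an environment variable, keeps the redirect bound to hosts the project controls. The same suffix test appears in `isAllowedHost` in src/middleware.ts, where it widens the Origin allowlist in the same way.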
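Review bot: The new allowlist entry `"burnt.com"` is the apex domain, while `OAUTH3_BASE_URL` in this same commit is `https://oauth3.burnt.com`; if `ALLOWED_OAUTH3_HOSTS` is matched by suffix, as the existing `"phala.network"` entry against the old dstack hostname suggests, every host under burnt.com becomes an acceptable proxy target rather than the one endpoint the configuration points at. The matching code is outside this hunk, so that is inferred. Listing the exact host, `const ALLOWED_OAUTH3_HOSTS = ["theredactedfile.com", "phala.network", "oauth3.burnt.com"];`, keeps the allowlist to the configured endpoint under either matching rule, and a short comment on the constant saying which hosts are meant to be reachable and why would make future additions reviewable. With all three environments in this commit now pointing at burnt.com, the `"phala.network"` entry may be left over; if nothing references the dstack host any more, dropping it shrinks the allowlist.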
@@ -21,6 +21,10 @@ const ALLOWED_HOSTS = [
   "localhost",
 ];
+function isAllowedHost(hostname: string): boolean {
+  return ALLOWED_HOSTS.includes(hostname) || hostname.endsWith(".workers.dev");
+}
+
 function cleanupExpiredEntries() {
   const now = Date.now();
   rateLimitMap.forEach((entry, key) => {
@@ -65,7 +69,7 @@ export function middleware(request: NextRequest) {
   if (origin) {
     try {
       const originHost = new URL(origin).hostname;
-      if (!ALLOWED_HOSTS.includes(originHost)) {
+      if (!isAllowedHost(originHost)) {
         return NextResponse.json(
           { error: "Forbidden" },
           { status: 403 }
diff --git a/wrangler.jsonc b/wrangler.jsonc
index 1b39fdd..81a0457 100644
--- a/wrangler.jsonc
+++ b/wrangler.jsonc
@@ -13,7 +13,7 @@
     "enabled": true
   },
   "vars": {
-    "OAUTH3_BASE_URL": "https://b7de194832e39104e31cbb56b0efadd9fd3466b4-8080.dstack-pha-prod5.phala.network",
+    "OAUTH3_BASE_URL": "https://oauth3.burnt.com",
     "RECLAIM_APP_ID": "0x715DcADb8884D6D3E17898d81F82257c2733E46d",
     "MAINTENANCE_MODE": "false"
   },
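Review bot: `isAllowedHost` has no comment explaining why a suffix match is accepted next to the exact entries in `ALLOWED_HOSTS`, so a reader of the Origin check further down the file will not see that preview deployments are the reason. A TSDoc block such as `/** True for an exact ALLOWED_HOSTS entry or any Cloudflare *.workers.dev preview host; consulted by the Origin check in middleware(). */` would record it. The comment should also note that the two halves differ in strictness — exact hostname for the list, suffix for workers.dev — since that asymmetry is what a future maintainer is most likely to overlook.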