diff --git a/src/proxy.ts b/src/proxy.ts
index c2e0ed68..b5dfd580 100644
--- a/src/proxy.ts
+++ b/src/proxy.ts
@@ -209,7 +209,14 @@ export function proxy(request: NextRequest): NextResponse {
 return applyCsp(NextResponse.next({ request: { headers: requestHeaders } }), nonce, pathname);
 }
- const sessionToken = request.cookies.get('pn-crm.session_token');
+ // better-auth prefixes the cookie with `__Secure-` whenever it issues
+ // secure cookies (production / HTTPS), so the name on the wire is
+ // `__Secure-pn-crm.session_token` in prod but bare `pn-crm.session_token`
+ // in dev. Check both, or every authenticated request in prod gets
+ // bounced to /login because the gate can't find the (prefixed) cookie.
+ const sessionToken =
+ request.cookies.get('pn-crm.session_token') ??
+ request.cookies.get('__Secure-pn-crm.session_token');
 if (!sessionToken?.value) {
 if (isApiRoute(pathname)) {
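Review bot: The `??` fallback in the new `sessionToken` lookup only moves on when the bare cookie is absent, so a `pn-crm.session_token` cookie that is present but empty (stale, or set by something other than the auth library) shadows a valid `__Secure-pn-crm.session_token` and the `!sessionToken?.value` check still bounces the request. Trying the bare name first also means that on an HTTPS deployment the gate is satisfied by a cookie that carries none of the `__Secure-` prefix guarantees (set over a secure connection, with the Secure attribute). I would look up the prefixed name first and fall through on an empty value, e.g. `const sessionToken = [request.cookies.get('__Secure-pn-crm.session_token'), request.cookies.get('pn-crm.session_token')].find((c) => c?.value);`, or accept the bare name only when secure cookies are off. Only a presence check is visible in this hunk, so this assumes the token is actually verified further down; `proxy` continues outside the hunk.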