diff --git a/server/src/auth/auth.ts b/server/src/auth/auth.ts
index ceed746..cfc37ed 100644
--- a/server/src/auth/auth.ts
+++ b/server/src/auth/auth.ts
@@ -166,6 +166,9 @@ export const auth = betterAuth({
 trustedOrigins: [
 'http://localhost:5173',
 'https://labwise.wahwa.com',
+ // Apple sends the OAuth code via form_post, so the POST to
+ // /api/auth/callback/apple arrives with Origin: appleid.apple.com.
+ 'https://appleid.apple.com',
 // iOS native app callback — allows Better Auth to honour the
 // https://labwise.wahwa.com/api/ios-callback callbackURL
 'labwise://',
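Review bot: The comment on the new `'https://appleid.apple.com'` entry describes it as serving only the Apple form_post callback, but `trustedOrigins` is one list for the whole `betterAuth` config, so the entry is presumably honoured wherever Better Auth checks a request origin or a callback URL, not only on `/api/auth/callback/apple`. I would state that scope in the comment, e.g. `// Note: trustedOrigins is global — this origin is trusted on every origin-checked route, not only the Apple callback.` It is also worth confirming that the Apple callback still validates the OAuth `state` value, since that check, rather than the Origin header, is what ties the incoming POST to a sign-in this server started. The `betterAuth({ ... })` call starts and ends outside the hunk, so the rest of the configuration is not visible here.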