diff --git a/server/src/auth/auth.ts b/server/src/auth/auth.ts
index 4250840..046d94f 100644
--- a/server/src/auth/auth.ts
+++ b/server/src/auth/auth.ts
@@ -58,5 +58,8 @@ export const auth = betterAuth({
   trustedOrigins: [
     'http://localhost:5173',
     'https://labwise.wahwa.com',
+    // iOS native app callback — allows Better Auth to honour the
+    // https://labwise.wahwa.com/api/ios-callback callbackURL
+    'labwise://',
   ],
 });
diff --git a/server/src/index.ts b/server/src/index.ts
index 683d502..2fd12b9 100644
--- a/server/src/index.ts
+++ b/server/src/index.ts
@@ -4,6 +4,7 @@ import cors from 'cors';
 import { toNodeHandler } from 'better-auth/node';
 import { auth } from './auth/auth';
 import { authRateLimiter, apiRateLimiter } from './auth/rateLimiter';
+import { requireAuth } from './auth/middleware';
 import chemicalsRouter from './routes/chemicals';
 import protocolsRouter from './routes/protocols';
 import profileRouter from './routes/profile';
@@ -27,6 +28,29 @@ app.use(cors({
 // Serve uploaded files
 app.use('/uploads', express.static(UPLOADS_DIR));
 
+// iOS OAuth callback — must be registered before the Better Auth wildcard
+// so Express matches this specific path first.
+// Better Auth completes the Google flow, sets the session cookie, then
+// redirects to this endpoint (passed as callbackURL from the native app).
+// We read the raw session token out of the cookie and forward it in the
+// custom URL scheme so the iOS app can inject it into URLSession's cookie jar.
+app.get('/api/ios-callback', requireAuth, (req, res) => {
+  const cookieHeader = req.headers.cookie ?? '';
+  const token = cookieHeader
+    .split(';')
+    .map(c => c.trim())
+    .find(c => c.startsWith('better-auth.session_token='))
+    ?.split('=')
+    .slice(1)
+    .join('='); // re-join in case the value itself contains '='
+
+  if (!token) {
+    return res.redirect('labwise://auth?error=no_session');
+  }
+
+  res.redirect(`labwise://auth?token=${encodeURIComponent(token)}`);
+});
+
 // Better Auth — must come before express.json() so it can read its own body
 app.use('/api/auth/*', authRateLimiter);
 app.all('/api/auth/*', toNodeHandler(auth));