diff --git a/server/src/index.ts b/server/src/index.ts
index 9e238ea..e93bd63 100644
--- a/server/src/index.ts
+++ b/server/src/index.ts
@@ -60,10 +60,13 @@ app.get('/api/ios-google', async (req, res) => {
 // custom URL scheme so the iOS app can inject it into URLSession's cookie jar.
 app.get('/api/ios-callback', (req, res) => {
   const cookieHeader = req.headers.cookie ?? '';
+  console.log('[ios-callback] cookies received:', cookieHeader.split(';').map(c => c.trim().split('=')[0]));
+  // Better Auth sets either 'better-auth.session_token' (dev/HTTP) or
+  // '__Secure-better-auth.session_token' (production HTTPS).
   const token = cookieHeader
     .split(';')
     .map(c => c.trim())
-    .find(c => c.startsWith('better-auth.session_token='))
+    .find(c => c.startsWith('better-auth.session_token=') || c.startsWith('__Secure-better-auth.session_token='))
     ?.split('=')
     .slice(1)
     .join('='); // re-join in case the value itself contains '='