diff --git a/.github/workflows/publish-workspace-server-image.yml b/.github/workflows/publish-workspace-server-image.yml
index 5f7d6bd4..c72d6c8e 100644
--- a/.github/workflows/publish-workspace-server-image.yml
+++ b/.github/workflows/publish-workspace-server-image.yml
@@ -111,6 +111,21 @@ jobs:
 ${{ env.TENANT_IMAGE_NAME }}:staging-${{ steps.tags.outputs.sha }}
 cache-from: type=gha
 cache-to: type=gha,mode=max
+ # Bake the SaaS control-plane URL into the canvas bundle.
+ # Canvas's browser-side code uses PLATFORM_URL for every
+ # /cp/* call (auth, orgs, billing, terms). Leaving this empty
+ # made PLATFORM_URL fall back to http://localhost:8080 in the
+ # built bundle — which fails from the user's browser because
+ # localhost resolves to their own machine, not the tenant
+ # instance. Baking the CP origin here fixes browser-side auth
+ # for every tenant.
+ #
+ # Self-hosted / private-label deployments override this by
+ # rebuilding the image with a different NEXT_PUBLIC_PLATFORM_URL
+ # build-arg (e.g. https://api.their-domain.com). Same pattern
+ # molecule-app uses with NEXT_PUBLIC_CP_ORIGIN.
+ build-args: |
+ NEXT_PUBLIC_PLATFORM_URL=https://api.moleculesai.app
 labels: |
 org.opencontainers.image.source=https://github.com/${{ github.repository }}
 org.opencontainers.image.revision=${{ github.sha }}
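Review bot: The new `build-args` entry hard-codes `https://api.moleculesai.app`, while the tag visible just above it in the same step is `staging-${{ steps.tags.outputs.sha }}`, so if staging has its own control plane, staging images will send browser-side auth, org and billing calls to this origin instead. Consider taking the value from a repository or environment variable, e.g. `NEXT_PUBLIC_PLATFORM_URL=${{ vars.PLATFORM_URL }}` (placeholder variable name), so each environment bakes its own origin and a change to the auth origin is visible in configuration review. Because the comment says an empty value falls back silently to `http://localhost:8080`, a preceding step that fails the job when the value is empty or does not start with `https://` would keep that fallback from shipping again. The build step begins above the hunk, so whether the Dockerfile declares a matching `ARG NEXT_PUBLIC_PLATFORM_URL` cannot be confirmed from here.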