diff --git a/canvas/src/lib/auth.ts b/canvas/src/lib/auth.ts
index 8514260d..fe7c71ab 100644
--- a/canvas/src/lib/auth.ts
+++ b/canvas/src/lib/auth.ts
@@ -7,6 +7,7 @@
  * can surface them.
  */
 import { PLATFORM_URL } from "./api";
+import { SaaSHostSuffix } from "./tenant";
 
 export interface Session {
   user_id: string;
@@ -17,6 +18,18 @@ export interface Session {
 // Base path prefix for auth endpoints on the control plane.
 const AUTH_BASE = "/cp/auth";
 
+// Auth UI lives on the "app" subdomain (app.moleculesai.app), NOT on
+// tenant subdomains (hongmingwang.moleculesai.app). Tenant subdomains
+// proxy to EC2 platform which has no auth routes.
+function getAuthOrigin(): string {
+  if (typeof window === "undefined") return PLATFORM_URL;
+  const host = window.location.hostname;
+  if (host.endsWith(SaaSHostSuffix)) {
+    return `${window.location.protocol}//app${SaaSHostSuffix}`;
+  }
+  return PLATFORM_URL;
+}
+
 /**
  * fetchSession probes /cp/auth/me with the session cookie (credentials:
  * include mandatory cross-origin). Returns the Session on 200, null on
@@ -50,6 +63,7 @@ export function redirectToLogin(screenHint: "sign-up" | "sign-in" = "sign-in"):
   if (window.location.pathname.startsWith("/cp/auth/")) return;
   const returnTo = window.location.href;
   const path = screenHint === "sign-up" ? "signup" : "login";
-  const dest = `${PLATFORM_URL}${AUTH_BASE}/${path}?return_to=${encodeURIComponent(returnTo)}`;
+  const authOrigin = getAuthOrigin();
+  const dest = `${authOrigin}${AUTH_BASE}/${path}?return_to=${encodeURIComponent(returnTo)}`;
   window.location.href = dest;
 }