diff --git a/.cursor/commands/pr-comments-review.md b/.cursor/commands/pr-comments-review.md
index bc9d8784f3..b8e4bcc58a 100644
--- a/.cursor/commands/pr-comments-review.md
+++ b/.cursor/commands/pr-comments-review.md
@@ -1 +1 @@
-Please review the PR comments with the `gh` CLI and fix those issues that are valid and relevant. Resolve the comments when you fix them. Also resolve all those comments that no longer exist or have already been resolved. Leave those comments that are mostly bullshit unresolved. Report the result to me in detail. Do NOT automatically commit or stage the changes back to the PR!
+Please review the PR comments with the `gh` CLI and fix those issues that are valid and relevant. Resolve the comments when you fix them. Also resolve all those comments that no longer exist or have already been resolved. Leave those comments that are mostly bullshit unresolved. Also, create or modify tests to make sure the fixed behavior works as expected. Report the result to me in detail (for the most important issues, whether resolved or unresolved, mark them with a ‼️ emoji). Do NOT automatically commit or stage the changes back to the PR!
diff --git a/apps/backend/.env.development b/apps/backend/.env.development
index 8b9329ce29..4ad9528b8c 100644
--- a/apps/backend/.env.development
+++ b/apps/backend/.env.development
@@ -1,5 +1,6 @@
 NEXT_PUBLIC_STACK_API_URL=http://localhost:${NEXT_PUBLIC_STACK_PORT_PREFIX:-81}02
 NEXT_PUBLIC_STACK_DASHBOARD_URL=http://localhost:${NEXT_PUBLIC_STACK_PORT_PREFIX:-81}01
+NEXT_PUBLIC_STACK_HOSTED_HANDLER_DOMAIN_SUFFIX=.localhost:${NEXT_PUBLIC_STACK_PORT_PREFIX:-81}09
 NEXT_PUBLIC_STACK_IS_LOCAL_EMULATOR=false
 STACK_SERVER_SECRET=23-wuNpik0gIW4mruTz25rbIvhuuvZFrLOLtL7J4tyo
 
diff --git a/apps/backend/prisma/migrations/20260310150000_add_oauth_authorization_code_refresh_token_id/migration.sql b/apps/backend/prisma/migrations/20260310150000_add_oauth_authorization_code_refresh_token_id/migration.sql
new file mode 100644
index 0000000000..3ee579ba15
--- /dev/null
+++ b/apps/backend/prisma/migrations/20260310150000_add_oauth_authorization_code_refresh_token_id/migration.sql
@@ -0,0 +1,2 @@
+ALTER TABLE "ProjectUserAuthorizationCode"
+ADD COLUMN "grantedRefreshTokenId" UUID;
diff --git a/apps/backend/prisma/migrations/20260310150000_add_oauth_authorization_code_refresh_token_id/tests/preserve-null-and-allow-uuid.ts b/apps/backend/prisma/migrations/20260310150000_add_oauth_authorization_code_refresh_token_id/tests/preserve-null-and-allow-uuid.ts
new file mode 100644
index 0000000000..87c16da2b6
--- /dev/null
+++ b/apps/backend/prisma/migrations/20260310150000_add_oauth_authorization_code_refresh_token_id/tests/preserve-null-and-allow-uuid.ts
@@ -0,0 +1,81 @@
+import { randomUUID } from "crypto";
+import type { Sql } from "postgres";
+import { expect } from "vitest";
+
+export const preMigration = async (sql: Sql) => {
+  const projectId = `test-${randomUUID()}`;
+  const tenancyId = randomUUID();
+  const projectUserId = randomUUID();
+  const authorizationCode = `code-${randomUUID()}`;
+
+  await sql`
+    INSERT INTO "Project" ("id", "createdAt", "updatedAt", "displayName", "description", "isProductionMode")
+    VALUES (${projectId}, NOW(), NOW(), 'Test', '', false)
+  `;
+  await sql`
+    INSERT INTO "Tenancy" ("id", "createdAt", "updatedAt", "projectId", "branchId", "hasNoOrganization")
+    VALUES (${tenancyId}::uuid, NOW(), NOW(), ${projectId}, 'main', 'TRUE'::"BooleanTrue")
+  `;
+  await sql`
+    INSERT INTO "ProjectUser" ("projectUserId", "tenancyId", "mirroredProjectId", "mirroredBranchId", "createdAt", "updatedAt", "lastActiveAt")
+    VALUES (${projectUserId}::uuid, ${tenancyId}::uuid, ${projectId}, 'main', NOW(), NOW(), NOW())
+  `;
+  await sql`
+    INSERT INTO "ProjectUserAuthorizationCode" (
+      "tenancyId",
+      "projectUserId",
+      "authorizationCode",
+      "redirectUri",
+      "expiresAt",
+      "codeChallenge",
+      "codeChallengeMethod",
+      "newUser",
+      "afterCallbackRedirectUrl",
+      "createdAt",
+      "updatedAt"
+    )
+    VALUES (
+      ${tenancyId}::uuid,
+      ${projectUserId}::uuid,
+      ${authorizationCode},
+      'https://example.com/callback',
+      NOW() + INTERVAL '10 minutes',
+      'challenge',
+      'S256',
+      false,
+      'https://example.com/after-auth',
+      NOW(),
+      NOW()
+    )
+  `;
+
+  return { tenancyId, projectUserId, authorizationCode };
+};
+
+export const postMigration = async (sql: Sql, ctx: Awaited<ReturnType<typeof preMigration>>) => {
+  const existing = await sql`
+    SELECT "grantedRefreshTokenId"
+    FROM "ProjectUserAuthorizationCode"
+    WHERE "tenancyId" = ${ctx.tenancyId}::uuid
+      AND "authorizationCode" = ${ctx.authorizationCode}
+  `;
+  expect(existing).toHaveLength(1);
+  expect(existing[0].grantedRefreshTokenId).toBeNull();
+
+  const grantedRefreshTokenId = randomUUID();
+  await sql`
+    UPDATE "ProjectUserAuthorizationCode"
+    SET "grantedRefreshTokenId" = ${grantedRefreshTokenId}::uuid
+    WHERE "tenancyId" = ${ctx.tenancyId}::uuid
+      AND "authorizationCode" = ${ctx.authorizationCode}
+  `;
+
+  const updated = await sql`
+    SELECT "grantedRefreshTokenId"
+    FROM "ProjectUserAuthorizationCode"
+    WHERE "tenancyId" = ${ctx.tenancyId}::uuid
+      AND "authorizationCode" = ${ctx.authorizationCode}
+  `;
+  expect(updated).toHaveLength(1);
+  expect(updated[0].grantedRefreshTokenId).toBe(grantedRefreshTokenId);
+};
diff --git a/apps/backend/prisma/schema.prisma b/apps/backend/prisma/schema.prisma
index ecb4a8c512..48403f9daf 100644
--- a/apps/backend/prisma/schema.prisma
+++ b/apps/backend/prisma/schema.prisma
@@ -69,10 +69,10 @@ model Tenancy {
   branchId String
 
   // If organizationId is NULL, hasNoOrganization must be TRUE. If organizationId is not NULL, hasNoOrganization must be NULL.
-  organizationId    String?       @db.Uuid
-  hasNoOrganization BooleanTrue?
-  emailOutboxes     EmailOutbox[]
-  sessionReplays SessionReplay[]
+  organizationId      String?              @db.Uuid
+  hasNoOrganization   BooleanTrue?
+  emailOutboxes       EmailOutbox[]
+  sessionReplays      SessionReplay[]
   sessionReplayChunks SessionReplayChunk[]
   managedEmailDomains ManagedEmailDomain[]
 
@@ -94,24 +94,24 @@ enum ManagedEmailDomainStatus {
 model ManagedEmailDomain {
   id String @id @default(uuid()) @db.Uuid
 
-  tenancyId String @db.Uuid
-  tenancy Tenancy @relation(fields: [tenancyId], references: [id], onDelete: Cascade)
+  tenancyId String  @db.Uuid
+  tenancy   Tenancy @relation(fields: [tenancyId], references: [id], onDelete: Cascade)
 
   projectId String
-  branchId String
+  branchId  String
 
-  subdomain String
-  senderLocalPart String
-  resendDomainId String @unique
+  subdomain         String
+  senderLocalPart   String
+  resendDomainId    String @unique
   nameServerRecords Json
 
-  status ManagedEmailDomainStatus @default(PENDING_VERIFICATION)
+  status            ManagedEmailDomainStatus @default(PENDING_VERIFICATION)
   providerStatusRaw String?
-  isActive Boolean @default(true)
-  lastError String?
-  verifiedAt DateTime?
-  appliedAt DateTime?
-  lastWebhookAt DateTime?
+  isActive          Boolean                  @default(true)
+  lastError         String?
+  verifiedAt        DateTime?
+  appliedAt         DateTime?
+  lastWebhookAt     DateTime?
 
   createdAt DateTime @default(now())
   updatedAt DateTime @updatedAt
@@ -367,18 +367,18 @@ model SessionReplay {
   chunks SessionReplayChunk[]
 
   @@id([tenancyId, id])
-  @@map("SessionReplay")
   @@index([tenancyId, projectUserId, startedAt])
   @@index([tenancyId, lastEventAt])
   // index by updatedAt instead of lastEventAt because event timing can be spoofed
   @@index([tenancyId, refreshTokenId, updatedAt])
+  @@map("SessionReplay")
 }
 
 model SessionReplayChunk {
   id String @id @default(uuid()) @db.Uuid
 
-  tenancyId        String @db.Uuid
-  sessionReplayId  String @db.Uuid @map("sessionReplayId")
+  tenancyId       String @db.Uuid
+  sessionReplayId String @map("sessionReplayId") @db.Uuid
 
   // Unique per uploaded batch for a given session id.
   batchId String @db.Uuid
@@ -402,8 +402,8 @@ model SessionReplayChunk {
   tenancy       Tenancy       @relation(fields: [tenancyId], references: [id], onDelete: Cascade)
 
   @@unique([tenancyId, sessionReplayId, batchId])
-  @@map("SessionReplayChunk")
   @@index([tenancyId, sessionReplayId, createdAt])
+  @@map("SessionReplayChunk")
 }
 
 enum ContactChannelType {
@@ -631,6 +631,9 @@ model ProjectUserAuthorizationCode {
 
   newUser                  Boolean
   afterCallbackRedirectUrl String?
+  /// Refresh token ID that should be granted when this authorization code is exchanged.
+  /// NULL means no specific refresh token is preselected, so the token endpoint follows normal issuance/reuse logic.
+  grantedRefreshTokenId    String? @db.Uuid
 
   @@id([tenancyId, authorizationCode])
 }
diff --git a/apps/backend/src/app/api/latest/auth/oauth/authorize/[provider_id]/route.tsx b/apps/backend/src/app/api/latest/auth/oauth/authorize/[provider_id]/route.tsx
index ef2c23292e..853ddc71fb 100644
--- a/apps/backend/src/app/api/latest/auth/oauth/authorize/[provider_id]/route.tsx
+++ b/apps/backend/src/app/api/latest/auth/oauth/authorize/[provider_id]/route.tsx
@@ -1,11 +1,12 @@
 import { checkApiKeySet, throwCheckApiKeySetError } from "@/lib/internal-api-keys";
+import { isAcceptedNativeAppUrl, validateRedirectUrl } from "@/lib/redirect-urls";
 import { getSoleTenancyFromProjectBranch } from "@/lib/tenancies";
 import { decodeAccessToken, oauthCookieSchema } from "@/lib/tokens";
-import { getRequestContextAndBotChallengeAssessment, botChallengeFlowRequestSchemaFields } from "@/lib/turnstile";
+import { botChallengeFlowRequestSchemaFields, getRequestContextAndBotChallengeAssessment } from "@/lib/turnstile";
 import { getProjectBranchFromClientId, getProvider } from "@/oauth";
 import { globalPrismaClient } from "@/prisma-client";
-import { createSmartRouteHandler } from "@/route-handlers/smart-route-handler";
 import type { SmartResponse } from "@/route-handlers/smart-response";
+import { createSmartRouteHandler } from "@/route-handlers/smart-route-handler";
 import { KnownErrors } from "@stackframe/stack-shared/dist/known-errors";
 import { urlSchema, yupArray, yupNumber, yupObject, yupString, yupUnion } from "@stackframe/stack-shared/dist/schema-fields";
 import { getNodeEnvironment } from "@stackframe/stack-shared/dist/utils/env";
@@ -37,7 +38,7 @@ export const GET = createSmartRouteHandler({
        */
       error_redirect_url: urlSchema.optional().meta({ openapiField: { hidden: true } }),
       error_redirect_uri: urlSchema.optional(),
-      after_callback_redirect_url: yupString().optional(),
+      after_callback_redirect_url: urlSchema.optional(),
       stack_response_mode: yupString().oneOf(["json", "redirect"]).default("redirect"),
       ...botChallengeFlowRequestSchemaFields,
 
@@ -93,6 +94,13 @@ export const GET = createSmartRouteHandler({
     if (query.type === "link" && !query.token) {
       throw new StatusError(StatusError.BadRequest, "?token= query parameter is required for link type");
     }
+    if (
+      query.after_callback_redirect_url
+      && !validateRedirectUrl(query.after_callback_redirect_url, tenancy)
+      && !isAcceptedNativeAppUrl(query.after_callback_redirect_url)
+    ) {
+      throw new KnownErrors.RedirectUrlNotWhitelisted();
+    }
 
     const { turnstileAssessment } = await getRequestContextAndBotChallengeAssessment(query, "oauth_authenticate", tenancy);
 
diff --git a/apps/backend/src/app/api/latest/auth/oauth/cross-domain/authorize/route.tsx b/apps/backend/src/app/api/latest/auth/oauth/cross-domain/authorize/route.tsx
new file mode 100644
index 0000000000..972bd52358
--- /dev/null
+++ b/apps/backend/src/app/api/latest/auth/oauth/cross-domain/authorize/route.tsx
@@ -0,0 +1,184 @@
+import { checkApiKeySet, throwCheckApiKeySetError } from "@/lib/internal-api-keys";
+import { isAcceptedNativeAppUrl, validateRedirectUrl } from "@/lib/redirect-urls";
+import { Tenancy } from "@/lib/tenancies";
+import { isRefreshTokenValid } from "@/lib/tokens";
+import { oauthServer } from "@/oauth";
+import { globalPrismaClient } from "@/prisma-client";
+import { createSmartRouteHandler } from "@/route-handlers/smart-route-handler";
+import { KnownErrors } from "@stackframe/stack-shared";
+import { adaptSchema, clientOrHigherAuthTypeSchema, urlSchema, yupNumber, yupObject, yupString, yupTuple } from "@stackframe/stack-shared/dist/schema-fields";
+import { StackAssertionError, StatusError } from "@stackframe/stack-shared/dist/utils/errors";
+import { publishableClientKeyNotNecessarySentinel } from "@stackframe/stack-shared/dist/utils/oauth";
+import { InvalidClientError, InvalidScopeError, Request as OAuthRequest, Response as OAuthResponse } from "@node-oauth/oauth2-server";
+
+type CrossDomainAuthorizeBody = {
+  redirect_uri: string,
+  state: string,
+  code_challenge: string,
+  code_challenge_method: "S256",
+  after_callback_redirect_url?: string,
+};
+
+export async function createCrossDomainAuthorizeRedirect(options: {
+  tenancy: Tenancy,
+  user: { id: string, refreshTokenId: string } | null,
+  publishableClientKey: string,
+  body: CrossDomainAuthorizeBody,
+}): Promise<string> {
+  const { tenancy, user, body } = options;
+  if (!user) {
+    throw new KnownErrors.UserAuthenticationRequired();
+  }
+  if (
+    !validateRedirectUrl(body.redirect_uri, tenancy) &&
+    !isAcceptedNativeAppUrl(body.redirect_uri)
+  ) {
+    throw new KnownErrors.RedirectUrlNotWhitelisted();
+  }
+  if (
+    body.after_callback_redirect_url &&
+    !validateRedirectUrl(body.after_callback_redirect_url, tenancy) &&
+    !isAcceptedNativeAppUrl(body.after_callback_redirect_url)
+  ) {
+    throw new KnownErrors.RedirectUrlNotWhitelisted();
+  }
+  const oauthRequest = new OAuthRequest({
+    headers: {},
+    body: {},
+    method: "GET",
+    query: {
+      client_id: tenancy.branchId === "main" ? tenancy.project.id : `${tenancy.project.id}#${tenancy.branchId}`,
+      client_secret: options.publishableClientKey,
+      redirect_uri: body.redirect_uri,
+      scope: "legacy",
+      state: body.state,
+      grant_type: "authorization_code",
+      code_challenge: body.code_challenge,
+      code_challenge_method: body.code_challenge_method,
+      response_type: "code",
+    },
+  });
+  const oauthResponse = new OAuthResponse();
+  try {
+    await oauthServer.authorize(
+      oauthRequest,
+      oauthResponse,
+      {
+        authenticateHandler: {
+          handle: async () => ({
+            id: user.id,
+            refreshTokenId: user.refreshTokenId,
+            newUser: false,
+            afterCallbackRedirectUrl: body.after_callback_redirect_url,
+          }),
+        },
+      },
+    );
+  } catch (error) {
+    if (error instanceof InvalidClientError) {
+      throw new KnownErrors.InvalidOAuthClientIdOrSecret();
+    }
+    if (error instanceof InvalidScopeError) {
+      throw new StatusError(400, "Invalid scope requested.");
+    }
+    throw error;
+  }
+
+  const redirectUrl = oauthResponse.headers?.location;
+  if (typeof redirectUrl !== "string") {
+    throw new StackAssertionError("Cross-domain authorization response is missing redirect location", {
+      oauthResponse,
+    });
+  }
+  return redirectUrl;
+}
+
+export const POST = createSmartRouteHandler({
+  metadata: {
+    summary: "Create cross-domain auth handoff redirect",
+    description: "Creates a one-time OAuth authorization code redirect for cross-domain sign-in handoff using PKCE.",
+    tags: ["Oauth"],
+  },
+  request: yupObject({
+    auth: yupObject({
+      type: clientOrHigherAuthTypeSchema,
+      tenancy: adaptSchema.defined(),
+      user: adaptSchema.optional(),
+      refreshTokenId: adaptSchema.optional(),
+    }).defined(),
+    headers: yupObject({
+      "x-stack-publishable-client-key": yupTuple([yupString().defined()]).optional(),
+      "x-stack-refresh-token": yupTuple([yupString().defined()]).optional(),
+    }).defined(),
+    body: yupObject({
+      redirect_uri: urlSchema.defined(),
+      state: yupString().min(1).max(512).defined(),
+      code_challenge: yupString().matches(/^[A-Za-z0-9._~-]{43,128}$/).defined(),
+      code_challenge_method: yupString().oneOf(["S256"]).default("S256"),
+      after_callback_redirect_url: urlSchema.optional(),
+    }).defined(),
+  }),
+  response: yupObject({
+    statusCode: yupNumber().oneOf([200]).defined(),
+    bodyType: yupString().oneOf(["json"]).defined(),
+    body: yupObject({
+      redirect_url: urlSchema.defined(),
+    }).defined(),
+  }),
+  async handler({ auth: { tenancy, user, refreshTokenId }, headers, body }) {
+    let userWithSession: { id: string, refreshTokenId: string } | null = null;
+    if (!user) {
+      throw new KnownErrors.UserAuthenticationRequired();
+    }
+    if (!refreshTokenId) {
+      throw new StatusError(400, "Cross-domain auth handoff requires a refresh-token-bound session. Please sign in again.");
+    }
+    const providedRefreshToken = headers["x-stack-refresh-token"]?.[0];
+    if (!providedRefreshToken) {
+      throw new StatusError(400, "Cross-domain auth handoff requires passing the current refresh token.");
+    }
+    const refreshTokenObj = await globalPrismaClient.projectUserRefreshToken.findUnique({
+      where: {
+        refreshToken: providedRefreshToken,
+      },
+    });
+    if (
+      !refreshTokenObj
+      || refreshTokenObj.id !== refreshTokenId
+      || refreshTokenObj.projectUserId !== user.id
+      || refreshTokenObj.tenancyId !== tenancy.id
+    ) {
+      throw new StatusError(401, "Cross-domain auth handoff refresh token does not match the authenticated session.");
+    }
+    if (!await isRefreshTokenValid({ tenancy, refreshTokenObj })) {
+      throw new StatusError(401, "Cross-domain auth handoff refresh token is not valid.");
+    }
+    userWithSession = {
+      id: user.id,
+      refreshTokenId: refreshTokenObj.id,
+    };
+    const publishableClientKey = headers["x-stack-publishable-client-key"]?.[0] ?? publishableClientKeyNotNecessarySentinel;
+    const keyCheck = await checkApiKeySet(tenancy.project.id, { publishableClientKey });
+    if (keyCheck.status === "error") {
+      throwCheckApiKeySetError(
+        keyCheck.error,
+        tenancy.project.id,
+        new KnownErrors.InvalidPublishableClientKey(tenancy.project.id),
+      );
+    }
+    const redirectUrl = await createCrossDomainAuthorizeRedirect({
+      tenancy,
+      user: userWithSession,
+      publishableClientKey,
+      body,
+    });
+
+    return {
+      statusCode: 200,
+      bodyType: "json",
+      body: {
+        redirect_url: redirectUrl,
+      },
+    };
+  },
+});
diff --git a/apps/backend/src/oauth/model.tsx b/apps/backend/src/oauth/model.tsx
index 841300b42f..4953c2331b 100644
--- a/apps/backend/src/oauth/model.tsx
+++ b/apps/backend/src/oauth/model.tsx
@@ -8,7 +8,7 @@ import { createRefreshTokenObj, decodeAccessToken, generateAccessTokenFromRefres
 import { getPrismaClientForTenancy, globalPrismaClient } from "@/prisma-client";
 import { AuthorizationCode, AuthorizationCodeModel, Client, Falsey, RefreshToken, Token, User } from "@node-oauth/oauth2-server";
 import { KnownErrors } from "@stackframe/stack-shared";
-import { captureError, throwErr } from "@stackframe/stack-shared/dist/utils/errors";
+import { StackAssertionError, StatusError, captureError, throwErr } from "@stackframe/stack-shared/dist/utils/errors";
 import { getProjectBranchFromClientId } from ".";
 const PrismaClientKnownRequestError = Prisma.PrismaClientKnownRequestError;
 
@@ -123,6 +123,9 @@ export class OAuthModel implements AuthorizationCodeModel {
           },
         },
       });
+      if (refreshTokenObj && refreshTokenObj.projectUserId !== user.id) {
+        throw new StatusError(401, "Cross-domain handoff refresh token does not belong to the authenticated user.");
+      }
       if (refreshTokenObj && await isRefreshTokenValid({ tenancy, refreshTokenObj })) {
         return refreshTokenObj;
       }
@@ -145,6 +148,8 @@ export class OAuthModel implements AuthorizationCodeModel {
   }
 
   async saveToken(token: Token, client: Client, user: User): Promise<Token | Falsey> {
+    const afterCallbackRedirectUrl = user.afterCallbackRedirectUrl ?? null;
+
     if (token.refreshToken) {
       const tenancy = await getSoleTenancyFromProjectBranch(...getProjectBranchFromClientId(client.id));
       const prisma = await getPrismaClientForTenancy(tenancy);
@@ -199,8 +204,8 @@ export class OAuthModel implements AuthorizationCodeModel {
       // TODO remove deprecated camelCase properties
       newUser: user.newUser,
       is_new_user: user.newUser,
-      afterCallbackRedirectUrl: user.afterCallbackRedirectUrl,
-      after_callback_redirect_url: user.afterCallbackRedirectUrl,
+      afterCallbackRedirectUrl: afterCallbackRedirectUrl,
+      after_callback_redirect_url: afterCallbackRedirectUrl,
     };
   }
 
@@ -297,6 +302,7 @@ export class OAuthModel implements AuthorizationCodeModel {
         projectUserId: user.id,
         newUser: user.newUser,
         afterCallbackRedirectUrl: user.afterCallbackRedirectUrl,
+        grantedRefreshTokenId: user.refreshTokenId,
         tenancyId: tenancy.id,
       },
     });
@@ -361,7 +367,8 @@ export class OAuthModel implements AuthorizationCodeModel {
       user: {
         id: code.projectUserId,
         newUser: code.newUser,
-        afterCallbackRedirectUrl: code.afterCallbackRedirectUrl,
+        afterCallbackRedirectUrl: code.afterCallbackRedirectUrl ?? undefined,
+        refreshTokenId: code.grantedRefreshTokenId ?? undefined,
       },
     };
   }
diff --git a/apps/dashboard/.env.development b/apps/dashboard/.env.development
index c431a5ee70..0a16ee1c92 100644
--- a/apps/dashboard/.env.development
+++ b/apps/dashboard/.env.development
@@ -1,5 +1,6 @@
 NEXT_PUBLIC_STACK_API_URL=http://localhost:${NEXT_PUBLIC_STACK_PORT_PREFIX:-81}02
 NEXT_PUBLIC_STACK_DOCS_BASE_URL=http://localhost:${NEXT_PUBLIC_STACK_PORT_PREFIX:-81}04
+NEXT_PUBLIC_STACK_HOSTED_HANDLER_DOMAIN_SUFFIX=.localhost:${NEXT_PUBLIC_STACK_PORT_PREFIX:-81}09
 NEXT_PUBLIC_STACK_IS_LOCAL_EMULATOR=false
 
 NEXT_PUBLIC_STACK_PROJECT_ID=internal
diff --git a/apps/e2e/.env.development b/apps/e2e/.env.development
index 42b681a546..c764d48b4b 100644
--- a/apps/e2e/.env.development
+++ b/apps/e2e/.env.development
@@ -4,6 +4,7 @@ STACK_INTERNAL_PROJECT_ID=internal
 STACK_INTERNAL_PROJECT_CLIENT_KEY=this-publishable-client-key-is-for-local-development-only
 STACK_INTERNAL_PROJECT_SERVER_KEY=this-secret-server-key-is-for-local-development-only
 STACK_INTERNAL_PROJECT_ADMIN_KEY=this-super-secret-admin-key-is-for-local-development-only
+NEXT_PUBLIC_STACK_HOSTED_HANDLER_DOMAIN_SUFFIX=.localhost:${NEXT_PUBLIC_STACK_PORT_PREFIX:-81}09
 STACK_DATABASE_CONNECTION_STRING=postgres://postgres:PASSWORD-PLACEHOLDER--uqfEC1hmmv@localhost:${NEXT_PUBLIC_STACK_PORT_PREFIX:-81}28/stackframe
 
 STACK_INBUCKET_API_URL=http://localhost:${NEXT_PUBLIC_STACK_PORT_PREFIX:-81}05
diff --git a/apps/e2e/tests/backend/endpoints/api/v1/auth/oauth/authorize.test.ts b/apps/e2e/tests/backend/endpoints/api/v1/auth/oauth/authorize.test.ts
index 55f091f898..ad3905c9de 100644
--- a/apps/e2e/tests/backend/endpoints/api/v1/auth/oauth/authorize.test.ts
+++ b/apps/e2e/tests/backend/endpoints/api/v1/auth/oauth/authorize.test.ts
@@ -217,3 +217,58 @@ it("should fail if an invalid redirect URL is provided", async ({ expect }) => {
     }
   `);
 });
+
+it("should fail if an invalid after_callback_redirect_url is provided", async ({ expect }) => {
+  const response = await niceBackendFetch("/api/v1/auth/oauth/authorize/spotify", {
+    redirect: "manual",
+    query: {
+      ...await Auth.OAuth.getAuthorizeQuery(),
+      after_callback_redirect_url: "not-a-valid-url",
+    },
+  });
+  expect(response).toMatchInlineSnapshot(`
+    NiceResponse {
+      "status": 400,
+      "body": {
+        "code": "SCHEMA_ERROR",
+        "details": {
+          "message": deindent\`
+            Request validation failed on GET /api/v1/auth/oauth/authorize/spotify:
+              - query.after_callback_redirect_url is not a valid URL
+          \`,
+        },
+        "error": deindent\`
+          Request validation failed on GET /api/v1/auth/oauth/authorize/spotify:
+            - query.after_callback_redirect_url is not a valid URL
+        \`,
+      },
+      "headers": Headers {
+        "x-stack-known-error": "SCHEMA_ERROR",
+        <some fields may have been hidden>,
+      },
+    }
+  `);
+});
+
+it("should fail if an untrusted after_callback_redirect_url is provided", async ({ expect }) => {
+  const response = await niceBackendFetch("/api/v1/auth/oauth/authorize/spotify", {
+    redirect: "manual",
+    query: {
+      ...await Auth.OAuth.getAuthorizeQuery(),
+      after_callback_redirect_url: "https://evil.example.com/post-auth",
+    },
+  });
+  expect(response).toMatchInlineSnapshot(`
+    NiceResponse {
+      "status": 400,
+      "body": {
+        "code": "REDIRECT_URL_NOT_WHITELISTED",
+        "error": "Redirect URL not whitelisted. Did you forget to add this domain to the trusted domains list on the Stack Auth dashboard?",
+      },
+      "headers": Headers {
+        "x-stack-known-error": "REDIRECT_URL_NOT_WHITELISTED",
+        <some fields may have been hidden>,
+      },
+    }
+  `);
+});
diff --git a/apps/e2e/tests/backend/endpoints/api/v1/auth/oauth/cross-domain-authorize.test.ts b/apps/e2e/tests/backend/endpoints/api/v1/auth/oauth/cross-domain-authorize.test.ts
new file mode 100644
index 0000000000..c27ea32d49
--- /dev/null
+++ b/apps/e2e/tests/backend/endpoints/api/v1/auth/oauth/cross-domain-authorize.test.ts
@@ -0,0 +1,232 @@
+import { throwErr } from "@stackframe/stack-shared/dist/utils/errors";
+import { publishableClientKeyNotNecessarySentinel } from "@stackframe/stack-shared/dist/utils/oauth";
+import { it, localRedirectUrl } from "../../../../../../helpers";
+import { Auth, backendContext, niceBackendFetch } from "../../../../../backend-helpers";
+
+const pkceCodeVerifier = "W2LPAD4M4ES-3wBjzU6J5ApykmuxQy5VTs3oSmtboDM";
+const pkceCodeChallenge = "xf6HY7PIgoaCf_eMniSt-45brYE2J_05C9BnfIbueik";
+
+const createCrossDomainAuthorizeRedirect = async (options?: {
+  redirectUri?: string,
+  afterCallbackRedirectUrl?: string,
+  state?: string,
+  codeChallenge?: string,
+  userAuth?: {
+    accessToken?: string,
+    refreshToken?: string,
+  },
+}) => {
+  return await niceBackendFetch("/api/v1/auth/oauth/cross-domain/authorize", {
+    method: "POST",
+    accessType: "client",
+    userAuth: options?.userAuth,
+    body: {
+      redirect_uri: options?.redirectUri ?? `${localRedirectUrl}/handler/oauth-callback?stack_cross_domain_auth=1`,
+      state: options?.state ?? "cross-domain-state",
+      code_challenge: options?.codeChallenge ?? pkceCodeChallenge,
+      code_challenge_method: "S256",
+      after_callback_redirect_url: options?.afterCallbackRedirectUrl ?? `${localRedirectUrl}/after-sign-in`,
+    },
+  });
+};
+
+const exchangeAuthorizationCode = async (options: {
+  authorizationCode: string,
+  redirectUri: string,
+  codeVerifier?: string,
+}) => {
+  const projectKeys = backendContext.value.projectKeys;
+  if (projectKeys === "no-project") {
+    throw new Error("No project keys found in the backend context");
+  }
+  return await niceBackendFetch("/api/v1/auth/oauth/token", {
+    method: "POST",
+    accessType: "client",
+    body: {
+      client_id: projectKeys.projectId,
+      client_secret: projectKeys.publishableClientKey ?? publishableClientKeyNotNecessarySentinel,
+      code: options.authorizationCode,
+      redirect_uri: options.redirectUri,
+      code_verifier: options.codeVerifier ?? pkceCodeVerifier,
+      grant_type: "authorization_code",
+    },
+  });
+};
+
+it("creates a one-time cross-domain redirect and exchanges it with PKCE", async ({ expect }) => {
+  await Auth.Password.signUpWithEmail({ noWaitForEmail: true });
+  const existingRefreshToken = backendContext.value.userAuth?.refreshToken ?? throwErr("Missing refresh token in backend test context");
+  const redirectUri = `${localRedirectUrl}/handler/oauth-callback?stack_cross_domain_auth=1`;
+  const afterCallbackRedirectUrl = `${localRedirectUrl}/after-sign-in`;
+
+  const authorizeResponse = await createCrossDomainAuthorizeRedirect({
+    redirectUri,
+    afterCallbackRedirectUrl,
+  });
+  expect(authorizeResponse.status).toBe(200);
+  expect(authorizeResponse.body.redirect_url).toEqual(expect.any(String));
+  const redirectUrl = new URL(authorizeResponse.body.redirect_url);
+  expect(redirectUrl.origin).toBe(new URL(localRedirectUrl).origin);
+  expect(redirectUrl.pathname).toBe(new URL(localRedirectUrl).pathname + "/handler/oauth-callback");
+  expect(redirectUrl.searchParams.get("state")).toBe("cross-domain-state");
+  const authorizationCode = redirectUrl.searchParams.get("code") ?? throwErr("Authorization code is missing in cross-domain redirect URL");
+
+  const tokenResponse = await exchangeAuthorizationCode({
+    authorizationCode,
+    redirectUri,
+  });
+  expect(tokenResponse).toMatchObject({
+    status: 200,
+    body: {
+      access_token: expect.any(String),
+      refresh_token: expect.any(String),
+      after_callback_redirect_url: afterCallbackRedirectUrl,
+      afterCallbackRedirectUrl,
+    },
+  });
+  expect(tokenResponse.body.refresh_token).toBe(existingRefreshToken);
+});
+
+it("rejects reusing the same cross-domain authorization code", async ({ expect }) => {
+  await Auth.Password.signUpWithEmail({ noWaitForEmail: true });
+  const redirectUri = `${localRedirectUrl}/handler/oauth-callback?stack_cross_domain_auth=1`;
+
+  const authorizeResponse = await createCrossDomainAuthorizeRedirect({ redirectUri });
+  const authorizationCode = new URL(authorizeResponse.body.redirect_url).searchParams.get("code") ?? throwErr("Authorization code is missing in cross-domain redirect URL");
+
+  const firstExchange = await exchangeAuthorizationCode({ authorizationCode, redirectUri });
+  expect(firstExchange.status).toBe(200);
+
+  const secondExchange = await exchangeAuthorizationCode({ authorizationCode, redirectUri });
+  expect(secondExchange).toMatchInlineSnapshot(`
+    NiceResponse {
+      "status": 400,
+      "body": {
+        "code": "INVALID_AUTHORIZATION_CODE",
+        "error": "The given authorization code is invalid.",
+      },
+      "headers": Headers {
+        "x-stack-known-error": "INVALID_AUTHORIZATION_CODE",
+        <some fields may have been hidden>,
+      },
+    }
+  `);
+});
+
+it("rejects exchanging with an invalid PKCE code_verifier", async ({ expect }) => {
+  await Auth.Password.signUpWithEmail({ noWaitForEmail: true });
+  const redirectUri = `${localRedirectUrl}/handler/oauth-callback?stack_cross_domain_auth=1`;
+
+  const authorizeResponse = await createCrossDomainAuthorizeRedirect({ redirectUri });
+  const authorizationCode = new URL(authorizeResponse.body.redirect_url).searchParams.get("code") ?? throwErr("Authorization code is missing in cross-domain redirect URL");
+
+  const tokenResponse = await exchangeAuthorizationCode({
+    authorizationCode,
+    redirectUri,
+    codeVerifier: "this-is-an-invalid-pkce-verifier",
+  });
+  expect(tokenResponse).toMatchInlineSnapshot(`
+    NiceResponse {
+      "status": 400,
+      "body": {
+        "code": "INVALID_AUTHORIZATION_CODE",
+        "error": "The given authorization code is invalid.",
+      },
+      "headers": Headers {
+        "x-stack-known-error": "INVALID_AUTHORIZATION_CODE",
+        <some fields may have been hidden>,
+      },
+    }
+  `);
+});
+
+it("rejects untrusted redirect URLs before issuing a code", async ({ expect }) => {
+  await Auth.Password.signUpWithEmail({ noWaitForEmail: true });
+
+  const response = await createCrossDomainAuthorizeRedirect({
+    redirectUri: "https://evil.example.com/oauth/callback",
+  });
+  expect(response).toMatchInlineSnapshot(`
+    NiceResponse {
+      "status": 400,
+      "body": {
+        "code": "REDIRECT_URL_NOT_WHITELISTED",
+        "error": "Redirect URL not whitelisted. Did you forget to add this domain to the trusted domains list on the Stack Auth dashboard?",
+      },
+      "headers": Headers {
+        "x-stack-known-error": "REDIRECT_URL_NOT_WHITELISTED",
+        <some fields may have been hidden>,
+      },
+    }
+  `);
+});
+
+it("rejects untrusted after-callback redirect URLs before issuing a code", async ({ expect }) => {
+  await Auth.Password.signUpWithEmail({ noWaitForEmail: true });
+
+  const response = await createCrossDomainAuthorizeRedirect({
+    afterCallbackRedirectUrl: "https://evil.example.com/post-auth",
+  });
+  expect(response).toMatchInlineSnapshot(`
+    NiceResponse {
+      "status": 400,
+      "body": {
+        "code": "REDIRECT_URL_NOT_WHITELISTED",
+        "error": "Redirect URL not whitelisted. Did you forget to add this domain to the trusted domains list on the Stack Auth dashboard?",
+      },
+      "headers": Headers {
+        "x-stack-known-error": "REDIRECT_URL_NOT_WHITELISTED",
+        <some fields may have been hidden>,
+      },
+    }
+  `);
+});
+
+it("requires a signed-in user to issue a cross-domain code", async ({ expect }) => {
+  await Auth.Password.signUpWithEmail({ noWaitForEmail: true });
+  backendContext.set({ userAuth: null });
+
+  const response = await createCrossDomainAuthorizeRedirect();
+  expect(response.status).toBe(401);
+  expect(response.body.code).toBe("USER_AUTHENTICATION_REQUIRED");
+});
+
+it("requires providing the current refresh token to issue a cross-domain code", async ({ expect }) => {
+  const { signUpResponse } = await Auth.Password.signUpWithEmail({ noWaitForEmail: true });
+  backendContext.set({
+    userAuth: {
+      accessToken: signUpResponse.body.access_token,
+      refreshToken: undefined,
+    },
+  });
+
+  const response = await createCrossDomainAuthorizeRedirect();
+  expect(response.status).toBe(400);
+  expect(response.body).toBe("Cross-domain auth handoff requires passing the current refresh token.");
+});
+
+it("rejects refresh tokens that do not match the authenticated session", async ({ expect }) => {
+  const firstSignUp = await Auth.Password.signUpWithEmail({ noWaitForEmail: true });
+  const response = await createCrossDomainAuthorizeRedirect({
+    userAuth: {
+      accessToken: firstSignUp.signUpResponse.body.access_token,
+      refreshToken: "this-refresh-token-does-not-match-the-current-session",
+    },
+  });
+  expect(response.status).toBe(401);
+  expect(response.body).toBe("Cross-domain auth handoff refresh token does not match the authenticated session.");
+});
+
+it("does not authorize when only a refresh token is present", async ({ expect }) => {
+  const { signUpResponse } = await Auth.Password.signUpWithEmail({ noWaitForEmail: true });
+  backendContext.set({
+    userAuth: {
+      accessToken: undefined,
+      refreshToken: signUpResponse.body.refresh_token,
+    },
+  });
+
+  const response = await createCrossDomainAuthorizeRedirect();
+  expect(response.status).toBe(401);
+  expect(response.body.code).toBe("USER_AUTHENTICATION_REQUIRED");
+});
diff --git a/apps/e2e/tests/js/cross-domain-auth.test.ts b/apps/e2e/tests/js/cross-domain-auth.test.ts
new file mode 100644
index 0000000000..f48f0fa9ed
--- /dev/null
+++ b/apps/e2e/tests/js/cross-domain-auth.test.ts
@@ -0,0 +1,255 @@
+import { StackClientApp } from "@stackframe/js";
+import { afterEach, vi } from "vitest";
+import { it, localRedirectUrl } from "../helpers";
+
+const withHostedDomainSuffix = async (callback: () => Promise<void>) => {
+  const oldHostedHandlerDomainSuffix = process.env.NEXT_PUBLIC_STACK_HOSTED_HANDLER_DOMAIN_SUFFIX;
+  const oldHostedHandlerUrlTemplate = process.env.NEXT_PUBLIC_STACK_HOSTED_HANDLER_URL_TEMPLATE;
+  process.env.NEXT_PUBLIC_STACK_HOSTED_HANDLER_DOMAIN_SUFFIX = ".example-stack-hosted.test";
+  delete process.env.NEXT_PUBLIC_STACK_HOSTED_HANDLER_URL_TEMPLATE;
+
+  try {
+    await callback();
+  } finally {
+    if (oldHostedHandlerDomainSuffix == null) {
+      delete process.env.NEXT_PUBLIC_STACK_HOSTED_HANDLER_DOMAIN_SUFFIX;
+    } else {
+      process.env.NEXT_PUBLIC_STACK_HOSTED_HANDLER_DOMAIN_SUFFIX = oldHostedHandlerDomainSuffix;
+    }
+    if (oldHostedHandlerUrlTemplate == null) {
+      delete process.env.NEXT_PUBLIC_STACK_HOSTED_HANDLER_URL_TEMPLATE;
+    } else {
+      process.env.NEXT_PUBLIC_STACK_HOSTED_HANDLER_URL_TEMPLATE = oldHostedHandlerUrlTemplate;
+    }
+  }
+};
+
+afterEach(() => {
+  vi.restoreAllMocks();
+});
+
+const createClientApp = (projectId: string) => new StackClientApp({
+  baseUrl: "http://localhost:8102",
+  projectId,
+  publishableClientKey: "test-publishable-client-key",
+  tokenStore: "memory",
+  redirectMethod: "window",
+  urls: {
+    default: { type: "hosted" },
+  },
+});
+
+it("adds secure cross-domain handoff parameters when redirecting to hosted sign-in", async ({ expect }) => {
+  await withHostedDomainSuffix(async () => {
+    const projectId = "11111111-1111-4111-8111-111111111111";
+    const clientApp = createClientApp(projectId);
+
+    const previousWindow = globalThis.window;
+    const previousDocument = globalThis.document;
+    let redirectedUrl = "";
+
+    globalThis.document = { cookie: "", createElement: () => ({}) } as any;
+    globalThis.window = {
+      location: {
+        href: `${localRedirectUrl}/private-page?foo=bar`,
+        assign: (url: string) => {
+          redirectedUrl = url;
+          throw new Error("INTENTIONAL_TEST_ABORT");
+        },
+      },
+    } as any;
+
+    try {
+      await expect(clientApp.redirectToSignIn()).rejects.toThrowError("INTENTIONAL_TEST_ABORT");
+    } finally {
+      globalThis.window = previousWindow;
+      globalThis.document = previousDocument;
+    }
+
+    const redirectUrl = new URL(redirectedUrl);
+    expect(redirectUrl.origin).toBe(`https://${projectId}.example-stack-hosted.test`);
+    expect(redirectUrl.pathname).toBe("/handler/sign-in");
+    expect(redirectUrl.searchParams.get("stack_cross_domain_state")).toEqual(expect.any(String));
+    expect(redirectUrl.searchParams.get("stack_cross_domain_code_challenge")).toEqual(expect.any(String));
+    expect(redirectUrl.searchParams.get("stack_cross_domain_after_callback_redirect_url")).toBe(`${localRedirectUrl}/private-page?foo=bar`);
+    const callbackUrl = new URL(redirectUrl.searchParams.get("after_auth_return_to") ?? "");
+    expect(callbackUrl.origin).toBe(new URL(localRedirectUrl).origin);
+    expect(callbackUrl.pathname).toBe("/handler/oauth-callback");
+    expect(callbackUrl.searchParams.get("stack_cross_domain_auth")).toBe("1");
+    expect(callbackUrl.searchParams.get("stack_cross_domain_state")).toEqual(expect.any(String));
+    expect(callbackUrl.searchParams.get("stack_cross_domain_code_challenge")).toEqual(expect.any(String));
+    expect(callbackUrl.searchParams.get("stack_cross_domain_after_callback_redirect_url")).toBe(`${localRedirectUrl}/private-page?foo=bar`);
+  });
+});
+
+it("returns static app.urls.signIn for hosted flows", async ({ expect }) => {
+  await withHostedDomainSuffix(async () => {
+    const projectId = "44444444-4444-4444-8444-444444444444";
+    const currentHref = `${localRedirectUrl}/private-page?foo=bar`;
+
+    const previousWindow = globalThis.window;
+    const previousDocument = globalThis.document;
+    globalThis.document = { cookie: "", createElement: () => ({}) } as any;
+    globalThis.window = {
+      location: {
+        href: currentHref,
+        assign: () => { throw new Error("INTENTIONAL_TEST_ABORT"); },
+      },
+    } as any;
+
+    try {
+      const clientApp = createClientApp(projectId);
+      const signInUrl = new URL(clientApp.urls.signIn);
+      expect(signInUrl.origin).toBe(`https://${projectId}.example-stack-hosted.test`);
+      expect(signInUrl.pathname).toBe("/handler/sign-in");
+      expect(signInUrl.searchParams.get("after_auth_return_to")).toBeNull();
+      expect(signInUrl.searchParams.get("stack_cross_domain_state")).toBeNull();
+      expect(signInUrl.searchParams.get("stack_cross_domain_code_challenge")).toBeNull();
+      expect(signInUrl.searchParams.get("stack_cross_domain_after_callback_redirect_url")).toBeNull();
+    } finally {
+      globalThis.window = previousWindow;
+      globalThis.document = previousDocument;
+    }
+  });
+});
+
+it("returns static app.urls.signOut for hosted flows", async ({ expect }) => {
+  await withHostedDomainSuffix(async () => {
+    const projectId = "55555555-5555-4555-8555-555555555555";
+    const currentHref = `${localRedirectUrl}/signed-in-page?foo=bar`;
+
+    const previousWindow = globalThis.window;
+    const previousDocument = globalThis.document;
+    globalThis.document = { cookie: "", createElement: () => ({}) } as any;
+    globalThis.window = {
+      location: {
+        href: currentHref,
+        assign: () => { throw new Error("INTENTIONAL_TEST_ABORT"); },
+      },
+    } as any;
+
+    try {
+      const clientApp = createClientApp(projectId);
+      const signOutUrl = new URL(clientApp.urls.signOut);
+      expect(signOutUrl.origin).toBe(`https://${projectId}.example-stack-hosted.test`);
+      expect(signOutUrl.pathname).toBe("/handler/sign-out");
+      expect(signOutUrl.searchParams.get("after_auth_return_to")).toBeNull();
+    } finally {
+      globalThis.window = previousWindow;
+      globalThis.document = previousDocument;
+    }
+  });
+});
+
+it("keeps cross-domain handoff working when top-level params are dropped before after-sign-in", async ({ expect }) => {
+  await withHostedDomainSuffix(async () => {
+    const projectId = "22222222-2222-4222-8222-222222222222";
+    const clientApp = createClientApp(projectId);
+
+    const handoffState = "state-from-initial-sign-in";
+    const handoffCodeChallenge = "abcdefghijklmnopqrstuvwxyzABCDEFG_0123456789-._~";
+    const handoffAfterCallbackRedirect = `${localRedirectUrl}/cross-domain-handoff`;
+    const redirectBackUrl = new URL(`${localRedirectUrl}/handler/oauth-callback`);
+    redirectBackUrl.searchParams.set("stack_cross_domain_auth", "1");
+    redirectBackUrl.searchParams.set("stack_cross_domain_state", handoffState);
+    redirectBackUrl.searchParams.set("stack_cross_domain_code_challenge", handoffCodeChallenge);
+    redirectBackUrl.searchParams.set("stack_cross_domain_after_callback_redirect_url", handoffAfterCallbackRedirect);
+
+    const hostedAfterSignInCallbackUrl = new URL(`https://${projectId}.example-stack-hosted.test/handler/oauth-callback`);
+    hostedAfterSignInCallbackUrl.searchParams.set("after_auth_return_to", redirectBackUrl.toString());
+    hostedAfterSignInCallbackUrl.searchParams.set("code", "inner-hosted-code");
+    hostedAfterSignInCallbackUrl.searchParams.set("state", "inner-hosted-state");
+
+    const previousWindow = globalThis.window;
+    const previousDocument = globalThis.document;
+    let redirectedUrl = "";
+
+    const crossDomainAuthorizeRedirect = `https://${projectId}.example-stack-hosted.test/handler/final-cross-domain-redirect`;
+    const createCrossDomainAuthRedirectUrlSpy = vi
+      .spyOn(clientApp as any, "_createCrossDomainAuthRedirectUrl")
+      .mockResolvedValue(crossDomainAuthorizeRedirect);
+
+    globalThis.document = { cookie: "", createElement: () => ({}) } as any;
+    globalThis.window = {
+      location: {
+        href: hostedAfterSignInCallbackUrl.toString(),
+        assign: (url: string) => {
+          redirectedUrl = url;
+          throw new Error("INTENTIONAL_TEST_ABORT");
+        },
+      },
+    } as any;
+
+    try {
+      await expect(clientApp.redirectToAfterSignIn()).rejects.toThrowError("INTENTIONAL_TEST_ABORT");
+    } finally {
+      globalThis.window = previousWindow;
+      globalThis.document = previousDocument;
+    }
+
+    expect(createCrossDomainAuthRedirectUrlSpy).toHaveBeenCalledWith({
+      redirectUri: redirectBackUrl.toString(),
+      state: handoffState,
+      codeChallenge: handoffCodeChallenge,
+      afterCallbackRedirectUrl: handoffAfterCallbackRedirect,
+    });
+    expect(redirectedUrl).toBe(crossDomainAuthorizeRedirect);
+  });
+});
+
+it("keeps cross-domain handoff working when after_auth_return_to is rewritten to same-origin relative URL", async ({ expect }) => {
+  await withHostedDomainSuffix(async () => {
+    const projectId = "33333333-3333-4333-8333-333333333333";
+    const clientApp = createClientApp(projectId);
+
+    const handoffState = "state-from-relative-after-auth-return";
+    const handoffCodeChallenge = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~";
+    const handoffAfterCallbackRedirect = "http://p93.localhost:9303/cross-domain-handoff";
+    const relativeRedirectBackPath = new URL("/handler/oauth-callback", `https://${projectId}.example-stack-hosted.test`);
+    relativeRedirectBackPath.searchParams.set("stack_cross_domain_auth", "1");
+    relativeRedirectBackPath.searchParams.set("stack_cross_domain_state", handoffState);
+    relativeRedirectBackPath.searchParams.set("stack_cross_domain_code_challenge", handoffCodeChallenge);
+    relativeRedirectBackPath.searchParams.set("stack_cross_domain_after_callback_redirect_url", handoffAfterCallbackRedirect);
+
+    const hostedAfterSignInCallbackUrl = new URL(`https://${projectId}.example-stack-hosted.test/handler/oauth-callback`);
+    hostedAfterSignInCallbackUrl.searchParams.set("after_auth_return_to", `${relativeRedirectBackPath.pathname}${relativeRedirectBackPath.search}`);
+    hostedAfterSignInCallbackUrl.searchParams.set("code", "inner-hosted-code");
+    hostedAfterSignInCallbackUrl.searchParams.set("state", "inner-hosted-state");
+
+    const previousWindow = globalThis.window;
+    const previousDocument = globalThis.document;
+    let redirectedUrl = "";
+
+    const crossDomainAuthorizeRedirect = `https://${projectId}.example-stack-hosted.test/handler/final-cross-domain-redirect`;
+    const createCrossDomainAuthRedirectUrlSpy = vi
+      .spyOn(clientApp as any, "_createCrossDomainAuthRedirectUrl")
+      .mockResolvedValue(crossDomainAuthorizeRedirect);
+
+    globalThis.document = { cookie: "", createElement: () => ({}) } as any;
+    globalThis.window = {
+      location: {
+        href: hostedAfterSignInCallbackUrl.toString(),
+        assign: (url: string) => {
+          redirectedUrl = url;
+          throw new Error("INTENTIONAL_TEST_ABORT");
+        },
+      },
+    } as any;
+
+    try {
+      await expect(clientApp.redirectToAfterSignIn()).rejects.toThrowError("INTENTIONAL_TEST_ABORT");
+    } finally {
+      globalThis.window = previousWindow;
+      globalThis.document = previousDocument;
+    }
+
+    expect(createCrossDomainAuthRedirectUrlSpy).toHaveBeenCalledTimes(1);
+    expect(createCrossDomainAuthRedirectUrlSpy).toHaveBeenCalledWith(expect.objectContaining({
+      redirectUri: expect.stringContaining("http://p93.localhost:9303/handler/oauth-callback?"),
+      state: handoffState,
+      codeChallenge: handoffCodeChallenge,
+      afterCallbackRedirectUrl: handoffAfterCallbackRedirect,
+    }));
+    expect(redirectedUrl).toBe(crossDomainAuthorizeRedirect);
+  });
+});
diff --git a/claude/CLAUDE-KNOWLEDGE.md b/claude/CLAUDE-KNOWLEDGE.md
index f682b9ef69..96389c4aca 100644
--- a/claude/CLAUDE-KNOWLEDGE.md
+++ b/claude/CLAUDE-KNOWLEDGE.md
@@ -79,9 +79,48 @@ A: Run lint from `apps/dashboard` directly (for example `pnpm lint -- "src/app/(
 Q: How should unsubscribe-link e2e tests avoid breakage from email theme/layout changes?
 A: In `apps/e2e/tests/backend/endpoints/api/v1/unsubscribe-link.test.ts`, avoid snapshotting the entire rendered HTML for transactional emails; assert stable behavior instead (email content present and `/api/v1/emails/unsubscribe-link` absent) so cosmetic wrapper/style changes do not fail the test.
 
+Q: How do cross-domain auth handoffs avoid creating extra refresh-token sessions?
+A: The cross-domain authorize route must carry the current `refreshTokenId` through authorization-code exchange and OAuth token issuance must reuse that ID. Keep `afterCallbackRedirectUrl` URL-only and persist refresh-token linkage in `ProjectUserAuthorizationCode.grantedRefreshTokenId`; then return that as `user.refreshTokenId` in `getAuthorizationCode` so token issuance can reuse the same refresh-token row with ownership checks.
+
+Q: Is there a manual demo page for cross-domain auth handoff verification?
+A: Yes — `examples/demo/src/app/cross-domain-handoff/page.tsx` provides one-click triggers for client sign-in/sign-up redirects, server protected-page redirects, and OAuth provider sign-in, plus runtime URL visibility for manual verification.
+
+Q: Why did the demo still use `*.built-with-stack-auth.com` in local dev?
+A: The demo app needs `NEXT_PUBLIC_STACK_HOSTED_HANDLER_DOMAIN_SUFFIX` in `examples/demo/.env.development`; set it to `.localhost:${NEXT_PUBLIC_STACK_PORT_PREFIX:-81}09` so hosted handler URLs resolve to the local hosted-components instance.
+
+Q: How should SDK code read environment variables to work across bundlers?
+A: Read from `packages/template/src/lib/env.ts` via `envVars` only. That file uses explicit `typeof process !== "undefined" ? process.env.KEY : undefined` getters so bundlers like Next.js can inline `process.env.KEY` at build time while still being safe if `process` is unavailable at runtime. Direct `process.env` usage is banned in `packages/template/.eslintrc.cjs` everywhere except `src/lib/env.ts`.
+
+Q: What if hosted auth rewrites `after_auth_return_to` into a same-origin relative callback URL?
+A: Cross-domain handoff should still run when handoff params indicate a different final callback origin. In that case, reconstruct the cross-domain redirect URI on the `afterCallbackRedirectUrl` origin while preserving callback path/query/hash, then continue through `/auth/oauth/cross-domain/authorize`.
+
+Q: How should `app.urls.signIn`/`signOut` behave for hosted cross-domain flows?
+A: In browser contexts, `app.urls` should return redirect-ready handler URLs for `signIn`, `signUp`, `onboarding`, and `signOut`: include `after_auth_return_to`, preserve existing cross-domain handoff params, and for hosted sign-in/up/onboarding populate cross-domain callback targets (`/handler/oauth-callback` with `stack_cross_domain_auth=1`) so plain `router.push(app.urls.signIn)` / `<Link href={app.urls.signOut}>` keeps return-to-domain behavior.
+
+Q: What should happen if hosted `after_auth_return_to` requires cross-domain handoff but URL params are missing?
+A: In `planRedirectToHandler` (`redirect-page-urls.ts`), do not throw immediately. Generate missing PKCE handoff `state`/`codeChallenge` via `getCrossDomainHandoffParams(currentUrl)` and default `afterCallbackRedirectUrl` to `currentUrl.toString()`, then continue with cross-domain authorize planning.
+
+Q: What is the cleanest split for `_redirectToHandler`?
+A: Put branching/policy into a pure planner (`planRedirectToHandler`) in `redirect-page-urls.ts` that returns either a direct redirect URL or a cross-domain authorize payload; keep `client-app-impl` as the executor for side effects (calling authorize endpoint and navigating).
+
+Q: Should query parsing like `_getCrossDomainHandoffParamsForUrlsGetter` live in client-app-impl?
+A: Prefer moving pure query parsing into `redirect-page-urls.ts` (for example `getCrossDomainHandoffParamsFromCurrentUrl`) and keep `client-app-impl` focused on fallback/prefetch/stateful concerns only.
+
+Q: How should we carry cross-domain refresh-token reuse data without corrupting URL semantics?
+A: Keep `afterCallbackRedirectUrl` as a URL-only field and persist refresh-token linkage in a dedicated DB column (`ProjectUserAuthorizationCode.grantedRefreshTokenId`). Then return that column as `user.refreshTokenId` in `getAuthorizationCode` so token issuance can safely reuse and ownership-check it.
+
+Q: How can cross-domain handoff require proof of refresh-token possession without adding extra body fields?
+A: Reuse the existing `X-Stack-Refresh-Token` header already sent by the client interface. In `/auth/oauth/cross-domain/authorize`, require this header, resolve the refresh-token row by token string, and verify it matches auth context (`auth.refreshTokenId`, `auth.user.id`, `auth.tenancy.id`) and validity before issuing the handoff code.
+
+Q: Why can cross-domain e2e tests fail after adding a new file under template implementations?
+A: E2E JS tests import `@stackframe/js` from built `dist`, so new helper files copied to `packages/js/src` still fail at runtime until package dist is rebuilt and includes the new module path.
+
 Q: How should dashboard pages update project config values?
 A: Do not call `project.updateConfig(...)` directly from dashboard pages; lint enforces using `useUpdateConfig()` from `apps/dashboard/src/lib/config-update.tsx` so pushable-config confirmation flows are handled consistently.
 
+Q: How should EventTracker behave in test environments with partial DOM mocks?
+A: In `packages/template/src/lib/stack-app/apps/implementations/event-tracker.ts`, gate `start()` behind runtime capability checks (DOM listener APIs and screen dimensions), and patch `window.history` instead of global `history`. This prevents crashes like `Cannot read properties of undefined (reading 'width')` in non-browser test stubs while keeping browser behavior unchanged.
+
 Q: How can the dashboard find resumable onboarding state without SDK type changes?
 A: Query `/internal/projects` via `stackAppInternalsSymbol` and read each project's `onboarding_status`; this avoids relying on `AdminOwnedProject` fields that may lag until generated package copies are rebuilt.
 
@@ -102,3 +141,15 @@ A: Only write `onboardingStatus` when the `Project.onboardingStatus` column exis
 
 Q: Where is the private sign-up risk engine generated entrypoint in backend now?
 A: The generator script writes `apps/backend/src/private/implementation.generated.ts` (not `src/generated/private-sign-up-risk-engine.ts`), and backend runtime imports should target `@/private/implementation.generated`.
+
+Q: Why did EventTracker throw `Reflect.get called on non-object` in JS cookie tests?
+A: Partial browser mocks can expose `window` without a real `history` object. Calling `Reflect.get(historyObject, "pushState")` throws before type checks. Use normal guarded access (`Object.getOwnPropertyDescriptor(window, "history")?.value`) plus type guards for `pushState`/`replaceState`, and patch/restore methods directly without `Reflect`.
+
+Q: How are custom handler URL target versions validated?
+A: In `packages/template/src/lib/stack-app/url-targets.ts`, custom targets are only allowed for handler names listed in `customPagePrompts` (not for `handler`). For allowed pages, `version: 0` is always accepted and non-zero versions must exist in `customPagePrompts[handlerName].versions`; otherwise an error is thrown.
+
+Q: How should `StackHandlerClient.redirectIfNotHandler` avoid SSR `window` crashes?
+A: In `packages/template/src/components-page/stack-handler-client.tsx`, parse handler URLs with a placeholder origin (`http://example.com`) and avoid reading `window` on the server path. For SSR, compare only handler path shape; for browser, keep origin+path checks using `window.location.origin`.
+
+Q: What is the current `app.urls` contract after deprecating runtime URL mutation?
+A: `app.urls` is now static (`getUrls(...)` only) and no longer injects runtime `after_auth_return_to` / `stack_cross_domain_*` params from `window.location`. For navigation flows, examples and consumers should use `redirectToXyz()` methods instead (for example `redirectToSignIn()` / `redirectToSignOut()`), while tests for hosted flows should assert dynamic params on actual redirect methods, not on `app.urls`.
diff --git a/examples/demo/.env.development b/examples/demo/.env.development
index 7f04eaa9d9..0220ad2bcc 100644
--- a/examples/demo/.env.development
+++ b/examples/demo/.env.development
@@ -4,3 +4,4 @@ NEXT_PUBLIC_STACK_API_URL=http://localhost:${NEXT_PUBLIC_STACK_PORT_PREFIX:-81}0
 NEXT_PUBLIC_STACK_PROJECT_ID=internal
 NEXT_PUBLIC_STACK_PUBLISHABLE_CLIENT_KEY=this-publishable-client-key-is-for-local-development-only
 STACK_SECRET_SERVER_KEY=this-secret-server-key-is-for-local-development-only
+NEXT_PUBLIC_STACK_HOSTED_HANDLER_URL_TEMPLATE=http://{projectId}.localhost:${NEXT_PUBLIC_STACK_PORT_PREFIX:-81}09/{hostedPath}
diff --git a/examples/demo/src/app/cross-domain-handoff/page.tsx b/examples/demo/src/app/cross-domain-handoff/page.tsx
new file mode 100644
index 0000000000..2b95bf086b
--- /dev/null
+++ b/examples/demo/src/app/cross-domain-handoff/page.tsx
@@ -0,0 +1,183 @@
+'use client';
+
+import { useStackApp, useUser } from "@stackframe/stack";
+import { runAsynchronouslyWithAlert } from "@stackframe/stack-shared/dist/utils/promises";
+import { Button, Card, CardContent, CardHeader, Typography } from "@stackframe/stack-ui";
+import Link from "next/link";
+
+export default function CrossDomainHandoffPage() {
+  const app = useStackApp();
+  const user = useUser();
+
+  const currentUrl = typeof window === "undefined" ? "unknown" : window.location.href;
+  const extraRedirectActions: Array<{ label: string, run: () => Promise<void> }> = [
+    { label: "redirectToAccountSettings()", run: async () => await app.redirectToAccountSettings() },
+    { label: "redirectToHome()", run: async () => await app.redirectToHome() },
+    { label: "redirectToAfterSignIn()", run: async () => await app.redirectToAfterSignIn() },
+    { label: "redirectToAfterSignUp()", run: async () => await app.redirectToAfterSignUp() },
+    { label: "redirectToAfterSignOut()", run: async () => await app.redirectToAfterSignOut() },
+    { label: "redirectToForgotPassword()", run: async () => await app.redirectToForgotPassword() },
+    { label: "redirectToPasswordReset()", run: async () => await app.redirectToPasswordReset() },
+    { label: "redirectToEmailVerification()", run: async () => await app.redirectToEmailVerification() },
+    { label: "redirectToTeamInvitation()", run: async () => await app.redirectToTeamInvitation() },
+    { label: "redirectToMfa()", run: async () => await app.redirectToMfa() },
+    { label: "redirectToOnboarding()", run: async () => await app.redirectToOnboarding() },
+    { label: "redirectToError()", run: async () => await app.redirectToError() },
+  ];
+  const rawUrlActions: Array<{ label: string, href: string }> = [
+    { label: "Account Settings URL", href: "/handler/account-settings" },
+    { label: "OAuth Callback URL", href: "/handler/oauth-callback" },
+    { label: "Team Invitation URL", href: "/handler/team-invitation" },
+    { label: "MFA URL", href: "/handler/mfa" },
+    { label: "Error URL", href: "/handler/error" },
+  ];
+
+  return (
+    <div className="container mx-auto p-6 max-w-4xl">
+      <Typography type="h1" className="mb-2">Cross-Domain Auth Handoff Demo</Typography>
+      <Typography className="mb-6 text-gray-600">
+        Use this page to manually validate redirect + callback behavior when sign-in is hosted on another domain.
+      </Typography>
+
+      <div className="grid gap-6">
+        <Card>
+          <CardHeader>
+            <Typography type="h3">Current Runtime State</Typography>
+          </CardHeader>
+          <CardContent>
+            <div className="space-y-2 text-sm">
+              <div><span className="font-semibold">Signed in:</span> {user ? "yes" : "no"}</div>
+              <div><span className="font-semibold">Current URL:</span> <code>{currentUrl}</code></div>
+              <div><span className="font-semibold">Sign-in route:</span> <code>/handler/sign-in</code></div>
+              <div><span className="font-semibold">OAuth callback route:</span> <code>/handler/oauth-callback</code></div>
+              <div>
+                <span className="font-semibold">Cross-domain mode:</span> driven by redirect methods and current URL state
+              </div>
+            </div>
+          </CardContent>
+        </Card>
+
+        <Card>
+          <CardHeader>
+            <Typography type="h3">Main Flow Triggers</Typography>
+          </CardHeader>
+          <CardContent>
+            <div className="flex flex-wrap gap-2">
+              <Button
+                variant="secondary"
+                onClick={() => runAsynchronouslyWithAlert(async () => {
+                  await user?.signOut({ redirectUrl: "/cross-domain-handoff" });
+                })}
+              >
+                Sign Out (Reset)
+              </Button>
+
+              <Button
+                onClick={() => runAsynchronouslyWithAlert(async () => {
+                  await app.redirectToSignIn();
+                })}
+              >
+                Trigger Client `redirectToSignIn()`
+              </Button>
+
+              <Button
+                onClick={() => runAsynchronouslyWithAlert(async () => {
+                  await app.redirectToSignUp();
+                })}
+              >
+                Trigger Client `redirectToSignUp()`
+              </Button>
+
+              <Link href="/protected" className="inline-flex">
+                <Button variant="outline">
+                  Open `/protected` (server redirect flow)
+                </Button>
+              </Link>
+            </div>
+          </CardContent>
+        </Card>
+
+        <Card>
+          <CardHeader>
+            <Typography type="h3">OAuth Provider Flow Trigger</Typography>
+          </CardHeader>
+          <CardContent>
+            <div className="flex flex-wrap gap-2 items-center">
+              <Button
+                onClick={() => runAsynchronouslyWithAlert(async () => {
+                  await app.signInWithOAuth("github");
+                })}
+              >
+                Trigger OAuth Sign-In (GitHub)
+              </Button>
+              <Button
+                variant="outline"
+                onClick={() => runAsynchronouslyWithAlert(async () => {
+                  await app.signInWithOAuth("google");
+                })}
+              >
+                Trigger OAuth Sign-In (Google)
+              </Button>
+              <Button
+                variant="outline"
+                onClick={() => runAsynchronouslyWithAlert(async () => {
+                  await app.signInWithOAuth("spotify");
+                })}
+              >
+                Trigger OAuth Sign-In (Spotify)
+              </Button>
+            </div>
+          </CardContent>
+        </Card>
+
+        <Card>
+          <CardHeader>
+            <Typography type="h3">Additional Redirect Method Triggers</Typography>
+          </CardHeader>
+          <CardContent>
+            <div className="flex flex-wrap gap-2">
+              {extraRedirectActions.map((action) => (
+                <Button
+                  key={action.label}
+                  variant="outline"
+                  onClick={() => runAsynchronouslyWithAlert(action.run)}
+                >
+                  {action.label}
+                </Button>
+              ))}
+            </div>
+          </CardContent>
+        </Card>
+
+        <Card>
+          <CardHeader>
+            <Typography type="h3">Raw URL Targets</Typography>
+          </CardHeader>
+          <CardContent>
+            <div className="flex flex-wrap gap-2">
+              {rawUrlActions.map((action) => (
+                <Link key={action.label} href={action.href} className="inline-flex">
+                  <Button variant="secondary">{action.label}</Button>
+                </Link>
+              ))}
+            </div>
+          </CardContent>
+        </Card>
+
+        <Card>
+          <CardHeader>
+            <Typography type="h3">Quick Checklist</Typography>
+          </CardHeader>
+          <CardContent>
+            <ol className="list-decimal list-inside text-sm space-y-1">
+              <li>Sign out first.</li>
+              <li>Run one trigger, complete auth, verify you land back at the original page.</li>
+              <li>Repeat with OAuth sign-in.</li>
+              <li>Confirm you stay signed in after browser refresh.</li>
+            </ol>
+          </CardContent>
+        </Card>
+      </div>
+    </div>
+  );
+}
diff --git a/examples/demo/src/app/page-client.tsx b/examples/demo/src/app/page-client.tsx
index 11092fbb95..4d876ef31e 100644
--- a/examples/demo/src/app/page-client.tsx
+++ b/examples/demo/src/app/page-client.tsx
@@ -4,11 +4,9 @@ import { UserAvatar, useStackApp, useUser } from '@stackframe/stack';
 import { Button, buttonVariants, Card, CardContent, CardFooter, CardHeader, Typography } from '@stackframe/stack-ui';
 import Image from 'next/image';
 import Link from 'next/link';
-import { useRouter } from 'next/navigation';
 
 export default function PageClient() {
   const user = useUser({ includeRestricted: true });
-  const router = useRouter();
   const app = useStackApp();
 
   const authButtons = (
@@ -18,8 +16,8 @@ export default function PageClient() {
       <Typography>Try signing in/up with the buttons below!</Typography>
       <Typography>Also feel free to check out the things on the top right corner.</Typography>
       <div className='flex gap-2'>
-        <Button onClick={() => router.push(app.urls.signIn)}>Sign In</Button>
-        <Button onClick={() => router.push(app.urls.signUp)}>Sign Up</Button>
+        <Button onClick={async () => await app.redirectToSignIn()}>Sign In</Button>
+        <Button onClick={async () => await app.redirectToSignUp()}>Sign Up</Button>
       </div>
     </div>
   );
@@ -72,9 +70,9 @@ export default function PageClient() {
                 <Link href="https://app.stack-auth.com" className={buttonVariants()}>
                   Visit Stack Auth
                 </Link>
-                <Link href={app.urls.signOut} className={buttonVariants({ variant: 'destructive' })}>
+                <Button variant='destructive' onClick={async () => await app.redirectToSignOut()}>
                   Sign Out
-                </Link>
+                </Button>
               </div>
             </CardFooter>
           </Card>
diff --git a/examples/demo/src/app/turnstile-signup/page-client.tsx b/examples/demo/src/app/turnstile-signup/page-client.tsx
index a448702f1a..4d46a291c1 100644
--- a/examples/demo/src/app/turnstile-signup/page-client.tsx
+++ b/examples/demo/src/app/turnstile-signup/page-client.tsx
@@ -21,6 +21,11 @@ const testKeys = {
 };
 
 const authReturnStorageKey = "turnstile-auth-demo-last-redirect";
+const handlerRoutes = {
+  oauthCallback: "/handler/oauth-callback",
+  magicLinkCallback: "/handler/magic-link-callback",
+  error: "/handler/error",
+};
 
 type FlowResult = {
   status: "success" | "error" | "info",
@@ -317,7 +322,7 @@ export default function TurnstileSignupPageClient() {
   }
 
   function getOAuthCallbackUrlForTurnstileLab() {
-    const callbackUrl = new URL(getAppAbsoluteUrl(app.urls.oauthCallback));
+    const callbackUrl = new URL(getAppAbsoluteUrl(handlerRoutes.oauthCallback));
     callbackUrl.searchParams.set("after_auth_return_to", getCurrentRelativeUrl());
     return callbackUrl.toString();
   }
@@ -409,7 +414,7 @@ export default function TurnstileSignupPageClient() {
 
   async function handleMagicLinkVisibleDrill(): Promise<FlowResult> {
     const drillEmail = freshEmail();
-    const callbackUrl = getAppAbsoluteUrl(app.urls.magicLinkCallback);
+    const callbackUrl = getAppAbsoluteUrl(handlerRoutes.magicLinkCallback);
 
     const firstRes = await debugMagicLinkSend(sendRequest, {
       email: drillEmail,
@@ -451,7 +456,7 @@ export default function TurnstileSignupPageClient() {
       codeChallenge: oauthDebugState.codeChallenge,
       state: oauthDebugState.state,
       redirectUrl: getOAuthCallbackUrlForTurnstileLab(),
-      errorRedirectUrl: getAppAbsoluteUrl(app.urls.error),
+      errorRedirectUrl: getAppAbsoluteUrl(handlerRoutes.error),
       turnstileToken: "mock-turnstile-invalid",
       turnstilePhase: "invisible",
     });
@@ -469,7 +474,7 @@ export default function TurnstileSignupPageClient() {
       codeChallenge: oauthDebugState.codeChallenge,
       state: oauthDebugState.state,
       redirectUrl: getOAuthCallbackUrlForTurnstileLab(),
-      errorRedirectUrl: getAppAbsoluteUrl(app.urls.error),
+      errorRedirectUrl: getAppAbsoluteUrl(handlerRoutes.error),
       turnstileToken: visibleToken,
       turnstilePhase: "visible",
     });
@@ -820,12 +825,12 @@ export default function TurnstileSignupPageClient() {
                 </Typography>
               </CardContent>
               <CardFooter className="flex gap-2">
-                <Link href={app.urls.signUp} className="inline-flex items-center rounded-md border px-4 py-2 text-sm font-medium">
+                <Button variant="secondary" onClick={async () => await app.redirectToSignUp()}>
                   Hosted sign-up
-                </Link>
-                <Link href={app.urls.signIn} className="inline-flex items-center rounded-md border px-4 py-2 text-sm font-medium">
+                </Button>
+                <Button variant="secondary" onClick={async () => await app.redirectToSignIn()}>
                   Hosted sign-in
-                </Link>
+                </Button>
               </CardFooter>
             </Card>
 
@@ -1052,12 +1057,12 @@ export default function TurnstileSignupPageClient() {
           <Link href="/" className="inline-flex items-center rounded-md border px-4 py-2 text-sm font-medium">
             Back to home
           </Link>
-          <Link href={app.urls.signUp} className="inline-flex items-center rounded-md border px-4 py-2 text-sm font-medium">
+          <Button variant="secondary" onClick={async () => await app.redirectToSignUp()}>
             Open hosted sign-up
-          </Link>
-          <Link href={app.urls.signIn} className="inline-flex items-center rounded-md border px-4 py-2 text-sm font-medium">
+          </Button>
+          <Button variant="secondary" onClick={async () => await app.redirectToSignIn()}>
             Open hosted sign-in
-          </Link>
+          </Button>
         </CardFooter>
       </Card>
     </div>
diff --git a/examples/demo/src/stack.tsx b/examples/demo/src/stack.tsx
index aa80bb72cb..57a87b229f 100644
--- a/examples/demo/src/stack.tsx
+++ b/examples/demo/src/stack.tsx
@@ -6,5 +6,8 @@ export const stackServerApp = new StackServerApp({
   tokenStore: "nextjs-cookie",
   urls: {
     accountSettings: '/settings',
-  },
+    default: {
+      "type": "hosted",
+    },
+  }
 });
diff --git a/examples/docs-examples/src/app/page-client.tsx b/examples/docs-examples/src/app/page-client.tsx
index f91c560ee2..b9ac1a4170 100644
--- a/examples/docs-examples/src/app/page-client.tsx
+++ b/examples/docs-examples/src/app/page-client.tsx
@@ -2,19 +2,16 @@
 
 import { useStackApp, useUser } from '@stackframe/stack';
 import { Button } from '@stackframe/stack-ui';
-import Link from 'next/link';
-import { useRouter } from 'next/navigation';
 
 export default function PageClient() {
   const user = useUser();
-  const router = useRouter();
   const app = useStackApp();
 
   const authButtons = (
     <div className='flex flex-col gap-5 justify-center items-center'>
       <div className='flex gap-5'>
-        <Button onClick={() => router.push(app.urls.signIn)}>Sign In</Button>
-        <Button onClick={() => router.push('/handler/signup')}>Sign Up</Button>
+        <Button onClick={async () => await app.redirectToSignIn()}>Sign In</Button>
+        <Button onClick={async () => await app.redirectToSignUp()}>Sign Up</Button>
       </div>
     </div>
   );
@@ -23,9 +20,9 @@ export default function PageClient() {
     <div className='flex flex-col items-center justify-center h-full w-full gap-10'>
       {user ? (
         <div className='flex flex-col gap-5 justify-center items-center'>
-          <Link href={app.urls.signOut}>
+          <Button variant="secondary" onClick={async () => await app.redirectToSignOut()}>
             Sign Out
-          </Link>
+          </Button>
         </div>
       ) : authButtons}
     </div>
diff --git a/examples/docs-examples/src/app/signin/page.tsx b/examples/docs-examples/src/app/signin/page.tsx
index f6652522d0..5608256a29 100644
--- a/examples/docs-examples/src/app/signin/page.tsx
+++ b/examples/docs-examples/src/app/signin/page.tsx
@@ -42,7 +42,7 @@
 //       setError('Please enter your password');
 //       return;
 //     }
-//     // this will redirect to app.urls.afterSignIn if successful, you can customize it in the StackServerApp constructor
+//     // this redirects to your configured post-sign-in destination on success
 //     const result = await app.signInWithCredential({ email, password });
 //     // It is better to handle each error code separately, but we will just show the error code directly for simplicity here
 //     if (result.status === 'error') {
@@ -73,7 +73,7 @@ export default function CustomCredentialSignIn() {
   const app = useStackApp();
 
   const onSubmit = async () => {
-    // this will redirect to app.urls.afterSignIn if successful, you can customize it in the StackServerApp constructor
+    // this redirects to your configured post-sign-in destination on success
     const result = await app.sendMagicLinkEmail(email);
     // It is better to handle each error code separately, but we will just show the error code directly for simplicity here
     if (result.status === 'error') {
diff --git a/examples/docs-examples/src/app/signup/page.tsx b/examples/docs-examples/src/app/signup/page.tsx
index 2429476c19..a22d483ba0 100644
--- a/examples/docs-examples/src/app/signup/page.tsx
+++ b/examples/docs-examples/src/app/signup/page.tsx
@@ -24,7 +24,7 @@ export default function CustomCredentialSignUp() {
       setError('Please enter your password');
       return;
     }
-    // this will redirect to app.urls.afterSignUp if successful, you can customize it in the StackServerApp constructor
+    // this redirects to your configured post-sign-up destination on success
     const result = await app.signUpWithCredential({ email, password });
     // It is better to handle each error code separately, but we will just show the error code directly for simplicity here
     if (result.status === 'error') {
diff --git a/examples/supabase/app/page.tsx b/examples/supabase/app/page.tsx
index dde58174ea..bfeecef7f2 100644
--- a/examples/supabase/app/page.tsx
+++ b/examples/supabase/app/page.tsx
@@ -2,7 +2,6 @@
 
 import { createSupabaseClient } from "@/utils/supabase-client";
 import { useStackApp, useUser } from "@stackframe/stack";
-import Link from "next/link";
 import { useEffect, useState } from "react";
 
 export default function Page() {
@@ -28,9 +27,9 @@ export default function Page() {
         <>
           <p>You are signed in</p>
           <p>User ID: {user.id}</p>
-          <Link href={app.urls.signOut}>Sign Out</Link>
+          <button onClick={async () => await app.redirectToSignOut()}>Sign Out</button>
         </> : 
-        <Link href={app.urls.signIn}>Sign In</Link>
+        <button onClick={async () => await app.redirectToSignIn()}>Sign In</button>
       }
       <h3>Supabase data</h3>
       <ul>{listContent}</ul>
diff --git a/packages/template/.eslintrc.cjs b/packages/template/.eslintrc.cjs
index 2cf8c3da8e..1dba82cad8 100644
--- a/packages/template/.eslintrc.cjs
+++ b/packages/template/.eslintrc.cjs
@@ -9,5 +9,21 @@ module.exports = {
     "no-restricted-syntax": [
       ...defaults.rules["no-restricted-syntax"],
     ],
+    "no-restricted-properties": [
+      "error",
+      {
+        "object": "process",
+        "property": "env",
+        "message": "Use envVars from src/lib/env.ts instead of reading process.env directly.",
+      },
+    ],
   },
+  "overrides": [
+    {
+      "files": ["src/lib/env.ts"],
+      "rules": {
+        "no-restricted-properties": "off",
+      },
+    },
+  ],
 };
diff --git a/packages/template/src/components-page/account-settings/payments/payments-panel.tsx b/packages/template/src/components-page/account-settings/payments/payments-panel.tsx
index 7050ed4ac8..8ef9247c0e 100644
--- a/packages/template/src/components-page/account-settings/payments/payments-panel.tsx
+++ b/packages/template/src/components-page/account-settings/payments/payments-panel.tsx
@@ -7,6 +7,7 @@ import { CardElement, Elements, useElements, useStripe } from "@stripe/react-str
 import { loadStripe } from "@stripe/stripe-js";
 import { useMemo, useState } from "react";
 import { useStackApp } from "../../..";
+import { envVars } from "../../../lib/env";
 import { useTranslation } from "../../../lib/translations";
 import { Section } from "../section";
 import { Result } from "@stackframe/stack-shared/dist/utils/results";
@@ -244,7 +245,7 @@ function RealPaymentsPanel(props: { title?: string, customer: CustomerLike, cust
 
   const stripePromise = useMemo(() => {
     if (!setupIntentStripeAccountId) return null;
-    const publishableKey = process.env.NEXT_PUBLIC_STACK_STRIPE_PUBLISHABLE_KEY;
+    const publishableKey = envVars.NEXT_PUBLIC_STACK_STRIPE_PUBLISHABLE_KEY;
     if (!publishableKey) return null;
     return loadStripe(publishableKey, { stripeAccount: setupIntentStripeAccountId });
   }, [setupIntentStripeAccountId]);
@@ -258,7 +259,7 @@ function RealPaymentsPanel(props: { title?: string, customer: CustomerLike, cust
       });
       return;
     }
-    alert(`An unhandled error occurred. Please ${process.env.NODE_ENV === "development" ? "check the browser console for the full error." : "report this to the developer."}\n\n${error}`);
+    alert(`An unhandled error occurred. Please ${envVars.NODE_ENV === "development" ? "check the browser console for the full error." : "report this to the developer."}\n\n${error}`);
   };
 
   const openPaymentDialog = () => {
diff --git a/packages/template/src/components-page/oauth-callback.tsx b/packages/template/src/components-page/oauth-callback.tsx
index 297095d762..44694ee9f0 100644
--- a/packages/template/src/components-page/oauth-callback.tsx
+++ b/packages/template/src/components-page/oauth-callback.tsx
@@ -7,6 +7,7 @@ import { useEffect, useRef, useState } from "react";
 import { useStackApp } from "..";
 import { MaybeFullPage } from "../components/elements/maybe-full-page";
 import { StyledLink } from "../components/link";
+import { envVars } from "../lib/env";
 import { useTranslation } from "../lib/translations";
 
 export function OAuthCallback({ fullPage }: { fullPage?: boolean }) {
@@ -20,13 +21,15 @@ export function OAuthCallback({ fullPage }: { fullPage?: boolean }) {
     if (called.current) return;
     called.current = true;
     let hasRedirected = false;
+    let callbackError: unknown = null;
     try {
       hasRedirected = await app.callOAuthCallback();
     } catch (e) {
+      callbackError = e;
       captureError("<OAuthCallback />", e);
       setError(e);
     }
-    if (!hasRedirected && (!error || process.env.NODE_ENV === 'production')) {
+    if (!hasRedirected && (callbackError == null || envVars.NODE_ENV === "production")) {
       await app.redirectToSignIn({ noRedirectBack: true });
     }
   }), []);
diff --git a/packages/template/src/components-page/stack-handler-client.tsx b/packages/template/src/components-page/stack-handler-client.tsx
index 79f1896520..e0558df41e 100644
--- a/packages/template/src/components-page/stack-handler-client.tsx
+++ b/packages/template/src/components-page/stack-handler-client.tsx
@@ -7,7 +7,8 @@ import { notFound, redirect, RedirectType, usePathname, useSearchParams } from '
 import { useMemo } from 'react';
 import { SignIn, SignUp, StackServerApp } from "..";
 import { useStackApp } from "../lib/hooks";
-import { HandlerUrls, StackClientApp } from "../lib/stack-app";
+import { HandlerUrls, StackClientApp, stackAppInternalsSymbol } from "../lib/stack-app";
+import { resolveUnknownHandlerPathFallbackUrl } from "../lib/stack-app/url-targets";
 import { AccountSettings } from "./account-settings";
 import { CliAuthConfirmation } from "./cli-auth-confirm";
 import { EmailVerification } from "./email-verification";
@@ -64,6 +65,8 @@ const availablePaths = {
   onboarding: 'onboarding',
 } as const;
 
+const placeholderOrigin = "http://example.com";
+
 const pathAliases = {
   // also includes the uppercase and non-dashed versions
   ...Object.fromEntries(Object.entries(availablePaths).map(([key, value]) => [value, value])),
@@ -84,10 +87,11 @@ function renderComponent(props: {
   fullPage: boolean,
   componentProps?: BaseHandlerProps['componentProps'],
   redirectIfNotHandler?: (name: keyof HandlerUrls) => void,
+  getDefaultUnknownPathUrl?: (path: string) => string | null,
   onNotFound: () => any,
   app: StackClientApp<any> | StackServerApp<any>,
 }) {
-  const { path, searchParams, fullPage, componentProps, redirectIfNotHandler, onNotFound, app } = props;
+  const { path, searchParams, fullPage, componentProps, redirectIfNotHandler, getDefaultUnknownPathUrl, onNotFound, app } = props;
 
   switch (path) {
     case availablePaths.signIn: {
@@ -202,6 +206,14 @@ function renderComponent(props: {
           return { redirect: redirectUrl };
         }
       }
+      const defaultUnknownPathUrl = getDefaultUnknownPathUrl?.(path);
+      if (defaultUnknownPathUrl != null) {
+        const defaultUnknownPathUrlObject = new URL(defaultUnknownPathUrl, "http://example.com");
+        for (const [key, value] of Object.entries(searchParams)) {
+          defaultUnknownPathUrlObject.searchParams.set(key, value);
+        }
+        return { redirect: toAbsoluteOrRelativeRedirectTarget(defaultUnknownPathUrlObject) };
+      }
       return onNotFound();
     }
   }
@@ -221,7 +233,7 @@ export function StackHandlerClient(props: BaseHandlerProps & Partial<RouteProps>
   const searchParamsSource = new URLSearchParams(window.location.search);
   END_PLATFORM */
 
-  const { path, searchParams } = useMemo(() => {
+  const { path, searchParams, handlerPath } = useMemo(() => {
     const handlerPath = new URL(stackApp.urls.handler, 'http://example.com').pathname;
     const relativePath = currentLocation.startsWith(handlerPath)
       ? currentLocation.slice(handlerPath.length).replace(/^\/+/, '')
@@ -229,27 +241,43 @@ export function StackHandlerClient(props: BaseHandlerProps & Partial<RouteProps>
 
     return {
       path: relativePath,
-      searchParams: Object.fromEntries(searchParamsSource.entries())
+      searchParams: Object.fromEntries(searchParamsSource.entries()),
+      handlerPath,
     };
   }, [currentLocation, searchParamsSource, stackApp.urls.handler]);
 
+  const getDefaultUnknownPathUrl = (unknownPath: string): string | null => {
+    return resolveUnknownHandlerPathFallbackUrl({
+      defaultTarget: stackApp[stackAppInternalsSymbol].getConstructorOptions().urls?.default,
+      projectId: stackApp.projectId,
+      unknownPath,
+    });
+  };
+
   const redirectIfNotHandler = (name: keyof HandlerUrls) => {
     const url = stackApp.urls[name];
-    const handlerUrl = stackApp.urls.handler;
-
-    if (url !== handlerUrl && url.startsWith(handlerUrl + "/")) {
+    const isCrossDomainLocalOauthCallback = name === "oauthCallback" && searchParams.stack_cross_domain_auth === "1";
+    if (isCrossDomainLocalOauthCallback) {
+      return;
+    }
+    const urlObject = new URL(url, placeholderOrigin);
+    const isHandlerPathTarget = urlObject.pathname === handlerPath || urlObject.pathname.startsWith(`${handlerPath}/`);
+    const isLocalHandlerTarget = typeof window === "undefined"
+      ? isHandlerPathTarget
+      : urlObject.origin === window.location.origin && isHandlerPathTarget;
+    if (isLocalHandlerTarget) {
       return;
     }
 
-    const urlObj = new URL(url, 'http://example.com');
+    const urlObj = new URL(url, placeholderOrigin);
     for (const [key, value] of Object.entries(searchParams)) {
       urlObj.searchParams.set(key, value);
     }
 
     // IF_PLATFORM next
-    redirect(getRelativePart(urlObj), RedirectType.replace);
+    redirect(toAbsoluteOrRelativeRedirectTarget(urlObj), RedirectType.replace);
     /* ELSE_IF_PLATFORM react
-    window.location.href = getRelativePart(urlObj);
+    window.location.href = toAbsoluteOrRelativeRedirectTarget(urlObj);
     END_PLATFORM */
   };
 
@@ -259,6 +287,7 @@ export function StackHandlerClient(props: BaseHandlerProps & Partial<RouteProps>
     fullPage: props.fullPage,
     componentProps: props.componentProps,
     redirectIfNotHandler,
+    getDefaultUnknownPathUrl,
     onNotFound: () =>
       // IF_PLATFORM next
       notFound()
@@ -294,3 +323,7 @@ export function StackHandlerClient(props: BaseHandlerProps & Partial<RouteProps>
 function filterUndefinedINU<T extends {}>(value: T | undefined): FilterUndefined<T> | undefined {
   return value === undefined ? value : filterUndefined(value);
 }
+
+function toAbsoluteOrRelativeRedirectTarget(url: URL): string {
+  return url.origin === "http://example.com" ? getRelativePart(url) : url.toString();
+}
diff --git a/packages/template/src/lib/auth.ts b/packages/template/src/lib/auth.ts
index 981048762b..be1ed15d93 100644
--- a/packages/template/src/lib/auth.ts
+++ b/packages/template/src/lib/auth.ts
@@ -1,5 +1,4 @@
 import { KnownError, StackClientInterface } from "@stackframe/stack-shared";
-import { KnownErrors } from "@stackframe/stack-shared";
 import { InternalSession } from "@stackframe/stack-shared/dist/sessions";
 import { StackAssertionError, throwErr } from "@stackframe/stack-shared/dist/utils/errors";
 import { neverResolve } from "@stackframe/stack-shared/dist/utils/promises";
@@ -7,7 +6,6 @@ import { Result } from "@stackframe/stack-shared/dist/utils/results";
 import { deindent } from "@stackframe/stack-shared/dist/utils/strings";
 import { constructRedirectUrl } from "../utils/url";
 import { consumeVerifierAndStateCookie, saveVerifierAndState } from "./cookie";
-
 export async function addNewOAuthProviderOrScope(
   iface: StackClientInterface,
   options: {
diff --git a/packages/template/src/lib/env.ts b/packages/template/src/lib/env.ts
new file mode 100644
index 0000000000..e876adaa8b
--- /dev/null
+++ b/packages/template/src/lib/env.ts
@@ -0,0 +1,80 @@
+/**
+ * Centralized environment-variable reads for the SDK.
+ *
+ * Keep each key explicit and reference `process.env.KEY` directly so bundlers
+ * like Next.js can inline values at build time.
+ */
+export const envVars = {
+  get NEXT_PUBLIC_STACK_PORT_PREFIX() {
+    return (typeof process !== "undefined" ? process.env.NEXT_PUBLIC_STACK_PORT_PREFIX : undefined) ?? undefined;
+  },
+  get NEXT_PUBLIC_STACK_PROJECT_ID() {
+    return (typeof process !== "undefined" ? process.env.NEXT_PUBLIC_STACK_PROJECT_ID : undefined) ?? undefined;
+  },
+  get STACK_PROJECT_ID() {
+    return (typeof process !== "undefined" ? process.env.STACK_PROJECT_ID : undefined) ?? undefined;
+  },
+  get NEXT_PUBLIC_STACK_PUBLISHABLE_CLIENT_KEY() {
+    return (typeof process !== "undefined" ? process.env.NEXT_PUBLIC_STACK_PUBLISHABLE_CLIENT_KEY : undefined) ?? undefined;
+  },
+  get STACK_PUBLISHABLE_CLIENT_KEY() {
+    return (typeof process !== "undefined" ? process.env.STACK_PUBLISHABLE_CLIENT_KEY : undefined) ?? undefined;
+  },
+  get STACK_SECRET_SERVER_KEY() {
+    return (typeof process !== "undefined" ? process.env.STACK_SECRET_SERVER_KEY : undefined) ?? undefined;
+  },
+  get STACK_SUPER_SECRET_ADMIN_KEY() {
+    return (typeof process !== "undefined" ? process.env.STACK_SUPER_SECRET_ADMIN_KEY : undefined) ?? undefined;
+  },
+  get NEXT_PUBLIC_STACK_EXTRA_REQUEST_HEADERS() {
+    return (typeof process !== "undefined" ? process.env.NEXT_PUBLIC_STACK_EXTRA_REQUEST_HEADERS : undefined) ?? undefined;
+  },
+  get STACK_EXTRA_REQUEST_HEADERS() {
+    return (typeof process !== "undefined" ? process.env.STACK_EXTRA_REQUEST_HEADERS : undefined) ?? undefined;
+  },
+  get NEXT_PUBLIC_BROWSER_STACK_API_URL() {
+    return (typeof process !== "undefined" ? process.env.NEXT_PUBLIC_BROWSER_STACK_API_URL : undefined) ?? undefined;
+  },
+  get NEXT_PUBLIC_STACK_API_URL_BROWSER() {
+    return (typeof process !== "undefined" ? process.env.NEXT_PUBLIC_STACK_API_URL_BROWSER : undefined) ?? undefined;
+  },
+  get STACK_API_URL_BROWSER() {
+    return (typeof process !== "undefined" ? process.env.STACK_API_URL_BROWSER : undefined) ?? undefined;
+  },
+  get NEXT_PUBLIC_SERVER_STACK_API_URL() {
+    return (typeof process !== "undefined" ? process.env.NEXT_PUBLIC_SERVER_STACK_API_URL : undefined) ?? undefined;
+  },
+  get NEXT_PUBLIC_STACK_API_URL_SERVER() {
+    return (typeof process !== "undefined" ? process.env.NEXT_PUBLIC_STACK_API_URL_SERVER : undefined) ?? undefined;
+  },
+  get STACK_API_URL_SERVER() {
+    return (typeof process !== "undefined" ? process.env.STACK_API_URL_SERVER : undefined) ?? undefined;
+  },
+  get NEXT_PUBLIC_STACK_API_URL() {
+    return (typeof process !== "undefined" ? process.env.NEXT_PUBLIC_STACK_API_URL : undefined) ?? undefined;
+  },
+  get STACK_API_URL() {
+    return (typeof process !== "undefined" ? process.env.STACK_API_URL : undefined) ?? undefined;
+  },
+  get NEXT_PUBLIC_STACK_URL() {
+    return (typeof process !== "undefined" ? process.env.NEXT_PUBLIC_STACK_URL : undefined) ?? undefined;
+  },
+  get NEXT_PUBLIC_STACK_HOSTED_HANDLER_DOMAIN_SUFFIX() {
+    return (typeof process !== "undefined" ? process.env.NEXT_PUBLIC_STACK_HOSTED_HANDLER_DOMAIN_SUFFIX : undefined) ?? undefined;
+  },
+  get NEXT_PUBLIC_STACK_HOSTED_HANDLER_URL_TEMPLATE() {
+    return (typeof process !== "undefined" ? process.env.NEXT_PUBLIC_STACK_HOSTED_HANDLER_URL_TEMPLATE : undefined) ?? undefined;
+  },
+  get NEXT_PUBLIC_STACK_STRIPE_PUBLISHABLE_KEY() {
+    return (typeof process !== "undefined" ? process.env.NEXT_PUBLIC_STACK_STRIPE_PUBLISHABLE_KEY : undefined) ?? undefined;
+  },
+  get NEXT_PUBLIC_STACK_BOT_CHALLENGE_SITE_KEY() {
+    return (typeof process !== "undefined" ? process.env.NEXT_PUBLIC_STACK_BOT_CHALLENGE_SITE_KEY : undefined) ?? undefined;
+  },
+  get NEXT_PUBLIC_STACK_BOT_CHALLENGE_INVISIBLE_SITE_KEY() {
+    return (typeof process !== "undefined" ? process.env.NEXT_PUBLIC_STACK_BOT_CHALLENGE_INVISIBLE_SITE_KEY : undefined) ?? undefined;
+  },
+  get NODE_ENV() {
+    return (typeof process !== "undefined" ? process.env.NODE_ENV : undefined) ?? undefined;
+  },
+};
diff --git a/packages/template/src/lib/stack-app/apps/implementations/client-app-impl.ts b/packages/template/src/lib/stack-app/apps/implementations/client-app-impl.ts
index 391a509a95..2fa132dfda 100644
--- a/packages/template/src/lib/stack-app/apps/implementations/client-app-impl.ts
+++ b/packages/template/src/lib/stack-app/apps/implementations/client-app-impl.ts
@@ -33,7 +33,7 @@ import { Store, storeLock } from "@stackframe/stack-shared/dist/utils/stores";
 import { deindent, mergeScopeStrings } from "@stackframe/stack-shared/dist/utils/strings";
 import { BotChallengeExecutionFailedError, BotChallengeUserCancelledError, withBotChallengeFlow } from "@stackframe/stack-shared/dist/utils/turnstile-flow";
 import type { TurnstileAction } from "@stackframe/stack-shared/dist/utils/turnstile";
-import { getRelativePart, isRelative } from "@stackframe/stack-shared/dist/utils/urls";
+import { isRelative } from "@stackframe/stack-shared/dist/utils/urls";
 import { generateUuid } from "@stackframe/stack-shared/dist/utils/uuids";
 import * as cookie from "cookie";
 import * as NextNavigationUnscrambled from "next/navigation"; // import the entire module to get around some static compiler warnings emitted by Next.js in some cases | THIS_LINE_PLATFORM next
@@ -42,8 +42,9 @@ import type * as yup from "yup";
 import { constructRedirectUrl } from "../../../../utils/url";
 import { addNewOAuthProviderOrScope, callOAuthCallback } from "../../../auth";
 import { CookieHelper, createBrowserCookieHelper, createCookieHelper, createPlaceholderCookieHelper, deleteCookie, deleteCookieClient, isSecure as isSecureCookieContext, saveVerifierAndState, setOrDeleteCookie, setOrDeleteCookieClient } from "../../../cookie";
+import { envVars } from "../../../env";
 import { ApiKey, ApiKeyCreationOptions, ApiKeyUpdateOptions, apiKeyCreationOptionsToCrud } from "../../api-keys";
-import { ConvexCtx, GetCurrentPartialUserOptions, GetCurrentUserOptions, HandlerUrls, OAuthScopesOnSignIn, RedirectMethod, RedirectToOptions, RequestLike, TokenStoreInit, stackAppInternalsSymbol } from "../../common";
+import { ConvexCtx, GetCurrentPartialUserOptions, GetCurrentUserOptions, HandlerUrlOptions, HandlerUrls, OAuthScopesOnSignIn, RedirectMethod, RedirectToOptions, RequestLike, ResolvedHandlerUrls, TokenStoreInit, stackAppInternalsSymbol } from "../../common";
 import { DeprecatedOAuthConnection, OAuthConnection } from "../../connected-accounts";
 import { ContactChannel, ContactChannelCreateOptions, ContactChannelUpdateOptions, contactChannelCreateOptionsToCrud, contactChannelUpdateOptionsToCrud } from "../../contact-channels";
 import { Customer, CustomerBilling, CustomerDefaultPaymentMethod, CustomerInvoiceStatus, CustomerInvoicesList, CustomerInvoicesListOptions, CustomerInvoicesRequestOptions, CustomerPaymentMethodSetupIntent, CustomerProductsList, CustomerProductsListOptions, CustomerProductsRequestOptions, Item } from "../../customers";
@@ -51,11 +52,14 @@ import { NotificationCategory } from "../../notification-categories";
 import { TeamPermission } from "../../permissions";
 import { AdminOwnedProject, AdminProjectUpdateOptions, Project, adminProjectCreateOptionsToCrud } from "../../projects";
 import { EditableTeamMemberProfile, ReceivedTeamInvitation, SentTeamInvitation, Team, TeamCreateOptions, TeamUpdateOptions, TeamUser, teamCreateOptionsToCrud, teamUpdateOptionsToCrud } from "../../teams";
+import { isHostedHandlerUrlForProject, resolveHandlerUrls } from "../../url-targets";
 import { ActiveSession, Auth, BaseUser, CurrentUser, InternalUserExtra, OAuthProvider, ProjectCurrentUser, SyncedPartialUser, TokenPartialUser, UserExtra, UserUpdateOptions, userUpdateOptionsToCrud, withUserDestructureGuard } from "../../users";
 import { StackClientApp, StackClientAppConstructorOptions, StackClientAppJson } from "../interfaces/client-app";
 import { _StackAdminAppImplIncomplete } from "./admin-app-impl";
 import { TokenObject, clientVersion, createCache, createCacheBySession, createEmptyTokenStore, getAnalyticsBaseUrl, getBaseUrl, getDefaultExtraRequestHeaders, getDefaultProjectId, getDefaultPublishableClientKey, getUrls, resolveConstructorOptions } from "./common";
 import { EventTracker } from "./event-tracker";
+import { crossDomainAuthQueryParams, getCrossDomainHandoffParamsFromCurrentUrl, planRedirectToHandler } from "./redirect-page-urls";
+import type { CrossDomainHandoffParams } from "./redirect-page-urls";
 import { AnalyticsOptions, SessionRecorder, analyticsOptionsFromJson, analyticsOptionsToJson } from "./session-replay";
 
 // IF_PLATFORM react-like
@@ -72,8 +76,7 @@ isReactServer = sc.isReactServer;
 const NextNavigation = scrambleDuringCompileTime(NextNavigationUnscrambled);
 // END_PLATFORM
 
-// hack to make sure process is defined in non-node environments
-const process = (globalThis as any).process ?? { env: {} }; // THIS_LINE_PLATFORM js react
+const prefetchedCrossDomainHandoffTtlMs = 55 * 60 * 1000;
 
 const allClientApps = new Map<string, [checkString: string | undefined, app: StackClientApp<any, any>]>();
 
@@ -95,7 +98,7 @@ export class _StackClientAppImplIncomplete<HasTokenStore extends boolean, Projec
   protected _interface: StackClientInterface;
   protected readonly _tokenStoreInit: TokenStoreInit<HasTokenStore>;
   protected readonly _redirectMethod: RedirectMethod | undefined;
-  protected readonly _urlOptions: Partial<HandlerUrls>;
+  protected readonly _urlOptions: HandlerUrlOptions;
   protected readonly _oauthScopesOnSignIn: Partial<OAuthScopesOnSignIn>;
 
   private readonly _analyticsOptions: AnalyticsOptions | undefined;
@@ -374,6 +377,9 @@ export class _StackClientAppImplIncomplete<HasTokenStore extends boolean, Projec
   );
 
   private _anonymousSignUpInProgress: Promise<{ accessToken: string, refreshToken: string }> | null = null;
+  private _prefetchedCrossDomainHandoffParams: CrossDomainHandoffParams | null = null;
+  private _prefetchedCrossDomainHandoffParamsFetchedAt = 0;
+  private _isPrefetchingCrossDomainHandoffParams = false;
 
   protected async _createCookieHelper(overrideTokenStoreInit?: TokenStoreInit): Promise<CookieHelper> {
     const tokenStoreInit = overrideTokenStoreInit === undefined ? this._tokenStoreInit : overrideTokenStoreInit;
@@ -528,6 +534,7 @@ export class _StackClientAppImplIncomplete<HasTokenStore extends boolean, Projec
     this._redirectMethod = resolvedOptions.redirectMethod || "nextjs"; // THIS_LINE_PLATFORM next
     this._urlOptions = resolvedOptions.urls ?? {};
     this._oauthScopesOnSignIn = resolvedOptions.oauthScopesOnSignIn ?? {};
+    this._prefetchCrossDomainHandoffParamsIfNeeded();
 
     if (extraOptions && extraOptions.uniqueIdentifier) {
       this._uniqueIdentifier = extraOptions.uniqueIdentifier;
@@ -2137,7 +2144,7 @@ export class _StackClientAppImplIncomplete<HasTokenStore extends boolean, Projec
   private _getBotChallengeSiteKeys(): { visibleSiteKey: string, invisibleSiteKey: string } | null {
     if (!isBrowserLike()) return null;
 
-    const visibleSiteKey = process.env.NEXT_PUBLIC_STACK_BOT_CHALLENGE_SITE_KEY;
+    const visibleSiteKey = envVars.NEXT_PUBLIC_STACK_BOT_CHALLENGE_SITE_KEY;
     if (!visibleSiteKey) {
       if (!this._botChallengeSiteKeysWarned) {
         this._botChallengeSiteKeysWarned = true;
@@ -2146,7 +2153,7 @@ export class _StackClientAppImplIncomplete<HasTokenStore extends boolean, Projec
       return null;
     }
 
-    const invisibleSiteKey = process.env.NEXT_PUBLIC_STACK_BOT_CHALLENGE_INVISIBLE_SITE_KEY ?? visibleSiteKey;
+    const invisibleSiteKey = envVars.NEXT_PUBLIC_STACK_BOT_CHALLENGE_INVISIBLE_SITE_KEY ?? visibleSiteKey;
 
     return { visibleSiteKey, invisibleSiteKey };
   }
@@ -2227,11 +2234,129 @@ export class _StackClientAppImplIncomplete<HasTokenStore extends boolean, Projec
   protected async _isTrusted(url: string): Promise<boolean> {
     // TODO: At some point, we should use the project's trusted domains for this instead of just requiring the URL to be relative
     // (note that when we do this, that should be on-top of the relativity check, not replacing it)
-    return isRelative(url) || (typeof window !== "undefined" && window.location.origin === new URL(url).origin);
+    if (isRelative(url)) {
+      return true;
+    }
+    if (typeof window !== "undefined" && window.location.origin === new URL(url).origin) {
+      return true;
+    }
+    return isHostedHandlerUrlForProject({ url, projectId: this.projectId });
+  }
+
+  get urls(): Readonly<ResolvedHandlerUrls> {
+    return getUrls(this._urlOptions, { projectId: this.projectId });
+  }
+
+  protected _prefetchCrossDomainHandoffParamsIfNeeded() {
+    const canWriteOauthVerifierCookie = this._tokenStoreInit === "cookie" || this._tokenStoreInit === "nextjs-cookie";
+    if (
+      !isBrowserLike()
+      || !canWriteOauthVerifierCookie
+      || this._isPrefetchingCrossDomainHandoffParams
+      || this._getFreshPrefetchedCrossDomainHandoffParams() != null
+    ) {
+      return;
+    }
+    this._isPrefetchingCrossDomainHandoffParams = true;
+    runAsynchronously(async () => {
+      try {
+        if (!isBrowserLike()) {
+          return;
+        }
+        const { state, codeChallenge } = await saveVerifierAndState();
+        this._prefetchedCrossDomainHandoffParams = { state, codeChallenge };
+        this._prefetchedCrossDomainHandoffParamsFetchedAt = performance.now();
+      } finally {
+        this._isPrefetchingCrossDomainHandoffParams = false;
+      }
+    });
+  }
+
+  protected _getCrossDomainHandoffParamsForUrlsGetter(currentUrl: URL): CrossDomainHandoffParams | null {
+    const fromQuery = getCrossDomainHandoffParamsFromCurrentUrl(currentUrl);
+    if (fromQuery != null) {
+      return fromQuery;
+    }
+
+    const prefetched = this._getFreshPrefetchedCrossDomainHandoffParams();
+    if (prefetched != null) {
+      return prefetched;
+    }
+
+    this._prefetchCrossDomainHandoffParamsIfNeeded();
+    return null;
+  }
+
+  protected async _getCrossDomainHandoffParamsForRedirect(currentUrl: URL): Promise<CrossDomainHandoffParams> {
+    const fromQuery = getCrossDomainHandoffParamsFromCurrentUrl(currentUrl);
+    if (fromQuery != null) {
+      return fromQuery;
+    }
+    const prefetched = this._getFreshPrefetchedCrossDomainHandoffParams();
+    if (prefetched != null) {
+      return prefetched;
+    }
+    const { state, codeChallenge } = await saveVerifierAndState();
+    this._prefetchedCrossDomainHandoffParams = { state, codeChallenge };
+    this._prefetchedCrossDomainHandoffParamsFetchedAt = performance.now();
+    return { state, codeChallenge };
+  }
+
+  protected _getLocalOAuthCallbackHandlerUrl(): string {
+    return resolveHandlerUrls({
+      urls: {
+        ...this._urlOptions,
+        default: { type: "handler-component" },
+        oauthCallback: { type: "handler-component" },
+      },
+      projectId: this.projectId,
+    }).oauthCallback;
+  }
+
+  protected async _createCrossDomainAuthRedirectUrl(options: {
+    redirectUri: string,
+    state: string,
+    codeChallenge: string,
+    afterCallbackRedirectUrl: string,
+  }): Promise<string> {
+    const session = await this._getSession();
+    const response = await this._interface.sendClientRequest(
+      "/auth/oauth/cross-domain/authorize",
+      {
+        method: "POST",
+        headers: {
+          "Content-Type": "application/json",
+        },
+        body: JSON.stringify({
+          redirect_uri: options.redirectUri,
+          state: options.state,
+          code_challenge: options.codeChallenge,
+          code_challenge_method: "S256",
+          after_callback_redirect_url: options.afterCallbackRedirectUrl,
+        }),
+      },
+      session,
+    );
+    if (!response.ok) {
+      throw new StackAssertionError(`Cross-domain authorization endpoint failed: ${response.status} ${await response.text()}`);
+    }
+    const result = await response.json();
+    if (!("redirect_url" in result) || typeof result.redirect_url !== "string") {
+      throw new StackAssertionError("Cross-domain authorization endpoint returned an invalid payload", { result });
+    }
+    return result.redirect_url;
   }
 
-  get urls(): Readonly<HandlerUrls> {
-    return getUrls(this._urlOptions);
+  protected _getFreshPrefetchedCrossDomainHandoffParams(): CrossDomainHandoffParams | null {
+    if (this._prefetchedCrossDomainHandoffParams == null) {
+      return null;
+    }
+    if (performance.now() - this._prefetchedCrossDomainHandoffParamsFetchedAt > prefetchedCrossDomainHandoffTtlMs) {
+      this._prefetchedCrossDomainHandoffParams = null;
+      this._prefetchedCrossDomainHandoffParamsFetchedAt = 0;
+      return null;
+    }
+    return this._prefetchedCrossDomainHandoffParams;
   }
 
   protected async _getCurrentUrl() {
@@ -2285,37 +2410,36 @@ export class _StackClientAppImplIncomplete<HasTokenStore extends boolean, Projec
   }
 
   protected async _redirectToHandler(handlerName: keyof HandlerUrls, options?: RedirectToOptions) {
-    let url = this.urls[handlerName];
-    if (!url) {
+    const rawUrls = getUrls(this._urlOptions, { projectId: this.projectId });
+    const rawHandlerUrl = rawUrls[handlerName];
+    if (!rawHandlerUrl) {
       throw new Error(`No URL for handler name ${handlerName}`);
     }
 
-    if (!options?.noRedirectBack) {
-      if (handlerName === "afterSignIn" || handlerName === "afterSignUp") {
-        if (isReactServer || typeof window === "undefined") {
-          // TODO implement this
-        } else {
-          const queryParams = new URLSearchParams(window.location.search);
-          url = queryParams.get("after_auth_return_to") || url;
-        }
-      } else if (handlerName === "signIn" || handlerName === "signUp" || handlerName === "onboarding") {
-        // For signIn, signUp, and onboarding, preserve the return URL so user can be redirected back after completing the flow
-        if (isReactServer || typeof window === "undefined") {
-          // TODO implement this
-        } else {
-          const currentUrl = new URL(window.location.href);
-          const nextUrl = new URL(url, currentUrl);
-          if (currentUrl.searchParams.has("after_auth_return_to")) {
-            nextUrl.searchParams.set("after_auth_return_to", currentUrl.searchParams.get("after_auth_return_to")!);
-          } else if (currentUrl.protocol === nextUrl.protocol && currentUrl.host === nextUrl.host) {
-            nextUrl.searchParams.set("after_auth_return_to", getRelativePart(currentUrl));
-          }
-          url = getRelativePart(nextUrl);
-        }
-      }
+    const currentUrl = isReactServer || typeof window === "undefined"
+      ? null
+      : new URL(window.location.href);
+    const plan = await planRedirectToHandler({
+      handlerName,
+      rawHandlerUrl,
+      noRedirectBack: options?.noRedirectBack === true,
+      currentUrl,
+      localOAuthCallbackUrl: this._getLocalOAuthCallbackHandlerUrl(),
+      getCrossDomainHandoffParams: async (href) => await this._getCrossDomainHandoffParamsForRedirect(href),
+    });
+
+    if (plan.type === "cross-domain-authorize") {
+      const crossDomainRedirectUrl = await this._createCrossDomainAuthRedirectUrl({
+        redirectUri: plan.redirectUri,
+        state: plan.state,
+        codeChallenge: plan.codeChallenge,
+        afterCallbackRedirectUrl: plan.afterCallbackRedirectUrl,
+      });
+      await this._redirectTo({ url: crossDomainRedirectUrl, ...options });
+      return;
     }
 
-    await this._redirectIfTrusted(url, options);
+    await this._redirectIfTrusted(plan.url, options);
   }
 
   async redirectToSignIn(options?: RedirectToOptions) { return await this._redirectToHandler("signIn", options); }
@@ -2617,6 +2741,10 @@ export class _StackClientAppImplIncomplete<HasTokenStore extends boolean, Projec
 
     this._ensurePersistentTokenStore();
     const session = await this._getSession();
+    const currentUrl = new URL(window.location.href);
+    const afterCallbackRedirectUrl = currentUrl.searchParams.has("after_auth_return_to")
+      ? currentUrl.toString()
+      : undefined;
     const siteKeys = this._getBotChallengeSiteKeys();
     const { codeChallenge, state } = await saveVerifierAndState();
 
@@ -2625,6 +2753,7 @@ export class _StackClientAppImplIncomplete<HasTokenStore extends boolean, Projec
         provider,
         redirectUrl: constructRedirectUrl(options?.returnTo ?? this.urls.oauthCallback, "redirectUrl"),
         errorRedirectUrl: constructRedirectUrl(this.urls.error, "errorRedirectUrl"),
+        afterCallbackRedirectUrl,
         type: "authenticate",
         providerScope: this._oauthScopesOnSignIn[provider]?.join(" "),
         codeChallenge,
@@ -3016,10 +3145,17 @@ export class _StackClientAppImplIncomplete<HasTokenStore extends boolean, Projec
       throw new Error("callOAuthCallback can currently only be called in a browser environment");
     }
     this._ensurePersistentTokenStore();
+    let oauthCallbackRedirectUri = this.urls.oauthCallback;
+    const currentUrl = new URL(window.location.href);
+    if (currentUrl.searchParams.get(crossDomainAuthQueryParams.marker) === "1") {
+      currentUrl.searchParams.delete("code");
+      currentUrl.searchParams.delete("state");
+      oauthCallbackRedirectUri = currentUrl.toString();
+    }
     let result;
     try {
       result = await this._catchMfaRequiredError(async () => {
-        return await callOAuthCallback(this._interface, this.urls.oauthCallback);
+        return await callOAuthCallback(this._interface, oauthCallbackRedirectUri);
       });
     } catch (e) {
       if (KnownErrors.InvalidTotpCode.isInstance(e)) {
diff --git a/packages/template/src/lib/stack-app/apps/implementations/common.ts b/packages/template/src/lib/stack-app/apps/implementations/common.ts
index 7faa08f441..0f83c1bd2a 100644
--- a/packages/template/src/lib/stack-app/apps/implementations/common.ts
+++ b/packages/template/src/lib/stack-app/apps/implementations/common.ts
@@ -9,10 +9,9 @@ import { suspendIfSsr, use } from "@stackframe/stack-shared/dist/utils/react";
 import { Result } from "@stackframe/stack-shared/dist/utils/results";
 import { Store } from "@stackframe/stack-shared/dist/utils/stores";
 import React, { useCallback } from "react"; // THIS_LINE_PLATFORM react-like
-import { HandlerUrls, stackAppInternalsSymbol } from "../../common";
-
-// hack to make sure process is defined in non-node environments
-const process = (globalThis as any).process ?? { env: {} }; // THIS_LINE_PLATFORM js react
+import { envVars } from "../../../env";
+import { HandlerUrlOptions, ResolvedHandlerUrls, stackAppInternalsSymbol } from "../../common";
+import { resolveHandlerUrls } from "../../url-targets";
 
 export const clientVersion = "STACK_COMPILE_TIME_CLIENT_PACKAGE_VERSION_SENTINEL";
 if (clientVersion.startsWith("STACK_COMPILE_TIME")) {
@@ -21,7 +20,7 @@ if (clientVersion.startsWith("STACK_COMPILE_TIME")) {
 
 const replaceStackPortPrefix = <T extends string | undefined>(input: T): T => {
   if (!input) return input;
-  const prefix = process.env.NEXT_PUBLIC_STACK_PORT_PREFIX;
+  const prefix = envVars.NEXT_PUBLIC_STACK_PORT_PREFIX;
   return prefix ? input.replace(/\$\{NEXT_PUBLIC_STACK_PORT_PREFIX:-81\}/g, prefix) as T : input;
 };
 
@@ -54,51 +53,31 @@ export function resolveConstructorOptions<T extends { inheritsFrom?: AppLike }>(
   };
 }
 
-export function getUrls(partial: Partial<HandlerUrls>): HandlerUrls {
-  const handler = partial.handler ?? "/handler";
-  const home = partial.home ?? "/";
-  const afterSignIn = partial.afterSignIn ?? home;
-  return {
-    handler,
-    signIn: `${handler}/sign-in`,
-    afterSignIn: home,
-    signUp: `${handler}/sign-up`,
-    afterSignUp: afterSignIn,
-    signOut: `${handler}/sign-out`,
-    afterSignOut: home,
-    emailVerification: `${handler}/email-verification`,
-    passwordReset: `${handler}/password-reset`,
-    forgotPassword: `${handler}/forgot-password`,
-    oauthCallback: `${handler}/oauth-callback`,
-    magicLinkCallback: `${handler}/magic-link-callback`,
-    home: home,
-    accountSettings: `${handler}/account-settings`,
-    error: `${handler}/error`,
-    teamInvitation: `${handler}/team-invitation`,
-    mfa: `${handler}/mfa`,
-    onboarding: `${handler}/onboarding`,
-    ...filterUndefined(partial),
-  };
+export function getUrls(partial: HandlerUrlOptions, options: { projectId: string }): ResolvedHandlerUrls {
+  return resolveHandlerUrls({
+    urls: partial,
+    projectId: options.projectId,
+  });
 }
 
 export function getDefaultProjectId() {
-  return process.env.NEXT_PUBLIC_STACK_PROJECT_ID || process.env.STACK_PROJECT_ID || throwErr(new Error("Welcome to Stack Auth! It seems that you haven't provided a project ID. Please create a project on the Stack dashboard at https://app.stack-auth.com and put it in the NEXT_PUBLIC_STACK_PROJECT_ID environment variable."));
+  return envVars.NEXT_PUBLIC_STACK_PROJECT_ID || envVars.STACK_PROJECT_ID || throwErr(new Error("Welcome to Stack Auth! It seems that you haven't provided a project ID. Please create a project on the Stack dashboard at https://app.stack-auth.com and put it in the NEXT_PUBLIC_STACK_PROJECT_ID environment variable."));
 }
 
 export function getDefaultPublishableClientKey() {
-  return process.env.NEXT_PUBLIC_STACK_PUBLISHABLE_CLIENT_KEY || process.env.STACK_PUBLISHABLE_CLIENT_KEY;
+  return envVars.NEXT_PUBLIC_STACK_PUBLISHABLE_CLIENT_KEY || envVars.STACK_PUBLISHABLE_CLIENT_KEY;
 }
 
 export function getDefaultSecretServerKey() {
-  return process.env.STACK_SECRET_SERVER_KEY || throwErr(new Error("No secret server key provided. Please copy your key from the Stack dashboard and put it in the STACK_SECRET_SERVER_KEY environment variable."));
+  return envVars.STACK_SECRET_SERVER_KEY || throwErr(new Error("No secret server key provided. Please copy your key from the Stack dashboard and put it in the STACK_SECRET_SERVER_KEY environment variable."));
 }
 
 export function getDefaultSuperSecretAdminKey() {
-  return process.env.STACK_SUPER_SECRET_ADMIN_KEY || throwErr(new Error("No super secret admin key provided. Please copy your key from the Stack dashboard and put it in the STACK_SUPER_SECRET_ADMIN_KEY environment variable."));
+  return envVars.STACK_SUPER_SECRET_ADMIN_KEY || throwErr(new Error("No super secret admin key provided. Please copy your key from the Stack dashboard and put it in the STACK_SUPER_SECRET_ADMIN_KEY environment variable."));
 }
 
 export function getDefaultExtraRequestHeaders() {
-  return JSON.parse(process.env.NEXT_PUBLIC_STACK_EXTRA_REQUEST_HEADERS || process.env.STACK_EXTRA_REQUEST_HEADERS || '{}');
+  return JSON.parse(envVars.NEXT_PUBLIC_STACK_EXTRA_REQUEST_HEADERS || envVars.STACK_EXTRA_REQUEST_HEADERS || '{}');
 }
 
 /**
@@ -134,11 +113,11 @@ export function getBaseUrl(userSpecifiedBaseUrl: string | { browser: string, ser
   } else {
     // note: NEXT_PUBLIC_BROWSER_STACK_API_URL was renamed to NEXT_PUBLIC_STACK_API_URL_BROWSER, and NEXT_PUBLIC_STACK_URL to NEXT_PUBLIC_STACK_API_URL
     if (isBrowserLike()) {
-      url = process.env.NEXT_PUBLIC_BROWSER_STACK_API_URL || process.env.NEXT_PUBLIC_STACK_API_URL_BROWSER || process.env.STACK_API_URL_BROWSER;
+      url = envVars.NEXT_PUBLIC_BROWSER_STACK_API_URL || envVars.NEXT_PUBLIC_STACK_API_URL_BROWSER || envVars.STACK_API_URL_BROWSER;
     } else {
-      url = process.env.NEXT_PUBLIC_SERVER_STACK_API_URL || process.env.NEXT_PUBLIC_STACK_API_URL_SERVER || process.env.STACK_API_URL_SERVER;
+      url = envVars.NEXT_PUBLIC_SERVER_STACK_API_URL || envVars.NEXT_PUBLIC_STACK_API_URL_SERVER || envVars.STACK_API_URL_SERVER;
     }
-    url = url || process.env.NEXT_PUBLIC_STACK_API_URL || process.env.STACK_API_URL || process.env.NEXT_PUBLIC_STACK_URL || defaultBaseUrl;
+    url = url || envVars.NEXT_PUBLIC_STACK_API_URL || envVars.STACK_API_URL || envVars.NEXT_PUBLIC_STACK_URL || defaultBaseUrl;
   }
 
   return replaceStackPortPrefix(url.endsWith('/') ? url.slice(0, -1) : url);
diff --git a/packages/template/src/lib/stack-app/apps/implementations/event-tracker.ts b/packages/template/src/lib/stack-app/apps/implementations/event-tracker.ts
index f9d063753e..04cbe403f8 100644
--- a/packages/template/src/lib/stack-app/apps/implementations/event-tracker.ts
+++ b/packages/template/src/lib/stack-app/apps/implementations/event-tracker.ts
@@ -7,6 +7,26 @@ const FLUSH_INTERVAL_MS = 10_000;
 const MAX_EVENTS_PER_BATCH = 50;
 const MAX_APPROX_BYTES_PER_BATCH = 64_000;
 
+function hasScreenDimensions(value: unknown): value is { width: number, height: number } {
+  if (value == null || typeof value !== "object") {
+    return false;
+  }
+  if (!("width" in value) || !("height" in value)) {
+    return false;
+  }
+  return typeof value.width === "number" && typeof value.height === "number";
+}
+
+function hasHistoryMethods(value: unknown): value is { pushState: History["pushState"], replaceState: History["replaceState"] } {
+  if (value == null || typeof value !== "object") {
+    return false;
+  }
+  if (!("pushState" in value) || !("replaceState" in value)) {
+    return false;
+  }
+  return typeof value.pushState === "function" && typeof value.replaceState === "function";
+}
+
 export type EventTrackerDeps = {
   projectId: string,
   getAccessToken: () => Promise<string | null>,
@@ -31,8 +51,8 @@ export class EventTracker {
   private readonly _sessionReplaySegmentId: string;
   private readonly _deps: EventTrackerDeps;
 
-  private _originalPushState: typeof history.pushState | null = null;
-  private _originalReplaceState: typeof history.replaceState | null = null;
+  private _originalPushState: History["pushState"] | null = null;
+  private _originalReplaceState: History["replaceState"] | null = null;
 
   constructor(deps: EventTrackerDeps) {
     this._deps = deps;
@@ -42,6 +62,16 @@ export class EventTracker {
   start() {
     if (this._started) return;
     if (!isBrowserLike()) return;
+    const screenObject = Object.getOwnPropertyDescriptor(window, "screen")?.value;
+    if (
+      typeof window.addEventListener !== "function"
+      || typeof window.removeEventListener !== "function"
+      || typeof document.addEventListener !== "function"
+      || typeof document.removeEventListener !== "function"
+      || !hasScreenDimensions(screenObject)
+    ) {
+      return;
+    }
     this._started = true;
 
     this._setupPageViewCapture();
@@ -75,6 +105,11 @@ export class EventTracker {
   }
 
   private _capturePageView(entryType: "initial" | "push" | "replace" | "pop") {
+    const screenObject = Object.getOwnPropertyDescriptor(window, "screen")?.value;
+    if (!hasScreenDimensions(screenObject)) {
+      return;
+    }
+
     const url = window.location.href;
     if (url === this._lastUrl && entryType !== "initial") return;
     this._lastUrl = url;
@@ -90,8 +125,8 @@ export class EventTracker {
         entry_type: entryType,
         viewport_width: window.innerWidth,
         viewport_height: window.innerHeight,
-        screen_width: window.screen.width,
-        screen_height: window.screen.height,
+        screen_width: screenObject.width,
+        screen_height: screenObject.height,
       },
     });
   }
@@ -99,17 +134,23 @@ export class EventTracker {
   private _setupPageViewCapture() {
     // Fire initial page-view
     this._capturePageView("initial");
+    const historyObject = Object.getOwnPropertyDescriptor(window, "history")?.value;
+    if (!hasHistoryMethods(historyObject)) {
+      return;
+    }
+    const originalPushState = historyObject.pushState;
+    const originalReplaceState = historyObject.replaceState;
 
     // Monkey-patch history.pushState
-    this._originalPushState = history.pushState.bind(history);
-    history.pushState = (...args: Parameters<typeof history.pushState>) => {
+    this._originalPushState = (...args: Parameters<History["pushState"]>) => originalPushState.apply(historyObject, args);
+    historyObject.pushState = (...args: Parameters<History["pushState"]>) => {
       this._originalPushState!(...args);
       this._capturePageView("push");
     };
 
     // Monkey-patch history.replaceState
-    this._originalReplaceState = history.replaceState.bind(history);
-    history.replaceState = (...args: Parameters<typeof history.replaceState>) => {
+    this._originalReplaceState = (...args: Parameters<History["replaceState"]>) => originalReplaceState.apply(historyObject, args);
+    historyObject.replaceState = (...args: Parameters<History["replaceState"]>) => {
       this._originalReplaceState!(...args);
       this._capturePageView("replace");
     };
@@ -205,14 +246,17 @@ export class EventTracker {
     }
 
     // Restore history methods
-    if (this._originalPushState) {
-      history.pushState = this._originalPushState;
-      this._originalPushState = null;
-    }
-    if (this._originalReplaceState) {
-      history.replaceState = this._originalReplaceState;
-      this._originalReplaceState = null;
+    const historyObject = Object.getOwnPropertyDescriptor(window, "history")?.value;
+    if (hasHistoryMethods(historyObject)) {
+      if (this._originalPushState) {
+        historyObject.pushState = this._originalPushState;
+      }
+      if (this._originalReplaceState) {
+        historyObject.replaceState = this._originalReplaceState;
+      }
     }
+    this._originalPushState = null;
+    this._originalReplaceState = null;
 
     window.removeEventListener("popstate", this._onPopState);
     document.removeEventListener("click", this._onClickCapture, { capture: true });
diff --git a/packages/template/src/lib/stack-app/apps/implementations/redirect-page-urls.ts b/packages/template/src/lib/stack-app/apps/implementations/redirect-page-urls.ts
new file mode 100644
index 0000000000..91dd69a6a6
--- /dev/null
+++ b/packages/template/src/lib/stack-app/apps/implementations/redirect-page-urls.ts
@@ -0,0 +1,323 @@
+import { StackAssertionError } from "@stackframe/stack-shared/dist/utils/errors";
+import { getRelativePart } from "@stackframe/stack-shared/dist/utils/urls";
+import { HandlerUrls } from "../../common";
+
+export const crossDomainAuthQueryParams = {
+  marker: "stack_cross_domain_auth",
+  state: "stack_cross_domain_state",
+  codeChallenge: "stack_cross_domain_code_challenge",
+  afterCallbackRedirectUrl: "stack_cross_domain_after_callback_redirect_url",
+} as const;
+
+export type CrossDomainHandoffParams = {
+  state: string,
+  codeChallenge: string,
+};
+
+export function getCrossDomainHandoffParamsFromCurrentUrl(currentUrl: URL): CrossDomainHandoffParams | null {
+  const state = currentUrl.searchParams.get(crossDomainAuthQueryParams.state);
+  const codeChallenge = currentUrl.searchParams.get(crossDomainAuthQueryParams.codeChallenge);
+  if (state == null || codeChallenge == null) {
+    return null;
+  }
+  return { state, codeChallenge };
+}
+
+type RedirectBackAwareHandlerName = "signIn" | "signUp" | "onboarding" | "signOut";
+type HandlerRedirectPolicy = "none" | "redirect-back-aware" | "after-auth-return";
+
+type CrossDomainHandoffParamsMaybeMissing = {
+  state: string | null,
+  codeChallenge: string | null,
+  afterCallbackRedirectUrl: string | null,
+};
+
+function isRedirectBackAwareHandlerName(handlerName: keyof HandlerUrls): handlerName is RedirectBackAwareHandlerName {
+  return handlerName === "signIn"
+    || handlerName === "signUp"
+    || handlerName === "onboarding"
+    || handlerName === "signOut";
+}
+
+function hasCrossDomainHandoffParams(url: URL): boolean {
+  return (
+    url.searchParams.has(crossDomainAuthQueryParams.state)
+    && url.searchParams.has(crossDomainAuthQueryParams.codeChallenge)
+    && url.searchParams.has(crossDomainAuthQueryParams.afterCallbackRedirectUrl)
+  );
+}
+
+function buildCrossDomainAuthCallbackUrl(options: {
+  currentUrl: URL,
+  localOAuthCallbackUrl: string,
+  state?: string,
+  codeChallenge?: string,
+  afterCallbackRedirectUrl?: string,
+}): URL {
+  const localOAuthCallbackUrl = new URL(options.localOAuthCallbackUrl, options.currentUrl);
+  if (localOAuthCallbackUrl.origin !== options.currentUrl.origin) {
+    throw new StackAssertionError("Cross-domain auth callback URL must stay on the current origin", {
+      localOAuthCallbackUrl: localOAuthCallbackUrl.toString(),
+      currentUrl: options.currentUrl.toString(),
+    });
+  }
+  localOAuthCallbackUrl.searchParams.set(crossDomainAuthQueryParams.marker, "1");
+  if (options.state != null) {
+    localOAuthCallbackUrl.searchParams.set(crossDomainAuthQueryParams.state, options.state);
+  }
+  if (options.codeChallenge != null) {
+    localOAuthCallbackUrl.searchParams.set(crossDomainAuthQueryParams.codeChallenge, options.codeChallenge);
+  }
+  if (options.afterCallbackRedirectUrl != null) {
+    localOAuthCallbackUrl.searchParams.set(crossDomainAuthQueryParams.afterCallbackRedirectUrl, options.afterCallbackRedirectUrl);
+  }
+  return localOAuthCallbackUrl;
+}
+
+function buildRedirectBackAwareHandlerUrl(options: {
+  handlerName: RedirectBackAwareHandlerName,
+  rawHandlerUrl: string,
+  currentUrl: URL,
+  crossDomainHandoffParams: CrossDomainHandoffParams | null,
+  localOAuthCallbackUrl: string,
+}): string {
+  const nextUrl = new URL(options.rawHandlerUrl, options.currentUrl);
+  for (const preservedParam of [
+    "after_auth_return_to",
+    crossDomainAuthQueryParams.state,
+    crossDomainAuthQueryParams.codeChallenge,
+    crossDomainAuthQueryParams.afterCallbackRedirectUrl,
+  ]) {
+    const currentValue = options.currentUrl.searchParams.get(preservedParam);
+    if (currentValue != null && !nextUrl.searchParams.has(preservedParam)) {
+      nextUrl.searchParams.set(preservedParam, currentValue);
+    }
+  }
+
+  if (options.handlerName === "signOut") {
+    if (!nextUrl.searchParams.has("after_auth_return_to")) {
+      if (options.currentUrl.protocol === nextUrl.protocol && options.currentUrl.host === nextUrl.host) {
+        nextUrl.searchParams.set("after_auth_return_to", getRelativePart(options.currentUrl));
+      } else {
+        nextUrl.searchParams.set("after_auth_return_to", options.currentUrl.toString());
+      }
+    }
+    return nextUrl.origin === options.currentUrl.origin ? getRelativePart(nextUrl) : nextUrl.toString();
+  }
+
+  const isCrossDomainHandlerRedirect = options.currentUrl.origin !== nextUrl.origin;
+  if (isCrossDomainHandlerRedirect) {
+    if (!hasCrossDomainHandoffParams(nextUrl)) {
+      const inheritedAfterAuthReturnTo = options.currentUrl.searchParams.get("after_auth_return_to");
+      const afterCallbackRedirectUrl = inheritedAfterAuthReturnTo
+        ? new URL(inheritedAfterAuthReturnTo, options.currentUrl).toString()
+        : options.currentUrl.toString();
+      const callbackUrl = buildCrossDomainAuthCallbackUrl({
+        currentUrl: options.currentUrl,
+        localOAuthCallbackUrl: options.localOAuthCallbackUrl,
+        state: options.crossDomainHandoffParams?.state,
+        codeChallenge: options.crossDomainHandoffParams?.codeChallenge,
+        afterCallbackRedirectUrl,
+      });
+
+      nextUrl.searchParams.set("after_auth_return_to", callbackUrl.toString());
+      nextUrl.searchParams.set(crossDomainAuthQueryParams.afterCallbackRedirectUrl, afterCallbackRedirectUrl);
+      if (options.crossDomainHandoffParams != null) {
+        nextUrl.searchParams.set(crossDomainAuthQueryParams.state, options.crossDomainHandoffParams.state);
+        nextUrl.searchParams.set(crossDomainAuthQueryParams.codeChallenge, options.crossDomainHandoffParams.codeChallenge);
+      }
+    }
+  } else if (options.currentUrl.protocol === nextUrl.protocol && options.currentUrl.host === nextUrl.host && !nextUrl.searchParams.has("after_auth_return_to")) {
+    nextUrl.searchParams.set("after_auth_return_to", getRelativePart(options.currentUrl));
+  }
+
+  return nextUrl.origin === options.currentUrl.origin ? getRelativePart(nextUrl) : nextUrl.toString();
+}
+
+function getHandlerRedirectPolicy(handlerName: keyof HandlerUrls): HandlerRedirectPolicy {
+  if (handlerName === "afterSignIn" || handlerName === "afterSignUp") {
+    return "after-auth-return";
+  }
+  if (isRedirectBackAwareHandlerName(handlerName)) {
+    return "redirect-back-aware";
+  }
+  return "none";
+}
+
+type RedirectToHandlerPlan =
+  | { type: "redirect", url: string }
+  | {
+    type: "cross-domain-authorize",
+    redirectUri: string,
+    state: string,
+    codeChallenge: string,
+    afterCallbackRedirectUrl: string,
+  };
+
+
+async function resolveRedirectBackAwareHandlerUrlForRedirect(options: {
+  handlerName: RedirectBackAwareHandlerName,
+  rawHandlerUrl: string,
+  currentUrl: URL,
+  localOAuthCallbackUrl: string,
+  getCrossDomainHandoffParams: (currentUrl: URL) => Promise<CrossDomainHandoffParams>,
+}): Promise<string> {
+  const initial = buildRedirectBackAwareHandlerUrl({
+    handlerName: options.handlerName,
+    rawHandlerUrl: options.rawHandlerUrl,
+    currentUrl: options.currentUrl,
+    crossDomainHandoffParams: null,
+    localOAuthCallbackUrl: options.localOAuthCallbackUrl,
+  });
+  if (options.handlerName === "signOut") {
+    return initial;
+  }
+
+  const initialTarget = new URL(initial, options.currentUrl);
+  const isCrossDomainHandlerRedirect = options.currentUrl.origin !== initialTarget.origin;
+  if (!isCrossDomainHandlerRedirect || hasCrossDomainHandoffParams(initialTarget)) {
+    return initial;
+  }
+
+  const crossDomainHandoffParams = await options.getCrossDomainHandoffParams(options.currentUrl);
+  return buildRedirectBackAwareHandlerUrl({
+    handlerName: options.handlerName,
+    rawHandlerUrl: options.rawHandlerUrl,
+    currentUrl: options.currentUrl,
+    crossDomainHandoffParams,
+    localOAuthCallbackUrl: options.localOAuthCallbackUrl,
+  });
+}
+
+export async function planRedirectToHandler(options: {
+  handlerName: keyof HandlerUrls,
+  rawHandlerUrl: string,
+  noRedirectBack: boolean,
+  currentUrl: URL | null,
+  localOAuthCallbackUrl: string,
+  getCrossDomainHandoffParams: (currentUrl: URL) => Promise<CrossDomainHandoffParams>,
+}): Promise<RedirectToHandlerPlan> {
+  if (options.noRedirectBack || options.currentUrl == null) {
+    return { type: "redirect", url: options.rawHandlerUrl };
+  }
+
+  const policy = getHandlerRedirectPolicy(options.handlerName);
+  if (policy === "none") {
+    return { type: "redirect", url: options.rawHandlerUrl };
+  }
+
+  if (policy === "after-auth-return") {
+    const redirectBackUrl = options.currentUrl.searchParams.get("after_auth_return_to");
+    if (redirectBackUrl == null) {
+      return { type: "redirect", url: options.rawHandlerUrl };
+    }
+    const redirectBackTarget = new URL(redirectBackUrl, options.currentUrl);
+    const crossDomainHandoff = getCrossDomainHandoffForRedirect({
+      currentUrl: options.currentUrl,
+      redirectBackTarget,
+    });
+    if (crossDomainHandoff == null) {
+      return { type: "redirect", url: redirectBackUrl };
+    }
+    let state = crossDomainHandoff.handoffParams.state;
+    let codeChallenge = crossDomainHandoff.handoffParams.codeChallenge;
+    let afterCallbackRedirectUrl = crossDomainHandoff.handoffParams.afterCallbackRedirectUrl;
+    if (state == null || codeChallenge == null) {
+      const generatedHandoffParams = await options.getCrossDomainHandoffParams(options.currentUrl);
+      state ??= generatedHandoffParams.state;
+      codeChallenge ??= generatedHandoffParams.codeChallenge;
+    }
+    afterCallbackRedirectUrl ??= options.currentUrl.toString();
+    return {
+      type: "cross-domain-authorize",
+      redirectUri: crossDomainHandoff.redirectBackTarget.toString(),
+      state,
+      codeChallenge,
+      afterCallbackRedirectUrl,
+    };
+  }
+
+  if (
+    options.handlerName !== "signIn"
+    && options.handlerName !== "signUp"
+    && options.handlerName !== "onboarding"
+    && options.handlerName !== "signOut"
+  ) {
+    throw new StackAssertionError("Unexpected redirect-back-aware handler policy mismatch", {
+      handlerName: options.handlerName,
+      policy,
+    });
+  }
+
+  return {
+    type: "redirect",
+    url: await resolveRedirectBackAwareHandlerUrlForRedirect({
+      handlerName: options.handlerName,
+      rawHandlerUrl: options.rawHandlerUrl,
+      currentUrl: options.currentUrl,
+      localOAuthCallbackUrl: options.localOAuthCallbackUrl,
+      getCrossDomainHandoffParams: options.getCrossDomainHandoffParams,
+    }),
+  };
+}
+
+function readCrossDomainHandoffParams(currentUrl: URL, redirectBackTarget: URL): CrossDomainHandoffParamsMaybeMissing {
+  const state = currentUrl.searchParams.get(crossDomainAuthQueryParams.state)
+    ?? redirectBackTarget.searchParams.get(crossDomainAuthQueryParams.state);
+  const codeChallenge = currentUrl.searchParams.get(crossDomainAuthQueryParams.codeChallenge)
+    ?? redirectBackTarget.searchParams.get(crossDomainAuthQueryParams.codeChallenge);
+  const afterCallbackRedirectUrl = currentUrl.searchParams.get(crossDomainAuthQueryParams.afterCallbackRedirectUrl)
+    ?? redirectBackTarget.searchParams.get(crossDomainAuthQueryParams.afterCallbackRedirectUrl);
+  return {
+    state,
+    codeChallenge,
+    afterCallbackRedirectUrl,
+  };
+}
+
+function resolveCrossDomainRedirectBackTarget(options: {
+  currentUrl: URL,
+  redirectBackTarget: URL,
+  handoffParams: CrossDomainHandoffParamsMaybeMissing,
+}): URL | null {
+  if (options.redirectBackTarget.origin !== options.currentUrl.origin) {
+    return options.redirectBackTarget;
+  }
+  if (
+    options.handoffParams.state == null
+    || options.handoffParams.codeChallenge == null
+    || options.handoffParams.afterCallbackRedirectUrl == null
+  ) {
+    return null;
+  }
+  const afterCallbackRedirectTarget = new URL(options.handoffParams.afterCallbackRedirectUrl, options.currentUrl);
+  if (afterCallbackRedirectTarget.origin === options.currentUrl.origin) {
+    return null;
+  }
+  return new URL(
+    `${options.redirectBackTarget.pathname}${options.redirectBackTarget.search}${options.redirectBackTarget.hash}`,
+    afterCallbackRedirectTarget.origin,
+  );
+}
+
+function getCrossDomainHandoffForRedirect(options: {
+  currentUrl: URL,
+  redirectBackTarget: URL,
+}): {
+  redirectBackTarget: URL,
+  handoffParams: CrossDomainHandoffParamsMaybeMissing,
+} | null {
+  const handoffParams = readCrossDomainHandoffParams(options.currentUrl, options.redirectBackTarget);
+  const crossDomainRedirectBackTarget = resolveCrossDomainRedirectBackTarget({
+    currentUrl: options.currentUrl,
+    redirectBackTarget: options.redirectBackTarget,
+    handoffParams,
+  });
+  if (crossDomainRedirectBackTarget == null) {
+    return null;
+  }
+  return {
+    redirectBackTarget: crossDomainRedirectBackTarget,
+    handoffParams,
+  };
+}
diff --git a/packages/template/src/lib/stack-app/apps/interfaces/client-app.ts b/packages/template/src/lib/stack-app/apps/interfaces/client-app.ts
index f317270807..462fcf354e 100644
--- a/packages/template/src/lib/stack-app/apps/interfaces/client-app.ts
+++ b/packages/template/src/lib/stack-app/apps/interfaces/client-app.ts
@@ -1,7 +1,7 @@
 import { KnownErrors } from "@stackframe/stack-shared";
 import { CurrentUserCrud } from "@stackframe/stack-shared/dist/interface/crud/current-user";
 import { Result } from "@stackframe/stack-shared/dist/utils/results";
-import { AsyncStoreProperty, AuthLike, GetCurrentPartialUserOptions, GetCurrentUserOptions, HandlerUrls, OAuthScopesOnSignIn, RedirectMethod, RedirectToOptions, TokenStoreInit, stackAppInternalsSymbol } from "../../common";
+import { AsyncStoreProperty, AuthLike, GetCurrentPartialUserOptions, GetCurrentUserOptions, HandlerUrlOptions, HandlerUrls, OAuthScopesOnSignIn, RedirectMethod, RedirectToOptions, ResolvedHandlerUrls, stackAppInternalsSymbol, TokenStoreInit } from "../../common";
 import { CustomerInvoicesList, CustomerInvoicesRequestOptions, CustomerProductsList, CustomerProductsRequestOptions, Item } from "../../customers";
 import { Project } from "../../projects";
 import { ProjectCurrentUser, SyncedPartialUser, TokenPartialUser } from "../../users";
@@ -13,7 +13,7 @@ export type StackClientAppConstructorOptions<HasTokenStore extends boolean, Proj
   extraRequestHeaders?: Record<string, string>,
   projectId?: ProjectId,
   publishableClientKey?: string,
-  urls?: Partial<HandlerUrls>,
+  urls?: HandlerUrlOptions,
   oauthScopesOnSignIn?: Partial<OAuthScopesOnSignIn>,
   tokenStore?: TokenStoreInit<HasTokenStore>,
   redirectMethod?: RedirectMethod,
@@ -52,7 +52,11 @@ export type StackClientApp<HasTokenStore extends boolean = boolean, ProjectId ex
      */
     readonly version: string,
 
-    readonly urls: Readonly<HandlerUrls>,
+    /**
+     * @deprecated `app.urls` is static and does not include runtime redirect-back parameters.
+     * For navigation, prefer `redirectToXyz()` methods (for example `redirectToSignIn()`).
+     */
+    readonly urls: Readonly<ResolvedHandlerUrls>,
 
     signInWithOAuth(provider: string, options?: { returnTo?: string }): Promise<void>,
     signInWithCredential(options: { email: string, password: string, noRedirect?: boolean }): Promise<Result<undefined, KnownErrors["EmailPasswordMismatch"] | KnownErrors["InvalidTotpCode"]>>,
diff --git a/packages/template/src/lib/stack-app/common.ts b/packages/template/src/lib/stack-app/common.ts
index 3de8179794..331db26ef6 100644
--- a/packages/template/src/lib/stack-app/common.ts
+++ b/packages/template/src/lib/stack-app/common.ts
@@ -85,26 +85,37 @@ export type TokenStoreInit<HasTokenStore extends boolean = boolean> =
   : HasTokenStore extends false ? null
   : TokenStoreInit<true> | TokenStoreInit<false>;
 
-export type HandlerUrls = {
-  handler: string,
-  signIn: string,
-  signUp: string,
-  afterSignIn: string,
-  afterSignUp: string,
-  signOut: string,
-  afterSignOut: string,
-  emailVerification: string,
-  passwordReset: string,
-  forgotPassword: string,
-  home: string,
-  oauthCallback: string,
-  magicLinkCallback: string,
-  accountSettings: string,
-  teamInvitation: string,
-  mfa: string,
-  error: string,
-  onboarding: string,
-}
+export type HandlerPageUrls = Record<
+  | "handler"
+  | "signIn"
+  | "signUp"
+  | "signOut"
+  | "emailVerification"
+  | "passwordReset"
+  | "forgotPassword"
+  | "oauthCallback"
+  | "magicLinkCallback"
+  | "accountSettings"
+  | "teamInvitation"
+  | "mfa"
+  | "error"
+  | "onboarding",
+  string | { type: "custom", url: string, version: number } | { type: "hosted" | "handler-component" }
+>;
+export type HandlerRedirectUrls = Record<
+  | "afterSignIn"
+  | "afterSignUp"
+  | "afterSignOut"
+  | "home",
+  string
+>;
+export type HandlerUrls = HandlerPageUrls & HandlerRedirectUrls;
+export type HandlerUrlTarget = HandlerUrls[keyof HandlerUrls];
+export type DefaultHandlerUrlTarget = string | { type: "hosted" | "handler-component" };
+export type HandlerUrlOptions = Partial<HandlerUrls> & { default?: DefaultHandlerUrlTarget };
+export type ResolvedHandlerUrls = {
+  [K in keyof HandlerUrls]: string;
+};
 
 export type OAuthScopesOnSignIn = {
   [key in ProviderType]: string[];
diff --git a/packages/template/src/lib/stack-app/index.ts b/packages/template/src/lib/stack-app/index.ts
index e09a9afc6f..f3aa76251e 100644
--- a/packages/template/src/lib/stack-app/index.ts
+++ b/packages/template/src/lib/stack-app/index.ts
@@ -9,7 +9,7 @@ export type {
   StackClientAppConstructorOptions,
   StackClientAppJson,
   StackServerAppConstructor,
-  StackServerAppConstructorOptions,
+  StackServerAppConstructorOptions
 } from "./apps";
 
 export type {
@@ -37,8 +37,8 @@ export type {
   GetCurrentUserOptions,
   /** @deprecated Use GetCurrentUserOptions instead */
   GetCurrentUserOptions as GetUserOptions,
-  HandlerUrls,
-  OAuthScopesOnSignIn
+  HandlerUrlOptions,
+  HandlerUrls, OAuthScopesOnSignIn, ResolvedHandlerUrls
 } from "./common";
 
 export type {
@@ -89,13 +89,10 @@ export type {
 } from "./projects";
 
 export type {
-  EditableTeamMemberProfile,
-  ServerListUsersOptions,
+  EditableTeamMemberProfile, ReceivedTeamInvitation,
+  SentTeamInvitation, ServerListUsersOptions,
   ServerTeam,
-  ServerTeamCreateOptions,
-  ReceivedTeamInvitation,
-  SentTeamInvitation,
-  ServerTeamMemberProfile,
+  ServerTeamCreateOptions, ServerTeamMemberProfile,
   ServerTeamUpdateOptions,
   ServerTeamUser,
   Team,
diff --git a/packages/template/src/lib/stack-app/url-targets.test.ts b/packages/template/src/lib/stack-app/url-targets.test.ts
new file mode 100644
index 0000000000..e9333c69a5
--- /dev/null
+++ b/packages/template/src/lib/stack-app/url-targets.test.ts
@@ -0,0 +1,114 @@
+import { afterEach, describe, expect, it, vi } from "vitest";
+import { resolveHandlerUrls, resolveUnknownHandlerPathFallbackUrl } from "./url-targets";
+
+describe("handler URL targets", () => {
+  afterEach(() => {
+    vi.unstubAllEnvs();
+  });
+
+  it("treats handler-component targets the same as omitted values", () => {
+    const urls = resolveHandlerUrls({
+      projectId: "project-id",
+      urls: {
+        handler: "/custom-handler",
+        signIn: { type: "handler-component" },
+      },
+    });
+
+    expect(urls.signIn).toBe("/custom-handler/sign-in");
+  });
+
+  it("treats custom v0 page targets like legacy string targets", () => {
+    const urls = resolveHandlerUrls({
+      projectId: "project-id",
+      urls: {
+        handler: "/custom-handler",
+        signIn: { type: "handler-component" },
+        signUp: { type: "custom", url: "/sign-up-explicit", version: 0 },
+      },
+    });
+
+    expect(urls.signIn).toBe("/custom-handler/sign-in");
+    expect(urls.signUp).toBe("/sign-up-explicit");
+  });
+
+  it("throws on v0 custom target for handler page", () => {
+    expect(() => resolveHandlerUrls({
+      projectId: "project-id",
+      urls: {
+        handler: { type: "custom", url: "/custom-handler", version: 0 },
+      },
+    })).toThrowError(/cannot be a custom page/);
+  });
+
+  it("throws on unsupported non-zero custom target versions", () => {
+    expect(() => resolveHandlerUrls({
+      projectId: "project-id",
+      urls: {
+        signIn: { type: "custom", url: "/custom-sign-in", version: 1 },
+      },
+    })).toThrowError(/Unsupported custom page version/);
+  });
+
+  it("throws on non-zero custom version for handler page", () => {
+    expect(() => resolveHandlerUrls({
+      projectId: "project-id",
+      urls: {
+        handler: { type: "custom", url: "/custom-handler", version: 1 },
+      },
+    })).toThrowError(/cannot be a custom page/);
+  });
+
+  it("uses hosted defaults for unspecified URLs", () => {
+    vi.stubEnv("NEXT_PUBLIC_STACK_HOSTED_HANDLER_DOMAIN_SUFFIX", ".example-stack-hosted.test");
+
+    const urls = resolveHandlerUrls({
+      projectId: "project-id",
+      urls: {
+        signUp: "/sign-up",
+        default: { type: "hosted" },
+      },
+    });
+
+    expect(urls.signUp).toBe("/sign-up");
+    expect(urls.signIn).toBe("https://project-id.example-stack-hosted.test/handler/sign-in");
+  });
+
+  it("uses default target for unknown /handler/* pages", () => {
+    vi.stubEnv("NEXT_PUBLIC_STACK_HOSTED_HANDLER_DOMAIN_SUFFIX", ".example-stack-hosted.test");
+
+    const url = resolveUnknownHandlerPathFallbackUrl({
+      defaultTarget: { type: "hosted" },
+      projectId: "project-id",
+      unknownPath: "custom-page",
+    });
+
+    expect(url).toBe("https://project-id.example-stack-hosted.test/handler/custom-page");
+  });
+
+  it("uses the full hosted handler URL template when configured", () => {
+    vi.stubEnv("NEXT_PUBLIC_STACK_HOSTED_HANDLER_URL_TEMPLATE", "http://localhost:${NEXT_PUBLIC_STACK_PORT_PREFIX:-81}09/{projectId}/{hostedPath}");
+    vi.stubEnv("NEXT_PUBLIC_STACK_PORT_PREFIX", "93");
+
+    const urls = resolveHandlerUrls({
+      projectId: "project-id",
+      urls: {
+        default: { type: "hosted" },
+      },
+    });
+
+    expect(urls.signIn).toBe("http://localhost:9309/project-id/handler/sign-in");
+    expect(urls.accountSettings).toBe("http://localhost:9309/project-id/handler/account-settings");
+  });
+
+  it("validates the hosted handler URL template placeholders", () => {
+    vi.stubEnv("NEXT_PUBLIC_STACK_HOSTED_HANDLER_URL_TEMPLATE", "http://localhost:9309/{projectId}/handler");
+
+    expect(() => resolveHandlerUrls({
+      projectId: "project-id",
+      urls: {
+        default: { type: "hosted" },
+      },
+    })).toThrowError(/\{projectId\} and \{hostedPath\}/);
+  });
+});
diff --git a/packages/template/src/lib/stack-app/url-targets.ts b/packages/template/src/lib/stack-app/url-targets.ts
new file mode 100644
index 0000000000..8e5394fcc0
--- /dev/null
+++ b/packages/template/src/lib/stack-app/url-targets.ts
@@ -0,0 +1,410 @@
+import { StackAssertionError } from "@stackframe/stack-shared/dist/utils/errors";
+import { deindent } from "@stackframe/stack-shared/dist/utils/strings";
+import { envVars } from "../env";
+import { DefaultHandlerUrlTarget, HandlerPageUrls, HandlerUrlOptions, HandlerUrlTarget, HandlerUrls, ResolvedHandlerUrls } from "./common";
+
+const defaultHostedHandlerDomainSuffix = ".built-with-stack-auth.com";
+const hostedHandlerProjectIdPlaceholder = "{projectId}";
+const hostedHandlerPathPlaceholder = "{hostedPath}";
+
+type CustomPagePrompt = {
+  title: string,
+  fullPrompt: string,
+  versions: Record<number, {
+    minSdkVersion: `${number}.${number}.${number}`,
+    upgradePrompt: string,
+  }>,
+};
+
+const customPagePrompts: Record<keyof Omit<HandlerPageUrls, "handler">, CustomPagePrompt> = {
+  signIn: {
+    title: "Sign In",
+    fullPrompt: deindent``,
+    versions: {},
+  },
+  signUp: {
+    title: "Sign Up",
+    fullPrompt: deindent``,
+    versions: {},
+  },
+  signOut: {
+    title: "Sign Out",
+    fullPrompt: deindent``,
+    versions: {},
+  },
+  emailVerification: {
+    title: "Email Verification",
+    fullPrompt: deindent``,
+    versions: {},
+  },
+  passwordReset: {
+    title: "Password Reset",
+    fullPrompt: deindent``,
+    versions: {},
+  },
+  forgotPassword: {
+    title: "Forgot Password",
+    fullPrompt: deindent``,
+    versions: {},
+  },
+  oauthCallback: {
+    title: "OAuth Callback",
+    fullPrompt: deindent``,
+    versions: {},
+  },
+  magicLinkCallback: {
+    title: "Magic Link Callback",
+    fullPrompt: deindent``,
+    versions: {},
+  },
+  accountSettings: {
+    title: "Account Settings",
+    fullPrompt: deindent``,
+    versions: {},
+  },
+  teamInvitation: {
+    title: "Team Invitation",
+    fullPrompt: deindent``,
+    versions: {},
+  },
+  mfa: {
+    title: "MFA",
+    fullPrompt: deindent``,
+    versions: {},
+  },
+  error: {
+    title: "Error",
+    fullPrompt: deindent``,
+    versions: {},
+  },
+  onboarding: {
+    title: "Onboarding",
+    fullPrompt: deindent``,
+    versions: {},
+  },
+};
+
+const replaceStackPortPrefix = <T extends string | undefined>(input: T): T => {
+  if (!input) return input;
+  const prefix = envVars.NEXT_PUBLIC_STACK_PORT_PREFIX;
+  return prefix ? input.replace(/\$\{NEXT_PUBLIC_STACK_PORT_PREFIX:-81\}/g, prefix) as T : input;
+};
+
+const joinHandlerComponentPath = (basePath: string, pagePath: string): string => {
+  const normalizedBasePath = basePath.endsWith("/") && basePath.length > 1
+    ? basePath.slice(0, -1)
+    : basePath;
+  if (pagePath.length === 0) {
+    return normalizedBasePath;
+  }
+  if (normalizedBasePath === "/") {
+    return `/${pagePath}`;
+  }
+  return `${normalizedBasePath}/${pagePath}`;
+};
+
+const getHostedPagePathForHandlerName = (handlerName: keyof HandlerUrls): string => {
+  switch (handlerName) {
+    case "handler": {
+      return "";
+    }
+    case "home": {
+      return "";
+    }
+    case "afterSignIn": {
+      return "";
+    }
+    case "afterSignUp": {
+      return "";
+    }
+    case "afterSignOut": {
+      return "";
+    }
+    case "signIn": {
+      return "sign-in";
+    }
+    case "signUp": {
+      return "sign-up";
+    }
+    case "signOut": {
+      return "sign-out";
+    }
+    case "emailVerification": {
+      return "email-verification";
+    }
+    case "passwordReset": {
+      return "password-reset";
+    }
+    case "forgotPassword": {
+      return "forgot-password";
+    }
+    case "oauthCallback": {
+      return "oauth-callback";
+    }
+    case "magicLinkCallback": {
+      return "magic-link-callback";
+    }
+    case "accountSettings": {
+      return "account-settings";
+    }
+    case "teamInvitation": {
+      return "team-invitation";
+    }
+    case "mfa": {
+      return "mfa";
+    }
+    case "error": {
+      return "error";
+    }
+    case "onboarding": {
+      return "onboarding";
+    }
+  }
+};
+
+export const getHostedHandlerDomainSuffix = (): string => {
+  const configuredValue = envVars.NEXT_PUBLIC_STACK_HOSTED_HANDLER_DOMAIN_SUFFIX
+    ?? defaultHostedHandlerDomainSuffix;
+  const domainSuffix = replaceStackPortPrefix(configuredValue);
+  if (!domainSuffix.startsWith(".")) {
+    throw new StackAssertionError("The hosted handler domain suffix must start with a dot.", {
+      domainSuffix,
+      hint: "Set NEXT_PUBLIC_STACK_HOSTED_HANDLER_DOMAIN_SUFFIX to a value like '.built-with-stack-auth.com'.",
+    });
+  }
+  return domainSuffix;
+};
+
+const getHostedHandlerUrlTemplate = (): string => {
+  const configuredTemplate = replaceStackPortPrefix(envVars.NEXT_PUBLIC_STACK_HOSTED_HANDLER_URL_TEMPLATE);
+  if (configuredTemplate != null) {
+    if (!configuredTemplate.includes(hostedHandlerProjectIdPlaceholder) || !configuredTemplate.includes(hostedHandlerPathPlaceholder)) {
+      throw new StackAssertionError("The hosted handler URL template must contain {projectId} and {hostedPath}.", {
+        hostedHandlerUrlTemplate: configuredTemplate,
+        hint: "Set NEXT_PUBLIC_STACK_HOSTED_HANDLER_URL_TEMPLATE to a value like 'https://{projectId}.built-with-stack-auth.com/{hostedPath}'.",
+      });
+    }
+    return configuredTemplate;
+  }
+  return `https://${hostedHandlerProjectIdPlaceholder}${getHostedHandlerDomainSuffix()}/${hostedHandlerPathPlaceholder}`;
+};
+
+const resolveCustomTargetUrl = (options: {
+  target: { type: "custom", url: string, version: number },
+  handlerName: keyof HandlerUrls,
+}): string => {
+  const handlerName = options.handlerName;
+  if (handlerName in customPagePrompts) {
+    const customPagePrompt = customPagePrompts[handlerName as keyof typeof customPagePrompts];
+    if (options.target.version === 0 || options.target.version in customPagePrompt.versions) {
+      return options.target.url;
+    }
+
+    throw new Error(`Unsupported custom page version ${options.target.version} for ${options.handlerName} page at ${options.target.url}. The latest supported version of this page is ${Math.max(0, ...Object.keys(customPagePrompt.versions).map(Number))}. Please upgrade your Stack Auth SDK to a version that supports this version.`);
+  } else {
+    throw new Error(`URL target ${options.handlerName} cannot be a custom page. Please specify the URL as a string instead.`);
+  }
+};
+
+export const getHostedHandlerUrl = (options: { projectId: string, pagePath: string }): string => {
+  const normalizedPagePath = options.pagePath.replace(/^\/+/, "");
+  const hostedPath = normalizedPagePath.length > 0 ? `handler/${normalizedPagePath}` : "handler";
+  const template = getHostedHandlerUrlTemplate();
+  const templateFilled = template
+    .replaceAll(hostedHandlerProjectIdPlaceholder, options.projectId)
+    .replaceAll(hostedHandlerPathPlaceholder, hostedPath);
+  return new URL(templateFilled).toString();
+};
+
+const resolveUrlTarget = (options: {
+  target: HandlerUrlTarget,
+  fallbackPath: string,
+  handlerName: keyof HandlerUrls,
+  projectId: string,
+}): string => {
+  if (typeof options.target === "string") {
+    return options.target;
+  }
+
+  switch (options.target.type) {
+    case "handler-component": {
+      return options.fallbackPath;
+    }
+    case "hosted": {
+      return getHostedHandlerUrl({
+        projectId: options.projectId,
+        pagePath: getHostedPagePathForHandlerName(options.handlerName),
+      });
+    }
+    case "custom": {
+      return resolveCustomTargetUrl({
+        target: options.target,
+        handlerName: options.handlerName,
+      });
+    }
+  }
+};
+
+export const resolveHandlerUrls = (options: { urls: HandlerUrlOptions | undefined, projectId: string }): ResolvedHandlerUrls => {
+  const configuredUrls = options.urls;
+  const defaultTarget: HandlerUrlTarget = configuredUrls?.default ?? { type: "handler-component" };
+  let handlerComponentBasePath = "/handler";
+  if (typeof configuredUrls?.handler === "string") {
+    handlerComponentBasePath = configuredUrls.handler;
+  } else if (configuredUrls?.handler != null && configuredUrls.handler.type === "custom") {
+    handlerComponentBasePath = resolveCustomTargetUrl({
+      target: configuredUrls.handler,
+      handlerName: "handler",
+    });
+  }
+
+  const home = resolveUrlTarget({
+    target: configuredUrls?.home ?? defaultTarget,
+    fallbackPath: "/",
+    handlerName: "home",
+    projectId: options.projectId,
+  });
+  const afterSignIn = resolveUrlTarget({
+    target: configuredUrls?.afterSignIn ?? defaultTarget,
+    fallbackPath: home,
+    handlerName: "afterSignIn",
+    projectId: options.projectId,
+  });
+
+  return {
+    handler: resolveUrlTarget({
+      target: configuredUrls?.handler ?? defaultTarget,
+      fallbackPath: handlerComponentBasePath,
+      handlerName: "handler",
+      projectId: options.projectId,
+    }),
+    signIn: resolveUrlTarget({
+      target: configuredUrls?.signIn ?? defaultTarget,
+      fallbackPath: joinHandlerComponentPath(handlerComponentBasePath, "sign-in"),
+      handlerName: "signIn",
+      projectId: options.projectId,
+    }),
+    signUp: resolveUrlTarget({
+      target: configuredUrls?.signUp ?? defaultTarget,
+      fallbackPath: joinHandlerComponentPath(handlerComponentBasePath, "sign-up"),
+      handlerName: "signUp",
+      projectId: options.projectId,
+    }),
+    afterSignIn,
+    afterSignUp: resolveUrlTarget({
+      target: configuredUrls?.afterSignUp ?? defaultTarget,
+      fallbackPath: afterSignIn,
+      handlerName: "afterSignUp",
+      projectId: options.projectId,
+    }),
+    signOut: resolveUrlTarget({
+      target: configuredUrls?.signOut ?? defaultTarget,
+      fallbackPath: joinHandlerComponentPath(handlerComponentBasePath, "sign-out"),
+      handlerName: "signOut",
+      projectId: options.projectId,
+    }),
+    afterSignOut: resolveUrlTarget({
+      target: configuredUrls?.afterSignOut ?? defaultTarget,
+      fallbackPath: home,
+      handlerName: "afterSignOut",
+      projectId: options.projectId,
+    }),
+    emailVerification: resolveUrlTarget({
+      target: configuredUrls?.emailVerification ?? defaultTarget,
+      fallbackPath: joinHandlerComponentPath(handlerComponentBasePath, "email-verification"),
+      handlerName: "emailVerification",
+      projectId: options.projectId,
+    }),
+    passwordReset: resolveUrlTarget({
+      target: configuredUrls?.passwordReset ?? defaultTarget,
+      fallbackPath: joinHandlerComponentPath(handlerComponentBasePath, "password-reset"),
+      handlerName: "passwordReset",
+      projectId: options.projectId,
+    }),
+    forgotPassword: resolveUrlTarget({
+      target: configuredUrls?.forgotPassword ?? defaultTarget,
+      fallbackPath: joinHandlerComponentPath(handlerComponentBasePath, "forgot-password"),
+      handlerName: "forgotPassword",
+      projectId: options.projectId,
+    }),
+    home,
+    oauthCallback: resolveUrlTarget({
+      target: configuredUrls?.oauthCallback ?? defaultTarget,
+      fallbackPath: joinHandlerComponentPath(handlerComponentBasePath, "oauth-callback"),
+      handlerName: "oauthCallback",
+      projectId: options.projectId,
+    }),
+    magicLinkCallback: resolveUrlTarget({
+      target: configuredUrls?.magicLinkCallback ?? defaultTarget,
+      fallbackPath: joinHandlerComponentPath(handlerComponentBasePath, "magic-link-callback"),
+      handlerName: "magicLinkCallback",
+      projectId: options.projectId,
+    }),
+    accountSettings: resolveUrlTarget({
+      target: configuredUrls?.accountSettings ?? defaultTarget,
+      fallbackPath: joinHandlerComponentPath(handlerComponentBasePath, "account-settings"),
+      handlerName: "accountSettings",
+      projectId: options.projectId,
+    }),
+    teamInvitation: resolveUrlTarget({
+      target: configuredUrls?.teamInvitation ?? defaultTarget,
+      fallbackPath: joinHandlerComponentPath(handlerComponentBasePath, "team-invitation"),
+      handlerName: "teamInvitation",
+      projectId: options.projectId,
+    }),
+    mfa: resolveUrlTarget({
+      target: configuredUrls?.mfa ?? defaultTarget,
+      fallbackPath: joinHandlerComponentPath(handlerComponentBasePath, "mfa"),
+      handlerName: "mfa",
+      projectId: options.projectId,
+    }),
+    error: resolveUrlTarget({
+      target: configuredUrls?.error ?? defaultTarget,
+      fallbackPath: joinHandlerComponentPath(handlerComponentBasePath, "error"),
+      handlerName: "error",
+      projectId: options.projectId,
+    }),
+    onboarding: resolveUrlTarget({
+      target: configuredUrls?.onboarding ?? defaultTarget,
+      fallbackPath: joinHandlerComponentPath(handlerComponentBasePath, "onboarding"),
+      handlerName: "onboarding",
+      projectId: options.projectId,
+    }),
+  };
+};
+
+export const resolveUnknownHandlerPathFallbackUrl = (options: {
+  defaultTarget: DefaultHandlerUrlTarget | undefined,
+  projectId: string,
+  unknownPath: string,
+}): string | null => {
+  const defaultTarget = options.defaultTarget ?? { type: "handler-component" } satisfies HandlerUrlTarget;
+  if (typeof defaultTarget === "string") {
+    return defaultTarget;
+  }
+
+  switch (defaultTarget.type) {
+    case "handler-component": {
+      return null;
+    }
+    case "hosted": {
+      return getHostedHandlerUrl({
+        projectId: options.projectId,
+        pagePath: options.unknownPath,
+      });
+    }
+  }
+};
+
+export const isHostedHandlerUrlForProject = (options: { url: string, projectId: string }): boolean => {
+  let parsedUrl: URL;
+  try {
+    parsedUrl = new URL(options.url);
+  } catch {
+    return false;
+  }
+
+  const hostedBaseUrl = new URL(getHostedHandlerUrl({ projectId: options.projectId, pagePath: "" }));
+  return parsedUrl.origin === hostedBaseUrl.origin
+    && (parsedUrl.pathname === hostedBaseUrl.pathname || parsedUrl.pathname.startsWith(`${hostedBaseUrl.pathname}/`));
+};
diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml
index 026e8f0a38..8b1bac5290 100644
--- a/pnpm-lock.yaml
+++ b/pnpm-lock.yaml
@@ -737,7 +737,7 @@ importers:
         version: 1.166.6(crossws@0.4.4(srvx@0.8.16))
       nitro:
         specifier: ^3.0.0
-        version: 3.0.0(@electric-sql/pglite@0.3.2)(chokidar@4.0.3)(lru-cache@11.2.2)(mysql2@3.15.3)(vite@7.3.1(@types/node@22.19.0)(jiti@2.6.1)(lightningcss@1.30.1)(terser@5.44.0)(tsx@4.21.0)(yaml@2.8.0))
+        version: 3.0.0(@electric-sql/pglite@0.3.2)(chokidar@4.0.3)(lru-cache@11.2.2)(mysql2@3.15.3)(rolldown@1.0.0-rc.3)(vite@7.3.1(@types/node@22.19.0)(jiti@2.6.1)(lightningcss@1.30.1)(terser@5.44.0)(tsx@4.21.0)(yaml@2.8.0))
       react:
         specifier: 19.2.1
         version: 19.2.1
@@ -1699,12 +1699,6 @@ importers:
         specifier: ^0.20.3
         version: 0.20.3(typescript@5.9.3)
 
-  packages/private:
-    devDependencies:
-      rimraf:
-        specifier: ^6.1.2
-        version: 6.1.2
-
   packages/react:
     dependencies:
       '@hookform/resolvers':
@@ -29137,7 +29131,7 @@ snapshots:
       eslint: 8.57.1
       eslint-import-resolver-node: 0.3.9
       eslint-import-resolver-typescript: 3.6.3(@typescript-eslint/parser@8.56.1(eslint@8.57.1)(typescript@5.9.3))(eslint-import-resolver-node@0.3.9)(eslint-plugin-import@2.31.0)(eslint@8.57.1)
-      eslint-plugin-import: 2.31.0(@typescript-eslint/parser@8.56.1(eslint@8.57.1)(typescript@5.9.3))(eslint@8.57.1)
+      eslint-plugin-import: 2.31.0(@typescript-eslint/parser@8.56.1(eslint@8.57.1)(typescript@5.9.3))(eslint-import-resolver-typescript@3.6.3)(eslint@8.57.1)
       eslint-plugin-jsx-a11y: 6.10.2(eslint@8.57.1)
       eslint-plugin-react: 7.37.2(eslint@8.57.1)
       eslint-plugin-react-hooks: 5.1.0(eslint@8.57.1)
@@ -32518,7 +32512,7 @@ snapshots:
 
   nice-try@1.0.5: {}
 
-  nitro@3.0.0(@electric-sql/pglite@0.3.2)(chokidar@4.0.3)(lru-cache@11.2.2)(mysql2@3.15.3)(vite@7.3.1(@types/node@22.19.0)(jiti@2.6.1)(lightningcss@1.30.1)(terser@5.44.0)(tsx@4.21.0)(yaml@2.8.0)):
+  nitro@3.0.0(@electric-sql/pglite@0.3.2)(chokidar@4.0.3)(lru-cache@11.2.2)(mysql2@3.15.3)(rolldown@1.0.0-rc.3)(vite@7.3.1(@types/node@22.19.0)(jiti@2.6.1)(lightningcss@1.30.1)(terser@5.44.0)(tsx@4.21.0)(yaml@2.8.0)):
     dependencies:
       consola: 3.4.2
       cookie-es: 2.0.0
@@ -32538,6 +32532,7 @@ snapshots:
       unenv: 2.0.0-rc.21
       unstorage: 2.0.0-alpha.3(chokidar@4.0.3)(db0@0.3.4(@electric-sql/pglite@0.3.2)(mysql2@3.15.3))(lru-cache@11.2.2)(ofetch@1.5.1)
     optionalDependencies:
+      rolldown: 1.0.0-rc.3
       vite: 7.3.1(@types/node@22.19.0)(jiti@2.6.1)(lightningcss@1.30.1)(terser@5.44.0)(tsx@4.21.0)(yaml@2.8.0)
     transitivePeerDependencies:
       - '@azure/app-configuration'