diff --git a/internal/ui/handlers_auth.go b/internal/ui/handlers_auth.go
index 5c33bb9..bada966 100644
--- a/internal/ui/handlers_auth.go
+++ b/internal/ui/handlers_auth.go
@@ -211,6 +211,14 @@ func (u *UIServer) finishLogin(w http.ResponseWriter, r *http.Request, acct *mod
 	// SSO redirect flow: issue authorization code and redirect to service.
 	if ssoNonce != "" {
 		if callbackURL, ok := u.buildSSOCallback(r, ssoNonce, acct.ID); ok {
+			// Security: htmx follows 302 redirects via fetch, which fails
+			// cross-origin (no CORS on the service callback). Use HX-Redirect
+			// so htmx performs a full page navigation instead.
+			if isHTMX(r) {
+				w.Header().Set("HX-Redirect", callbackURL)
+				w.WriteHeader(http.StatusOK)
+				return
+			}
 			http.Redirect(w, r, callbackURL, http.StatusFound)
 			return
 		}