From 52102ed8abc9f72a33ba284904e71f269422ea12 Mon Sep 17 00:00:00 2001
From: JustinMissmahl <github@emeruslabs.com~>
Date: Sat, 11 Apr 2026 22:22:21 +0200
Subject: [PATCH 1/6] self_host1

---
 .env.selfhost.example                         |  44 +++++++
 .gitignore                                    |   1 +
 README.md                                     |  29 ++++-
 apps/api/src/index.ts                         |   8 +-
 apps/api/src/lib/cors-origins.ts              |  39 ++++++
 apps/api/src/routes/public/index.ts           |   3 +-
 apps/api/src/routes/webhooks/autumn.ts        |  20 ++-
 .../src/lib/request-validation-logic.test.ts  |  30 +++++
 apps/basket/src/lib/request-validation.ts     |   9 +-
 .../dashboard/app/(dby)/dby/l/[slug]/page.tsx |   3 +-
 .../(main)/billing/utils/stripe-metadata.ts   |  10 +-
 .../app/(main)/home/hooks/use-pulse-status.ts |   9 +-
 apps/dashboard/app/(main)/monitors/page.tsx   |  11 +-
 .../_components/step-create-website.tsx       |   7 +-
 .../_components/step-install-tracking.tsx     |  30 +++--
 .../_components/step-invite-team.tsx          |   5 +-
 .../notifications/_components/alarm-sheet.tsx |   7 +-
 .../(main)/settings/notifications/page.tsx    |   8 +-
 .../[id]/_components/utils/code-generators.ts |  33 +++--
 apps/dashboard/app/databuddy.js/route.ts      |  15 +++
 apps/dashboard/app/errors.js/route.ts         |  15 +++
 apps/dashboard/app/layout.tsx                 |  16 +--
 apps/dashboard/app/providers.tsx              |   7 +-
 apps/dashboard/app/sitemap.ts                 |   6 +-
 apps/dashboard/app/vitals.js/route.ts         |  15 +++
 .../providers/organizations-provider.tsx      |  55 ++++++++-
 apps/dashboard/components/website-dialog.tsx  |   7 +-
 apps/dashboard/hooks/use-links.ts             |  34 ++++--
 apps/dashboard/hooks/use-monitors.ts          |  12 +-
 apps/dashboard/hooks/use-websites.ts          |  46 +++++--
 apps/dashboard/lib/tracker-script.ts          |  69 +++++++++++
 apps/dashboard/next.config.ts                 |  31 ++++-
 apps/dashboard/proxy.ts                       |   2 +-
 apps/links/src/index.ts                       |   5 +-
 apps/links/src/routes/redirect.ts             |  10 +-
 apps/uptime/src/uptime-transition-emails.ts   |   5 +-
 dashboard.Dockerfile                          |  60 +++++++++
 docker-compose.selfhost.yml                   | 115 +++++++++++++++++-
 packages/auth/src/auth.ts                     |  88 ++++++++++++--
 packages/db/package.json                      |   2 +-
 packages/env/src/base.ts                      |   1 +
 packages/redis/redis.ts                       |  12 +-
 packages/rpc/src/orpc.ts                      |   3 +-
 packages/shared/package.json                  |   1 +
 packages/shared/src/utils/index.ts            |   1 +
 packages/shared/src/utils/origins.ts          |  87 +++++++++++++
 turbo.json                                    |   1 +
 47 files changed, 910 insertions(+), 117 deletions(-)
 create mode 100644 .env.selfhost.example
 create mode 100644 apps/api/src/lib/cors-origins.ts
 create mode 100644 apps/dashboard/app/databuddy.js/route.ts
 create mode 100644 apps/dashboard/app/errors.js/route.ts
 create mode 100644 apps/dashboard/app/vitals.js/route.ts
 create mode 100644 apps/dashboard/lib/tracker-script.ts
 create mode 100644 dashboard.Dockerfile
 create mode 100644 packages/shared/src/utils/origins.ts

diff --git a/.env.selfhost.example b/.env.selfhost.example
new file mode 100644
index 000000000..457e39f5f
--- /dev/null
+++ b/.env.selfhost.example
@@ -0,0 +1,44 @@
+BETTER_AUTH_SECRET=""
+POSTGRES_PASSWORD=""
+CLICKHOUSE_PASSWORD=""
+REDIS_PASSWORD=""
+DATABASE_URL="postgres://databuddy:<POSTGRES_PASSWORD>@postgres:5432/databuddy"
+REDIS_URL="redis://:<REDIS_PASSWORD>@redis:6379"
+CLICKHOUSE_URL="http://default:<CLICKHOUSE_PASSWORD>@clickhouse:8123"
+GITHUB_CLIENT_ID=""
+GITHUB_CLIENT_SECRET=""
+GOOGLE_CLIENT_ID=""
+GOOGLE_CLIENT_SECRET=""
+RESEND_API_KEY=""
+
+POSTGRES_DB=databuddy
+POSTGRES_USER=databuddy
+POSTGRES_PORT=5432
+
+CLICKHOUSE_DB=databuddy_analytics
+CLICKHOUSE_USER=default
+CLICKHOUSE_PORT=8123
+
+REDIS_PORT=6379
+
+BETTER_AUTH_URL=http://localhost:3100
+DASHBOARD_URL=http://localhost:3100
+NEXT_PUBLIC_API_URL=http://localhost:3001
+NEXT_PUBLIC_APP_URL=http://localhost:3100
+NEXT_PUBLIC_BASKET_URL=http://localhost:4000
+NEXT_PUBLIC_SCRIPT_URL=http://localhost:3100/databuddy.js
+NEXT_PUBLIC_BETTER_AUTH_URL=http://localhost:3100
+AUTH_TRUSTED_ORIGINS=http://localhost:3100,http://localhost:3000,http://localhost:3001
+CLIENT_APP_ALLOWED_ORIGINS=
+AUTH_COOKIE_DOMAIN=
+APP_URL=http://localhost:3100
+
+DASHBOARD_PORT=3100
+API_PORT=3001
+BASKET_PORT=4000
+LINKS_PORT=2500
+
+AI_API_KEY=placeholder
+LINKS_ROOT_REDIRECT_URL=http://localhost:3100
+IMAGE_TAG=edge
+NODE_ENV=production
diff --git a/.gitignore b/.gitignore
index 6746e7bf3..c246395f2 100644
--- a/.gitignore
+++ b/.gitignore
@@ -9,6 +9,7 @@ admin
 
 # Local env files
 .env
+.env.prod
 .mcp.json
 .env.local
 .env.development.local
diff --git a/README.md b/README.md
index fc27674b5..1bcdefe7a 100644
--- a/README.md
+++ b/README.md
@@ -93,6 +93,33 @@ Services started:
 
 All ports are configurable via env vars (`API_PORT`, `BASKET_PORT`, etc.). See the compose file comments for the full env var reference.
 
+### Troubleshooting
+
+If the `init` job fails and Postgres logs show `password authentication failed for user "databuddy"`, the Postgres volume was likely initialized with an older password.
+
+Changing `POSTGRES_PASSWORD` or `DATABASE_URL` in your environment does not update the password stored inside an existing Postgres data volume.
+
+To keep the existing data, update the password inside the running Postgres container to match your current environment and redeploy:
+
+```bash
+docker exec -it databuddy-postgres psql -U databuddy -d databuddy
+```
+
+Then inside `psql`:
+
+```sql
+ALTER USER databuddy WITH PASSWORD 'your-current-postgres-password';
+```
+
+Make sure the password in `DATABASE_URL` matches the same value.
+
+If you do not need to preserve the database, remove the existing volume and start fresh so Postgres initializes with the current environment values:
+
+```bash
+docker compose -f docker-compose.selfhost.yml down -v
+docker compose -f docker-compose.selfhost.yml up -d
+```
+
 ## 🤝 Contributing
 
 See [CONTRIBUTING.md](CONTRIBUTING.md) for guidelines.
@@ -137,4 +164,4 @@ See [SECURITY.md](SECURITY.md) for reporting vulnerabilities.
 
 This project is licensed under the GNU Affero General Public License v3.0 (AGPL-3.0). See the [LICENSE](LICENSE) file for details.
 
-Copyright (c) 2025 Databuddy Analytics, Inc.
+Copyright (c) 2025 Databuddy Analytics, Inc.
\ No newline at end of file
diff --git a/apps/api/src/index.ts b/apps/api/src/index.ts
index 0b38f15d3..bf97e408f 100644
--- a/apps/api/src/index.ts
+++ b/apps/api/src/index.ts
@@ -19,6 +19,7 @@ import { initLogger, log, parseError } from "evlog";
 import { evlog, useLogger } from "evlog/elysia";
 import { applyAuthWideEvent } from "@/lib/auth-wide-event";
 import { AUTUMN_API_PREFIX, withAutumnApiPath } from "@/lib/autumn-mount";
+import { getAllowedCorsOrigins } from "@/lib/cors-origins";
 import {
 	apiLoggerDrain,
 	enrichApiWideEvent,
@@ -260,12 +261,7 @@ const app = new Elysia({ precompile: true })
 	.use(
 		cors({
 			credentials: true,
-			origin: [
-				/(?:^|\.)databuddy\.cc$/,
-				...(process.env.NODE_ENV === "development"
-					? ["http://localhost:3000"]
-					: []),
-			],
+			origin: getAllowedCorsOrigins(),
 		})
 	)
 	.use(publicApi)
diff --git a/apps/api/src/lib/cors-origins.ts b/apps/api/src/lib/cors-origins.ts
new file mode 100644
index 000000000..89415f17b
--- /dev/null
+++ b/apps/api/src/lib/cors-origins.ts
@@ -0,0 +1,39 @@
+import {
+	getClientAppAllowedOrigins,
+	normalizeOrigin,
+} from "@databuddy/shared/utils/origins";
+
+const DATABUDDY_DOMAIN_REGEX = /(?:^|\.)databuddy\.cc$/;
+
+export function getAllowedCorsOrigins(): Array<string | RegExp> {
+	const defaults = [
+		process.env.BETTER_AUTH_URL,
+		process.env.NEXT_PUBLIC_APP_URL,
+		process.env.NEXT_PUBLIC_API_URL,
+		process.env.DASHBOARD_URL,
+		process.env.APP_URL,
+		process.env.NODE_ENV === "development"
+			? "http://localhost:3000"
+			: undefined,
+		process.env.NODE_ENV === "development"
+			? "http://localhost:3100"
+			: undefined,
+		process.env.NODE_ENV === "development"
+			? "http://localhost:3001"
+			: undefined,
+	]
+		.filter((value): value is string => Boolean(value))
+		.map((value) => normalizeOrigin(value))
+		.filter((value): value is string => Boolean(value));
+
+	const extraOrigins = getClientAppAllowedOrigins();
+	const authTrustedOrigins = (process.env.AUTH_TRUSTED_ORIGINS ?? "")
+		.split(",")
+		.map((origin) => normalizeOrigin(origin))
+		.filter((origin): origin is string => Boolean(origin));
+
+	return [
+		DATABUDDY_DOMAIN_REGEX,
+		...new Set([...defaults, ...authTrustedOrigins, ...extraOrigins]),
+	];
+}
diff --git a/apps/api/src/routes/public/index.ts b/apps/api/src/routes/public/index.ts
index b56972b15..795d72fde 100644
--- a/apps/api/src/routes/public/index.ts
+++ b/apps/api/src/routes/public/index.ts
@@ -2,6 +2,7 @@ import cors from "@elysiajs/cors";
 import { serverTiming } from "@elysiajs/server-timing";
 import { Elysia } from "elysia";
 import { parseError } from "evlog";
+import { getAllowedCorsOrigins } from "@/lib/cors-origins";
 import { captureError, mergeWideEvent } from "@/lib/tracing";
 import { agentTelemetryRoute } from "./agent-telemetry";
 import { flagsRoute } from "./flags";
@@ -22,7 +23,7 @@ export const publicApi = new Elysia({ prefix: "/public" })
 	.use(
 		cors({
 			credentials: false,
-			origin: true,
+			origin: getAllowedCorsOrigins(),
 		})
 	)
 	.options("*", () => new Response(null, { status: 204 }))
diff --git a/apps/api/src/routes/webhooks/autumn.ts b/apps/api/src/routes/webhooks/autumn.ts
index 7f7a36a5b..86c7a6ffd 100644
--- a/apps/api/src/routes/webhooks/autumn.ts
+++ b/apps/api/src/routes/webhooks/autumn.ts
@@ -10,11 +10,18 @@ import { Resend } from "resend";
 import { Webhook } from "svix";
 import { mergeWideEvent } from "../../lib/tracing";
 
-const resend = new Resend(process.env.RESEND_API_KEY);
 const SVIX_SECRET = process.env.AUTUMN_WEBHOOK_SECRET;
 const SLACK_URL = process.env.SLACK_WEBHOOK_URL ?? "";
 const COOLDOWN_DAYS = 7;
 
+function getResendClient(): Resend | null {
+	const apiKey = process.env.RESEND_API_KEY;
+	if (!apiKey) {
+		return null;
+	}
+	return new Resend(apiKey);
+}
+
 interface LimitReachedData {
 	customer_id: string;
 	entity_id?: string;
@@ -145,6 +152,17 @@ async function sendAlertEmailAction(opts: {
 		return { success: false, message: "No email found" };
 	}
 
+	const resend = getResendClient();
+	if (!resend) {
+		useLogger().warn(
+			"Skipping alert email - RESEND_API_KEY is not configured",
+			{
+				autumn: { customerId, cooldownKey },
+			}
+		);
+		return { success: true, message: "Email provider not configured" };
+	}
+
 	const result = await resend.emails.send({
 		from: "Databuddy <alerts@databuddy.cc>",
 		to: userData.email,
diff --git a/apps/basket/src/lib/request-validation-logic.test.ts b/apps/basket/src/lib/request-validation-logic.test.ts
index 7404dda2c..cc736b49e 100644
--- a/apps/basket/src/lib/request-validation-logic.test.ts
+++ b/apps/basket/src/lib/request-validation-logic.test.ts
@@ -83,9 +83,16 @@ vi.mock("@lib/tracing", () => ({
 	record: (_name: string, fn: Function) => Promise.resolve().then(() => fn()),
 	captureError: vi.fn(),
 }));
+mock.module("@databuddy/shared/utils/origins", () => ({
+	getClientAppAllowedOrigins: mock(() => []),
+	isOriginInList: mock(() => false),
+}));
 
 // Import after mocks
 const { validateRequest, checkForBot } = await import("./request-validation");
+const { getClientAppAllowedOrigins, isOriginInList } = await import(
+	"@databuddy/shared/utils/origins"
+);
 
 function makeReq(
 	url = "https://example.com?client_id=ws_1",
@@ -112,6 +119,8 @@ describe("validateRequest", () => {
 		mockIsValidIpFromSettings.mockReset();
 		mockLogBlockedTraffic.mockReset();
 		mockLoggerSet.mockReset();
+		(getClientAppAllowedOrigins as any).mockReset();
+		(isOriginInList as any).mockReset();
 
 		// Defaults: everything passes
 		mockGetWebsiteByIdV2.mockResolvedValue({
@@ -127,6 +136,8 @@ describe("validateRequest", () => {
 		mockIsValidOrigin.mockReturnValue(true);
 		mockIsValidOriginFromSettings.mockReturnValue(true);
 		mockIsValidIpFromSettings.mockReturnValue(true);
+		(getClientAppAllowedOrigins as any).mockReturnValue([]);
+		(isOriginInList as any).mockReturnValue(false);
 	});
 
 	test("happy path → returns ValidatedRequest", async () => {
@@ -270,6 +281,25 @@ describe("validateRequest", () => {
 		}
 	});
 
+	test("globally allowed client app origin bypasses website origin checks", async () => {
+		(getClientAppAllowedOrigins as any).mockReturnValue([
+			"https://starter1.emeruslabs.com",
+		]);
+		(isOriginInList as any).mockReturnValue(true);
+
+		const result = await validateRequest(
+			{},
+			{ client_id: "ws_1" },
+			makeReq("https://example.com", {
+				origin: "https://starter1.emeruslabs.com",
+			})
+		);
+
+		expect(result.clientId).toBe("ws_1");
+		expect(mockIsValidOrigin).not.toHaveBeenCalled();
+		expect(mockIsValidOriginFromSettings).not.toHaveBeenCalled();
+	});
+
 	test("IP not authorized → throws 403", async () => {
 		mockGetWebsiteByIdV2.mockResolvedValue({
 			id: "ws_1",
diff --git a/apps/basket/src/lib/request-validation.ts b/apps/basket/src/lib/request-validation.ts
index 531cac6ee..a850f48f7 100644
--- a/apps/basket/src/lib/request-validation.ts
+++ b/apps/basket/src/lib/request-validation.ts
@@ -16,6 +16,10 @@ import {
 	VALIDATION_LIMITS,
 	validatePayloadSize,
 } from "@utils/validation";
+import {
+	getClientAppAllowedOrigins,
+	isOriginInList,
+} from "@databuddy/shared/utils/origins";
 import { useLogger } from "evlog/elysia";
 
 export interface ValidatedRequest {
@@ -141,12 +145,15 @@ export function validateRequest(
 
 		const origin = request.headers.get("origin");
 		const ip = extractIpFromRequest(request);
+		const clientAppAllowedOrigins = getClientAppAllowedOrigins();
 
 		const securitySettings = getWebsiteSecuritySettings(website.settings);
 		const allowedOrigins = securitySettings?.allowedOrigins;
 		const allowedIps = securitySettings?.allowedIps;
 
-		if (origin && allowedOrigins && allowedOrigins.length > 0) {
+		if (origin && isOriginInList(origin, clientAppAllowedOrigins)) {
+			log.set({ validation: { clientAppOriginAllowed: true, origin } });
+		} else if (origin && allowedOrigins && allowedOrigins.length > 0) {
 			if (
 				!(await record("isValidOriginFromSettings", () =>
 					isValidOriginFromSettings(origin, allowedOrigins)
diff --git a/apps/dashboard/app/(dby)/dby/l/[slug]/page.tsx b/apps/dashboard/app/(dby)/dby/l/[slug]/page.tsx
index 0c40b38c0..af1535830 100644
--- a/apps/dashboard/app/(dby)/dby/l/[slug]/page.tsx
+++ b/apps/dashboard/app/(dby)/dby/l/[slug]/page.tsx
@@ -1,4 +1,3 @@
-import { db } from "@databuddy/db";
 import {
 	type CachedLink,
 	getCachedLink,
@@ -15,6 +14,8 @@ async function getLinkBySlug(slug: string): Promise<CachedLink | null> {
 		return cached;
 	}
 
+	const { db } = await import("@databuddy/db");
+
 	const dbLink = await db.query.links.findFirst({
 		where: (links, { and, eq, isNull }) =>
 			and(eq(links.slug, slug), isNull(links.deletedAt)),
diff --git a/apps/dashboard/app/(main)/billing/utils/stripe-metadata.ts b/apps/dashboard/app/(main)/billing/utils/stripe-metadata.ts
index b8f2d0d26..415dc428d 100644
--- a/apps/dashboard/app/(main)/billing/utils/stripe-metadata.ts
+++ b/apps/dashboard/app/(main)/billing/utils/stripe-metadata.ts
@@ -1,13 +1,13 @@
 import { getTrackingIds } from "@databuddy/sdk";
 
-const DATABUDDY_CLIENT_ID =
-	process.env.NEXT_PUBLIC_DATABUDDY_CLIENT_ID ?? "OXmNQsViBT-FOS_wZCTHc";
+const DATABUDDY_CLIENT_ID = process.env.NEXT_PUBLIC_DATABUDDY_CLIENT_ID;
 
 export function getStripeMetadata(): Record<string, string> {
 	const { anonId, sessionId } = getTrackingIds();
-	const metadata: Record<string, string> = {
-		databuddy_client_id: DATABUDDY_CLIENT_ID,
-	};
+	const metadata: Record<string, string> = {};
+	if (DATABUDDY_CLIENT_ID) {
+		metadata.databuddy_client_id = DATABUDDY_CLIENT_ID;
+	}
 	if (sessionId) {
 		metadata.databuddy_session_id = sessionId;
 	}
diff --git a/apps/dashboard/app/(main)/home/hooks/use-pulse-status.ts b/apps/dashboard/app/(main)/home/hooks/use-pulse-status.ts
index f1089154a..378dceb2e 100644
--- a/apps/dashboard/app/(main)/home/hooks/use-pulse-status.ts
+++ b/apps/dashboard/app/(main)/home/hooks/use-pulse-status.ts
@@ -2,6 +2,7 @@
 
 import { useQuery } from "@tanstack/react-query";
 import { useMemo } from "react";
+import { useOrganizationsContext } from "@/components/providers/organizations-provider";
 import { useFeatureAccess } from "@/hooks/use-feature-access";
 import { orpc } from "@/lib/orpc";
 
@@ -23,12 +24,16 @@ export interface PulseStatus {
 export function usePulseStatus() {
 	const { hasAccess, isLoading: isAccessLoading } =
 		useFeatureAccess("monitors");
+	const { activeOrganization, activeOrganizationId } =
+		useOrganizationsContext();
+	const organizationId =
+		activeOrganization?.id ?? activeOrganizationId ?? undefined;
 
 	const query = useQuery({
 		...orpc.uptime.listSchedules.queryOptions({
-			input: {},
+			input: organizationId ? { organizationId } : {},
 		}),
-		enabled: hasAccess,
+		enabled: hasAccess && !!organizationId,
 	});
 
 	type ScheduleRow = PulseStatus["monitors"][number];
diff --git a/apps/dashboard/app/(main)/monitors/page.tsx b/apps/dashboard/app/(main)/monitors/page.tsx
index 81a6cde57..7cbc29afb 100644
--- a/apps/dashboard/app/(main)/monitors/page.tsx
+++ b/apps/dashboard/app/(main)/monitors/page.tsx
@@ -7,6 +7,7 @@ import { UserPlusIcon } from "@phosphor-icons/react";
 import { useQuery } from "@tanstack/react-query";
 import { Suspense, useState } from "react";
 import { PageHeader } from "@/app/(main)/websites/_components/page-header";
+import { useOrganizationsContext } from "@/components/providers/organizations-provider";
 import { ErrorBoundary } from "@/components/error-boundary";
 import { FeatureAccessGate } from "@/components/feature-access-gate";
 import { MonitorRow } from "@/components/monitors/monitor-row";
@@ -45,6 +46,10 @@ export interface Monitor {
 export default function MonitorsPage() {
 	const { hasAccess, isLoading: isAccessLoading } =
 		useFeatureAccess("monitors");
+	const { activeOrganization, activeOrganizationId } =
+		useOrganizationsContext();
+	const organizationId =
+		activeOrganization?.id ?? activeOrganizationId ?? undefined;
 	const [isSheetOpen, setIsSheetOpen] = useState(false);
 	const [showInviteDialog, setShowInviteDialog] = useState(false);
 	const [editingSchedule, setEditingSchedule] = useState<{
@@ -60,8 +65,10 @@ export default function MonitorsPage() {
 	} | null>(null);
 
 	const schedulesQuery = useQuery({
-		...orpc.uptime.listSchedules.queryOptions({ input: {} }),
-		enabled: hasAccess,
+		...orpc.uptime.listSchedules.queryOptions({
+			input: organizationId ? { organizationId } : {},
+		}),
+		enabled: hasAccess && !!organizationId,
 	});
 
 	const handleCreate = () => {
diff --git a/apps/dashboard/app/(main)/onboarding/_components/step-create-website.tsx b/apps/dashboard/app/(main)/onboarding/_components/step-create-website.tsx
index d8cdda4d0..8a90bec8e 100644
--- a/apps/dashboard/app/(main)/onboarding/_components/step-create-website.tsx
+++ b/apps/dashboard/app/(main)/onboarding/_components/step-create-website.tsx
@@ -42,7 +42,10 @@ interface StepCreateWebsiteProps {
 }
 
 export function StepCreateWebsite({ onComplete }: StepCreateWebsiteProps) {
-	const { activeOrganization } = useOrganizationsContext();
+	const { activeOrganization, activeOrganizationId } =
+		useOrganizationsContext();
+	const organizationId =
+		activeOrganization?.id ?? activeOrganizationId ?? undefined;
 	const createWebsiteMutation = useCreateWebsite();
 
 	const form = useForm<FormData>({
@@ -59,7 +62,7 @@ export function StepCreateWebsite({ onComplete }: StepCreateWebsiteProps) {
 			const result = await createWebsiteMutation.mutateAsync({
 				name: formData.name,
 				domain: formData.domain,
-				organizationId: activeOrganization?.id,
+				organizationId,
 			});
 			toast.success("Website created!");
 			try {
diff --git a/apps/dashboard/app/(main)/onboarding/_components/step-install-tracking.tsx b/apps/dashboard/app/(main)/onboarding/_components/step-install-tracking.tsx
index 89a6058ac..4e40ec0ed 100644
--- a/apps/dashboard/app/(main)/onboarding/_components/step-install-tracking.tsx
+++ b/apps/dashboard/app/(main)/onboarding/_components/step-install-tracking.tsx
@@ -37,6 +37,20 @@ import {
 
 // TODO: Replace with published skill URL once available
 const SKILL_URL = "https://github.com/databuddy-cc/skill";
+const TRACKER_SCRIPT_URL =
+	process.env.NEXT_PUBLIC_SCRIPT_URL || "https://cdn.databuddy.cc/databuddy.js";
+const TRACKER_API_URL =
+	process.env.NEXT_PUBLIC_BASKET_URL || "https://basket.databuddy.cc";
+const PUBLIC_API_URL =
+	process.env.NEXT_PUBLIC_API_URL || "https://api.databuddy.cc";
+
+function toOrigin(value: string) {
+	try {
+		return new URL(value).origin;
+	} catch {
+		return value;
+	}
+}
 
 function generateAgentPrompt(websiteId: string): string {
 	return `Add Databuddy analytics to this repository. Client ID: ${websiteId}
@@ -70,7 +84,7 @@ import { Databuddy } from "@databuddy/sdk/vue";
 
 **Vanilla JS / HTML** — CDN script in \`<head>\`:
 \`\`\`html
-<script src="https://cdn.databuddy.cc/databuddy.js" data-client-id="${websiteId}" crossorigin="anonymous" async></script>
+<script src="${TRACKER_SCRIPT_URL}" data-api-url="${TRACKER_API_URL}" data-client-id="${websiteId}" crossorigin="anonymous" async></script>
 \`\`\`
 
 Store the Client ID in an env var — never hardcode it.
@@ -116,8 +130,8 @@ Use snake_case event names. Track decisions and milestones (signup_completed, pu
 ## Verification — How to Confirm It Works
 
 1. Open DevTools → Network tab, reload the page
-2. Look for a request to cdn.databuddy.cc/databuddy.js (script loading)
-3. Look for requests to basket.databuddy.cc (events being sent)
+2. Look for a request to ${TRACKER_SCRIPT_URL} (script loading)
+3. Look for requests to ${TRACKER_API_URL} (events being sent)
 4. Both should return 200. If events show the correct Client ID in the payload, tracking is working.
 
 ## Common Issues & Fixes
@@ -125,8 +139,8 @@ Use snake_case event names. Track decisions and milestones (signup_completed, pu
 **Domain mismatch**: Events are rejected if sent from a domain that doesn't match the website configured in Databuddy. The domain in settings must match the domain the script runs on.
 
 **Content Security Policy (CSP)**: If the site has strict CSP headers, add these directives:
-- script-src: https://cdn.databuddy.cc
-- connect-src: https://basket.databuddy.cc
+- script-src: ${toOrigin(TRACKER_SCRIPT_URL)}
+- connect-src: ${toOrigin(TRACKER_API_URL)}
 
 **Ad blockers**: uBlock Origin, Privacy Badger, and similar extensions may block analytics scripts. Test with extensions disabled. For production, consider a custom tracking domain (proxy through your own domain).
 
@@ -134,7 +148,7 @@ Use snake_case event names. Track decisions and milestones (signup_completed, pu
 
 **Script not loading**: Verify the script tag is in <head> (not <body>), the src URL is correct, and no CSP or network error appears in the console.
 
-**Events not appearing in dashboard**: Data typically appears within 30 seconds. Check the Network tab for failed requests to basket.databuddy.cc. Verify the Client ID matches. Check for console errors.
+**Events not appearing in dashboard**: Data typically appears within 30 seconds. Check the Network tab for failed requests to ${TRACKER_API_URL}. Verify the Client ID matches. Check for console errors.
 
 **If another analytics tool is present**: Both can run in parallel. No conflicts. Optionally disable the other tool's page view tracking if Databuddy handles it.
 
@@ -143,7 +157,7 @@ Use snake_case event names. Track decisions and milestones (signup_completed, pu
 After installation (success or failure), send a POST to report what happened. This helps us improve the setup experience.
 
 \`\`\`bash
-curl -X POST https://api.databuddy.cc/public/v1/agent-telemetry \\
+curl -X POST ${PUBLIC_API_URL}/public/v1/agent-telemetry \\
   -H "Content-Type: application/json" \\
   -d '{
     "websiteId": "${websiteId}",
@@ -164,7 +178,7 @@ Fields:
 - **framework**: What framework was detected (nextjs, react, vue, vanilla, etc.)
 - **installMethod**: "sdk" or "script-tag"
 - **stepsCompleted**: Array of steps that succeeded: "install", "mount", "env-var", "verify"
-- **issues**: Array of problems encountered, e.g. [{"type": "csp", "detail": "blocked cdn.databuddy.cc", "resolved": true}]
+- **issues**: Array of problems encountered, e.g. [{"type": "csp", "detail": "blocked ${TRACKER_SCRIPT_URL}", "resolved": true}]
   - Common issue types: csp, adblocker, domain-mismatch, script-blocked, build-error, type-error, env-var-missing
 - **errorMessage**: Final error message if status is "failed"
 - **metadata**: Any extra context (package manager used, versions, etc.)
diff --git a/apps/dashboard/app/(main)/onboarding/_components/step-invite-team.tsx b/apps/dashboard/app/(main)/onboarding/_components/step-invite-team.tsx
index b481166bc..1694d852f 100644
--- a/apps/dashboard/app/(main)/onboarding/_components/step-invite-team.tsx
+++ b/apps/dashboard/app/(main)/onboarding/_components/step-invite-team.tsx
@@ -44,8 +44,9 @@ interface SentInvite {
 }
 
 export function StepInviteTeam() {
-	const { activeOrganization } = useOrganizationsContext();
-	const organizationId = activeOrganization?.id ?? "";
+	const { activeOrganization, activeOrganizationId } =
+		useOrganizationsContext();
+	const organizationId = activeOrganization?.id ?? activeOrganizationId ?? "";
 	const { inviteMember, isInviting } =
 		useOrganizationInvitations(organizationId);
 	const [sentInvites, setSentInvites] = useState<SentInvite[]>([]);
diff --git a/apps/dashboard/app/(main)/settings/notifications/_components/alarm-sheet.tsx b/apps/dashboard/app/(main)/settings/notifications/_components/alarm-sheet.tsx
index 799ce07d7..0e87e702f 100644
--- a/apps/dashboard/app/(main)/settings/notifications/_components/alarm-sheet.tsx
+++ b/apps/dashboard/app/(main)/settings/notifications/_components/alarm-sheet.tsx
@@ -143,13 +143,14 @@ export function AlarmSheet({
 	const isEditing = !!alarm;
 	const { activeOrganization, activeOrganizationId } =
 		useOrganizationsContext();
+	const organizationId = activeOrganization?.id ?? activeOrganizationId ?? null;
 	const queryClient = useQueryClient();
 
 	const { data: websites } = useQuery({
 		...orpc.websites.list.queryOptions({
-			input: {},
+			input: organizationId ? { organizationId } : {},
 		}),
-		enabled: open,
+		enabled: open && !!organizationId,
 	});
 
 	const form = useForm<AlarmFormData>({
@@ -178,8 +179,6 @@ export function AlarmSheet({
 	const isPending = createMutation.isPending || updateMutation.isPending;
 
 	const handleSubmit = async (data: AlarmFormData) => {
-		const organizationId =
-			activeOrganization?.id ?? activeOrganizationId ?? null;
 		if (!organizationId) {
 			return;
 		}
diff --git a/apps/dashboard/app/(main)/settings/notifications/page.tsx b/apps/dashboard/app/(main)/settings/notifications/page.tsx
index 8e7ef459e..58b1807e3 100644
--- a/apps/dashboard/app/(main)/settings/notifications/page.tsx
+++ b/apps/dashboard/app/(main)/settings/notifications/page.tsx
@@ -23,6 +23,7 @@ import {
 } from "@/components/ui/dropdown-menu";
 import { Skeleton } from "@/components/ui/skeleton";
 import { Switch } from "@/components/ui/switch";
+import { useOrganizationsContext } from "@/components/providers/organizations-provider";
 import { orpc } from "@/lib/orpc";
 import { AlarmSheet } from "./_components/alarm-sheet";
 
@@ -101,6 +102,10 @@ function parseAlarms(rows: readonly Record<string, unknown>[]): Alarm[] {
 
 export default function NotificationsSettingsPage() {
 	const queryClient = useQueryClient();
+	const { activeOrganization, activeOrganizationId } =
+		useOrganizationsContext();
+	const organizationId =
+		activeOrganization?.id ?? activeOrganizationId ?? undefined;
 	const [sheetOpen, setSheetOpen] = useState(false);
 	const [editingAlarm, setEditingAlarm] = useState<Alarm | null>(null);
 	const [deletingAlarm, setDeletingAlarm] = useState<Alarm | null>(null);
@@ -108,8 +113,9 @@ export default function NotificationsSettingsPage() {
 
 	const { data: alarms, isLoading } = useQuery({
 		...orpc.alarms.list.queryOptions({
-			input: {},
+			input: organizationId ? { organizationId } : {},
 		}),
+		enabled: !!organizationId,
 	});
 
 	const deleteMutation = useMutation({
diff --git a/apps/dashboard/app/(main)/websites/[id]/_components/utils/code-generators.ts b/apps/dashboard/app/(main)/websites/[id]/_components/utils/code-generators.ts
index 922133799..1d3b0dbd4 100644
--- a/apps/dashboard/app/(main)/websites/[id]/_components/utils/code-generators.ts
+++ b/apps/dashboard/app/(main)/websites/[id]/_components/utils/code-generators.ts
@@ -1,6 +1,21 @@
 import { ACTUAL_LIBRARY_DEFAULTS } from "./tracking-defaults";
 import type { TrackingOptions } from "./types";
 
+function getTrackerEndpoints() {
+	const isLocalhost = process.env.NODE_ENV === "development";
+
+	return {
+		scriptUrl:
+			process.env.NEXT_PUBLIC_SCRIPT_URL ??
+			(isLocalhost
+				? "http://localhost:3000/databuddy.js"
+				: "https://cdn.databuddy.cc/databuddy.js"),
+		apiUrl:
+			process.env.NEXT_PUBLIC_BASKET_URL ??
+			(isLocalhost ? "http://localhost:4000" : "https://basket.databuddy.cc"),
+	};
+}
+
 /**
  * Generate HTML script tag for tracking
  */
@@ -8,13 +23,7 @@ export function generateScriptTag(
 	websiteId: string,
 	trackingOptions: TrackingOptions
 ): string {
-	const isLocalhost = process.env.NODE_ENV === "development";
-	const scriptUrl = isLocalhost
-		? "http://localhost:3000/databuddy.js"
-		: "https://cdn.databuddy.cc/databuddy.js";
-	const _apiUrl = isLocalhost
-		? "http://localhost:4000"
-		: "https://basket.databuddy.cc";
+	const { apiUrl, scriptUrl } = getTrackerEndpoints();
 
 	const options = Object.entries(trackingOptions)
 		.filter(([key, value]) => {
@@ -38,6 +47,7 @@ export function generateScriptTag(
 
 	return `<script
     src="${scriptUrl}"
+    data-api-url="${apiUrl}"
     data-client-id="${websiteId}"
 ${optionsLine}    crossorigin="anonymous"
     async
@@ -51,6 +61,7 @@ export function generateNpmCode(
 	websiteId: string,
 	trackingOptions: TrackingOptions
 ): string {
+	const { apiUrl, scriptUrl } = getTrackerEndpoints();
 	const meaningfulProps = Object.entries(trackingOptions)
 		.filter(([key, value]) => {
 			const actualDefault =
@@ -83,6 +94,8 @@ function AppLayout({ children }) {
     <>
       {children}
       <Databuddy
+        apiUrl="${apiUrl}"
+        scriptUrl="${scriptUrl}"
         clientId="${websiteId}"${propsString}/>
     </>
   );
@@ -96,6 +109,7 @@ export function generateNpmComponentCode(
 	websiteId: string,
 	trackingOptions: TrackingOptions
 ): string {
+	const { apiUrl, scriptUrl } = getTrackerEndpoints();
 	const meaningfulProps = Object.entries(trackingOptions)
 		.filter(([key, value]) => {
 			const actualDefault =
@@ -122,5 +136,8 @@ export function generateNpmComponentCode(
 		meaningfulProps.length > 0 ? `\n${meaningfulProps.join("\n")}\n` : "";
 
 	return `<Databuddy
-  clientId="${websiteId}"${propsString}/>`;
+  apiUrl="${apiUrl}"
+  scriptUrl="${scriptUrl}"
+  clientId="${websiteId}"${propsString}
+/>`;
 }
diff --git a/apps/dashboard/app/databuddy.js/route.ts b/apps/dashboard/app/databuddy.js/route.ts
new file mode 100644
index 000000000..a68cb0cab
--- /dev/null
+++ b/apps/dashboard/app/databuddy.js/route.ts
@@ -0,0 +1,15 @@
+import type { NextRequest } from "next/server";
+import {
+	handleTrackerScriptOptions,
+	serveTrackerScript,
+} from "@/lib/tracker-script";
+
+export const runtime = "nodejs";
+
+export function GET(request: NextRequest) {
+	return serveTrackerScript(request, "databuddy.js");
+}
+
+export function OPTIONS(request: NextRequest) {
+	return handleTrackerScriptOptions(request);
+}
diff --git a/apps/dashboard/app/errors.js/route.ts b/apps/dashboard/app/errors.js/route.ts
new file mode 100644
index 000000000..0273e0b9a
--- /dev/null
+++ b/apps/dashboard/app/errors.js/route.ts
@@ -0,0 +1,15 @@
+import type { NextRequest } from "next/server";
+import {
+	handleTrackerScriptOptions,
+	serveTrackerScript,
+} from "@/lib/tracker-script";
+
+export const runtime = "nodejs";
+
+export function GET(request: NextRequest) {
+	return serveTrackerScript(request, "errors.js");
+}
+
+export function OPTIONS(request: NextRequest) {
+	return handleTrackerScriptOptions(request);
+}
diff --git a/apps/dashboard/app/layout.tsx b/apps/dashboard/app/layout.tsx
index 190a4f391..140f98664 100644
--- a/apps/dashboard/app/layout.tsx
+++ b/apps/dashboard/app/layout.tsx
@@ -115,6 +115,10 @@ export default function RootLayout({
 	children: React.ReactNode;
 }>) {
 	const isLocalhost = process.env.NODE_ENV === "development";
+	const basketUrl =
+		process.env.NEXT_PUBLIC_BASKET_URL ??
+		(isLocalhost ? "http://localhost:4000" : "https://basket.databuddy.cc");
+	const trackingClientId = process.env.NEXT_PUBLIC_DATABUDDY_CLIENT_ID;
 
 	return (
 		<html
@@ -130,16 +134,8 @@ export default function RootLayout({
 				</Providers>
 				<Toaster />
 				<Databuddy
-					apiUrl={
-						isLocalhost
-							? "http://localhost:4000"
-							: "https://basket.databuddy.cc"
-					}
-					clientId={
-						isLocalhost
-							? "5ced32e5-0219-4e75-a18a-ad9826f85698"
-							: "3ed1fce1-5a56-4cb6-a977-66864f6d18e3"
-					}
+					apiUrl={basketUrl}
+					clientId={trackingClientId}
 					trackAttributes={true}
 					trackErrors={true}
 					trackPerformance={true}
diff --git a/apps/dashboard/app/providers.tsx b/apps/dashboard/app/providers.tsx
index 00277854c..06fbecf61 100644
--- a/apps/dashboard/app/providers.tsx
+++ b/apps/dashboard/app/providers.tsx
@@ -144,13 +144,16 @@ function FlagsProviderWrapper({ children }: { children: React.ReactNode }) {
 	const { data: session, isPending } = authClient.useSession();
 
 	const apiUrl = process.env.NEXT_PUBLIC_API_URL ?? "http://localhost:3001";
-	const clientId =
-		process.env.NEXT_PUBLIC_DATABUDDY_CLIENT_ID ?? "OXmNQsViBT-FOS_wZCTHc";
+	const clientId = process.env.NEXT_PUBLIC_DATABUDDY_CLIENT_ID;
 
 	const user = session?.user
 		? { userId: session.user.id, email: session.user.email }
 		: undefined;
 
+	if (!clientId) {
+		return <>{children}</>;
+	}
+
 	return (
 		<FlagsProvider
 			apiUrl={apiUrl}
diff --git a/apps/dashboard/app/sitemap.ts b/apps/dashboard/app/sitemap.ts
index 9c54820d8..a790cdec2 100644
--- a/apps/dashboard/app/sitemap.ts
+++ b/apps/dashboard/app/sitemap.ts
@@ -1,5 +1,3 @@
-import { and, db, eq } from "@databuddy/db";
-import { organization, uptimeSchedules } from "@databuddy/db/schema";
 import type { MetadataRoute } from "next";
 import { unstable_cache } from "next/cache";
 import { APP_URL } from "@/lib/app-url";
@@ -9,6 +7,10 @@ export const revalidate = 86_400;
 
 const getPublicStatusPages = unstable_cache(
 	async (): Promise<StatusSitemapRow[]> => {
+		const { and, db, eq, organization, uptimeSchedules } = await import(
+			"@databuddy/db"
+		);
+
 		const rows = await db
 			.select({
 				slug: organization.slug,
diff --git a/apps/dashboard/app/vitals.js/route.ts b/apps/dashboard/app/vitals.js/route.ts
new file mode 100644
index 000000000..1c5a38269
--- /dev/null
+++ b/apps/dashboard/app/vitals.js/route.ts
@@ -0,0 +1,15 @@
+import type { NextRequest } from "next/server";
+import {
+	handleTrackerScriptOptions,
+	serveTrackerScript,
+} from "@/lib/tracker-script";
+
+export const runtime = "nodejs";
+
+export function GET(request: NextRequest) {
+	return serveTrackerScript(request, "vitals.js");
+}
+
+export function OPTIONS(request: NextRequest) {
+	return handleTrackerScriptOptions(request);
+}
diff --git a/apps/dashboard/components/providers/organizations-provider.tsx b/apps/dashboard/components/providers/organizations-provider.tsx
index 30341b1d4..a8ae5bfe0 100644
--- a/apps/dashboard/components/providers/organizations-provider.tsx
+++ b/apps/dashboard/components/providers/organizations-provider.tsx
@@ -1,9 +1,9 @@
 "use client";
 
 import { authClient, useSession } from "@databuddy/auth/client";
-import { useQuery } from "@tanstack/react-query";
+import { useQuery, useQueryClient } from "@tanstack/react-query";
 import { useAtom, useAtomValue, useSetAtom } from "jotai";
-import { type ReactNode, useEffect, useMemo } from "react";
+import { type ReactNode, useEffect, useMemo, useRef } from "react";
 import {
 	activeOrganizationAtom,
 	getOrganizationBySlugAtom,
@@ -21,9 +21,11 @@ export const AUTH_QUERY_KEYS = {
 } as const;
 
 export function OrganizationsProvider({ children }: { children: ReactNode }) {
+	const queryClient = useQueryClient();
 	const setOrganizations = useSetAtom(organizationsAtom);
 	const setActiveOrganization = useSetAtom(activeOrganizationAtom);
 	const setIsLoading = useSetAtom(isLoadingOrganizationsAtom);
+	const hasSyncedInitialOrganization = useRef(false);
 
 	const { data: session, isPending: isLoadingSession } = useSession();
 
@@ -42,7 +44,7 @@ export function OrganizationsProvider({ children }: { children: ReactNode }) {
 			session?.session as { activeOrganizationId?: string | null } | undefined
 		)?.activeOrganizationId;
 		if (!activeId) {
-			return null;
+			return organizationsData?.[0] ?? null;
 		}
 		return organizationsData?.find((org) => org.id === activeId) ?? null;
 	}, [session, organizationsData]);
@@ -61,6 +63,49 @@ export function OrganizationsProvider({ children }: { children: ReactNode }) {
 		setIsLoading(isLoadingSession || isLoadingOrgs);
 	}, [isLoadingSession, isLoadingOrgs, setIsLoading]);
 
+	useEffect(() => {
+		const activeId = (
+			session?.session as { activeOrganizationId?: string | null } | undefined
+		)?.activeOrganizationId;
+		const fallbackOrganizationId = organizationsData?.[0]?.id;
+
+		if (isLoadingSession || isLoadingOrgs) {
+			return;
+		}
+
+		if (
+			activeId ||
+			!fallbackOrganizationId ||
+			hasSyncedInitialOrganization.current
+		) {
+			return;
+		}
+
+		hasSyncedInitialOrganization.current = true;
+
+		authClient.organization
+			.setActive({
+				organizationId: fallbackOrganizationId,
+			})
+			.then(() => {
+				queryClient.invalidateQueries({
+					queryKey: AUTH_QUERY_KEYS.activeOrganization,
+				});
+				queryClient.invalidateQueries({
+					queryKey: AUTH_QUERY_KEYS.organizations,
+				});
+			})
+			.catch(() => {
+				hasSyncedInitialOrganization.current = false;
+			});
+	}, [
+		isLoadingOrgs,
+		isLoadingSession,
+		organizationsData,
+		queryClient,
+		session,
+	]);
+
 	return <>{children}</>;
 }
 
@@ -73,11 +118,13 @@ export function useOrganizationsContext() {
 	const { data: sessionData } = useSession();
 
 	const activeOrganizationId =
+		activeOrganization?.id ??
 		(
 			sessionData?.session as
 				| { activeOrganizationId?: string | null }
 				| undefined
-		)?.activeOrganizationId ?? null;
+		)?.activeOrganizationId ??
+		null;
 
 	return {
 		organizations,
diff --git a/apps/dashboard/components/website-dialog.tsx b/apps/dashboard/components/website-dialog.tsx
index 0456af9f0..543758341 100644
--- a/apps/dashboard/components/website-dialog.tsx
+++ b/apps/dashboard/components/website-dialog.tsx
@@ -70,7 +70,10 @@ export function WebsiteDialog({
 	onSave,
 }: WebsiteDialogProps) {
 	const isEditing = !!website;
-	const { activeOrganization } = useOrganizationsContext();
+	const { activeOrganization, activeOrganizationId } =
+		useOrganizationsContext();
+	const organizationId =
+		activeOrganization?.id ?? activeOrganizationId ?? undefined;
 
 	const createWebsiteMutation = useCreateWebsite();
 	const updateWebsiteMutation = useUpdateWebsite();
@@ -127,7 +130,7 @@ export function WebsiteDialog({
 		const submissionData: CreateWebsiteData = {
 			name: formData.name,
 			domain: formData.domain,
-			organizationId: activeOrganization?.id,
+			organizationId,
 		};
 
 		try {
diff --git a/apps/dashboard/hooks/use-links.ts b/apps/dashboard/hooks/use-links.ts
index fbfe2f9c2..f86e7f8e6 100644
--- a/apps/dashboard/hooks/use-links.ts
+++ b/apps/dashboard/hooks/use-links.ts
@@ -5,6 +5,7 @@ import type { DateRange } from "@databuddy/shared/types/analytics";
 import type { QueryKey } from "@tanstack/react-query";
 import { useMutation, useQuery, useQueryClient } from "@tanstack/react-query";
 import { useMemo } from "react";
+import { useOrganizationsContext } from "@/components/providers/organizations-provider";
 import { useBatchDynamicQuery } from "@/hooks/use-dynamic-query";
 import { orpc } from "@/lib/orpc";
 
@@ -49,8 +50,10 @@ export interface LinkStats {
 	totalClicks: number;
 }
 
-export const getLinksListKey = (): QueryKey =>
-	orpc.links.list.queryKey({ input: {} });
+export const getLinksListKey = (organizationId?: string): QueryKey =>
+	orpc.links.list.queryKey({
+		input: organizationId ? { organizationId } : {},
+	});
 
 export const getLinkByIdKey = (id: string): QueryKey =>
 	orpc.links.get.queryKey({ input: { id } });
@@ -86,11 +89,16 @@ const removeLinkFromList = (
 };
 
 export function useLinks(options?: { enabled?: boolean }) {
+	const { activeOrganization, activeOrganizationId } =
+		useOrganizationsContext();
+	const organizationId =
+		activeOrganization?.id ?? activeOrganizationId ?? undefined;
+
 	const query = useQuery({
 		...orpc.links.list.queryOptions({
-			input: {},
+			input: organizationId ? { organizationId } : {},
 		}),
-		enabled: options?.enabled !== false,
+		enabled: options?.enabled !== false && !!organizationId,
 	});
 
 	return {
@@ -221,11 +229,15 @@ export function useLinkStats(linkId: string, dateRange: DateRange) {
 
 export function useCreateLink() {
 	const queryClient = useQueryClient();
+	const { activeOrganization, activeOrganizationId } =
+		useOrganizationsContext();
+	const organizationId =
+		activeOrganization?.id ?? activeOrganizationId ?? undefined;
 
 	return useMutation({
 		...orpc.links.create.mutationOptions(),
 		onSuccess: (newLink: Link) => {
-			const listKey = getLinksListKey();
+			const listKey = getLinksListKey(organizationId);
 			queryClient.setQueryData<Link[]>(listKey, (old) =>
 				addLinkToList(old, newLink)
 			);
@@ -235,11 +247,15 @@ export function useCreateLink() {
 
 export function useUpdateLink() {
 	const queryClient = useQueryClient();
+	const { activeOrganization, activeOrganizationId } =
+		useOrganizationsContext();
+	const organizationId =
+		activeOrganization?.id ?? activeOrganizationId ?? undefined;
 
 	return useMutation({
 		...orpc.links.update.mutationOptions(),
 		onSuccess: (updatedLink: Link) => {
-			const listKey = getLinksListKey();
+			const listKey = getLinksListKey(organizationId);
 			queryClient.setQueryData<Link[]>(listKey, (old) =>
 				updateLinkInList(old, updatedLink)
 			);
@@ -251,11 +267,15 @@ export function useUpdateLink() {
 
 export function useDeleteLink() {
 	const queryClient = useQueryClient();
+	const { activeOrganization, activeOrganizationId } =
+		useOrganizationsContext();
+	const organizationId =
+		activeOrganization?.id ?? activeOrganizationId ?? undefined;
 
 	return useMutation({
 		...orpc.links.delete.mutationOptions(),
 		onMutate: async ({ id }) => {
-			const listKey = getLinksListKey();
+			const listKey = getLinksListKey(organizationId);
 			await queryClient.cancelQueries({ queryKey: listKey });
 			const previousData = queryClient.getQueryData<Link[]>(listKey);
 
diff --git a/apps/dashboard/hooks/use-monitors.ts b/apps/dashboard/hooks/use-monitors.ts
index 7c7e43c3f..315ea4d6a 100644
--- a/apps/dashboard/hooks/use-monitors.ts
+++ b/apps/dashboard/hooks/use-monitors.ts
@@ -1,12 +1,20 @@
 "use client";
 
 import { useQuery } from "@tanstack/react-query";
+import { useOrganizationsContext } from "@/components/providers/organizations-provider";
 import { orpc } from "@/lib/orpc";
 
 export function useMonitorsLight(options?: { enabled?: boolean }) {
+	const { activeOrganization, activeOrganizationId } =
+		useOrganizationsContext();
+	const organizationId =
+		activeOrganization?.id ?? activeOrganizationId ?? undefined;
+
 	const query = useQuery({
-		...orpc.uptime.listSchedules.queryOptions({ input: {} }),
-		enabled: options?.enabled !== false,
+		...orpc.uptime.listSchedules.queryOptions({
+			input: organizationId ? { organizationId } : {},
+		}),
+		enabled: options?.enabled !== false && !!organizationId,
 		staleTime: 5 * 60 * 1000,
 	});
 
diff --git a/apps/dashboard/hooks/use-websites.ts b/apps/dashboard/hooks/use-websites.ts
index 358f51e77..b3c7feb4a 100644
--- a/apps/dashboard/hooks/use-websites.ts
+++ b/apps/dashboard/hooks/use-websites.ts
@@ -5,6 +5,7 @@ import type { ProcessedMiniChartData } from "@databuddy/shared/types/website";
 
 import type { QueryKey } from "@tanstack/react-query";
 import { useMutation, useQuery, useQueryClient } from "@tanstack/react-query";
+import { useOrganizationsContext } from "@/components/providers/organizations-provider";
 import { orpc } from "@/lib/orpc";
 
 export type { Website } from "@databuddy/db/schema";
@@ -18,9 +19,9 @@ export interface WebsitesListData {
 export const getWebsiteByIdKey = (id: string): QueryKey =>
 	orpc.websites.getById.queryKey({ input: { id } });
 
-export const getWebsitesListKey = (): QueryKey =>
+export const getWebsitesListKey = (organizationId?: string): QueryKey =>
 	orpc.websites.listWithCharts.queryKey({
-		input: {},
+		input: organizationId ? { organizationId } : {},
 	});
 
 export const updateWebsiteInList = (
@@ -86,11 +87,16 @@ const removeWebsiteFromList = (
 };
 
 export function useWebsites(options?: { enabled?: boolean }) {
+	const { activeOrganization, activeOrganizationId } =
+		useOrganizationsContext();
+	const organizationId =
+		activeOrganization?.id ?? activeOrganizationId ?? undefined;
+
 	const query = useQuery({
 		...orpc.websites.listWithCharts.queryOptions({
-			input: {},
+			input: organizationId ? { organizationId } : {},
 		}),
-		enabled: options?.enabled !== false,
+		enabled: options?.enabled !== false && !!organizationId,
 	});
 
 	return {
@@ -105,11 +111,16 @@ export function useWebsites(options?: { enabled?: boolean }) {
 }
 
 export function useWebsitesLight(options?: { enabled?: boolean }) {
+	const { activeOrganization, activeOrganizationId } =
+		useOrganizationsContext();
+	const organizationId =
+		activeOrganization?.id ?? activeOrganizationId ?? undefined;
+
 	const query = useQuery({
 		...orpc.websites.list.queryOptions({
-			input: {},
+			input: organizationId ? { organizationId } : {},
 		}),
-		enabled: options?.enabled !== false,
+		enabled: options?.enabled !== false && !!organizationId,
 		staleTime: 5 * 60 * 1000,
 	});
 
@@ -133,12 +144,16 @@ export function useWebsite(id: string) {
 
 export function useCreateWebsite() {
 	const queryClient = useQueryClient();
+	const { activeOrganization, activeOrganizationId } =
+		useOrganizationsContext();
+	const organizationId =
+		activeOrganization?.id ?? activeOrganizationId ?? undefined;
 
 	return useMutation({
 		...orpc.websites.create.mutationOptions(),
 		onSuccess: (data) => {
 			const newWebsite = data as Website;
-			const listKey = getWebsitesListKey();
+			const listKey = getWebsitesListKey(organizationId);
 			queryClient.setQueryData<WebsitesListData>(listKey, (old) =>
 				addWebsiteToList(old, newWebsite)
 			);
@@ -148,10 +163,11 @@ export function useCreateWebsite() {
 
 export const updateWebsiteCache = (
 	queryClient: ReturnType<typeof useQueryClient>,
-	updatedWebsite: Website
+	updatedWebsite: Website,
+	organizationId?: string
 ) => {
 	const getByIdKey = getWebsiteByIdKey(updatedWebsite.id);
-	const listKey = getWebsitesListKey();
+	const listKey = getWebsitesListKey(organizationId);
 
 	queryClient.setQueryData<WebsitesListData>(listKey, (old) =>
 		updateWebsiteInList(old, updatedWebsite)
@@ -161,17 +177,25 @@ export const updateWebsiteCache = (
 
 export function useUpdateWebsite() {
 	const queryClient = useQueryClient();
+	const { activeOrganization, activeOrganizationId } =
+		useOrganizationsContext();
+	const organizationId =
+		activeOrganization?.id ?? activeOrganizationId ?? undefined;
 	return useMutation({
 		...orpc.websites.update.mutationOptions(),
 		onSuccess: (data) => {
 			const updatedWebsite = data as Website;
-			updateWebsiteCache(queryClient, updatedWebsite);
+			updateWebsiteCache(queryClient, updatedWebsite, organizationId);
 		},
 	});
 }
 
 export function useDeleteWebsite() {
 	const queryClient = useQueryClient();
+	const { activeOrganization, activeOrganizationId } =
+		useOrganizationsContext();
+	const organizationId =
+		activeOrganization?.id ?? activeOrganizationId ?? undefined;
 
 	return useMutation({
 		...orpc.websites.delete.mutationOptions(),
@@ -179,7 +203,7 @@ export function useDeleteWebsite() {
 			const getByIdKey = getWebsiteByIdKey(id);
 			const _previousWebsite = queryClient.getQueryData<Website>(getByIdKey);
 
-			const listKey = getWebsitesListKey();
+			const listKey = getWebsitesListKey(organizationId);
 
 			await queryClient.cancelQueries({ queryKey: listKey });
 			const previousData = queryClient.getQueryData<WebsitesListData>(listKey);
diff --git a/apps/dashboard/lib/tracker-script.ts b/apps/dashboard/lib/tracker-script.ts
new file mode 100644
index 000000000..10a08e339
--- /dev/null
+++ b/apps/dashboard/lib/tracker-script.ts
@@ -0,0 +1,69 @@
+import { readFile } from "node:fs/promises";
+import path from "node:path";
+import {
+	getClientAppAllowedOrigins,
+	isAllowedTrackerAssetOrigin,
+} from "@databuddy/shared/utils/origins";
+import { type NextRequest, NextResponse } from "next/server";
+
+const TRACKER_DIST_DIR = path.resolve(
+	process.cwd(),
+	"../../packages/tracker/dist"
+);
+
+function createCorsHeaders(request: NextRequest): Headers {
+	const headers = new Headers({
+		"Cache-Control": "public, max-age=3600, s-maxage=3600",
+		"Content-Type": "application/javascript; charset=utf-8",
+		"X-Content-Type-Options": "nosniff",
+		"Access-Control-Allow-Methods": "GET, HEAD, OPTIONS",
+		"Access-Control-Allow-Headers": "Content-Type",
+		"Cross-Origin-Resource-Policy": "cross-origin",
+		Vary: "Origin",
+	});
+	const origin = request.headers.get("origin");
+	const allowedOrigins = getClientAppAllowedOrigins();
+
+	if (origin && isAllowedTrackerAssetOrigin(origin, allowedOrigins)) {
+		headers.set("Access-Control-Allow-Origin", origin);
+	}
+
+	return headers;
+}
+
+export async function serveTrackerScript(
+	request: NextRequest,
+	filename: string
+): Promise<NextResponse> {
+	const origin = request.headers.get("origin");
+	const allowedOrigins = getClientAppAllowedOrigins();
+
+	if (origin && !isAllowedTrackerAssetOrigin(origin, allowedOrigins)) {
+		return new NextResponse("Forbidden", {
+			status: 403,
+			headers: createCorsHeaders(request),
+		});
+	}
+
+	try {
+		const filePath = path.join(TRACKER_DIST_DIR, filename);
+		const contents = await readFile(filePath, "utf8");
+
+		return new NextResponse(contents, {
+			status: 200,
+			headers: createCorsHeaders(request),
+		});
+	} catch {
+		return new NextResponse("Tracker asset not available", {
+			status: 503,
+			headers: createCorsHeaders(request),
+		});
+	}
+}
+
+export function handleTrackerScriptOptions(request: NextRequest): NextResponse {
+	return new NextResponse(null, {
+		status: 204,
+		headers: createCorsHeaders(request),
+	});
+}
diff --git a/apps/dashboard/next.config.ts b/apps/dashboard/next.config.ts
index 6e096e552..c75b9f05a 100644
--- a/apps/dashboard/next.config.ts
+++ b/apps/dashboard/next.config.ts
@@ -1,5 +1,17 @@
 import type { NextConfig } from "next";
 
+function toOrigin(value?: string): string | null {
+	if (!value) {
+		return null;
+	}
+
+	try {
+		return new URL(value).origin;
+	} catch {
+		return null;
+	}
+}
+
 const nextConfig: NextConfig = {
 	experimental: {
 		optimizePackageImports: ["@phosphor-icons/react"],
@@ -73,14 +85,25 @@ const nextConfig: NextConfig = {
 		const localhostFrameAncestors = isDev
 			? "http://localhost:* http://127.0.0.1:*"
 			: "";
+		const envScriptSrc = [toOrigin(process.env.NEXT_PUBLIC_SCRIPT_URL)]
+			.filter((value): value is string => Boolean(value))
+			.join(" ");
+		const envConnectSrc = [
+			toOrigin(process.env.NEXT_PUBLIC_API_URL),
+			toOrigin(process.env.NEXT_PUBLIC_APP_URL),
+			toOrigin(process.env.BETTER_AUTH_URL),
+			toOrigin(process.env.NEXT_PUBLIC_BASKET_URL),
+		]
+			.filter((value): value is string => Boolean(value))
+			.join(" ");
 
 		const cspDirectives = [
 			"default-src 'self'",
-			"script-src 'self' 'unsafe-inline' 'unsafe-eval' https://cdn.databuddy.cc",
+			`script-src 'self' 'unsafe-inline' 'unsafe-eval' ${envScriptSrc} https://cdn.databuddy.cc`.trim(),
 			"style-src 'self' 'unsafe-inline' https://fonts.googleapis.com",
 			"font-src 'self' https://fonts.gstatic.com",
 			"img-src 'self' data: blob: https://cdn.databuddy.cc https://www.google.com https://flagcdn.com https://api.dicebear.com https://avatars.githubusercontent.com https://lh3.googleusercontent.com",
-			`connect-src 'self' ${localhostConnectSrc} https://cdn.databuddy.cc https://*.databuddy.cc wss://*.databuddy.cc https://api.microlink.io`.trim(),
+			`connect-src 'self' ${localhostConnectSrc} ${envConnectSrc} https://cdn.databuddy.cc https://*.databuddy.cc wss://*.databuddy.cc https://api.microlink.io`.trim(),
 			"frame-ancestors 'none'",
 			"base-uri 'self'",
 			"form-action 'self'",
@@ -88,11 +111,11 @@ const nextConfig: NextConfig = {
 
 		const demoCspDirectives = [
 			"default-src 'self'",
-			"script-src 'self' 'unsafe-inline' 'unsafe-eval' https://cdn.databuddy.cc",
+			`script-src 'self' 'unsafe-inline' 'unsafe-eval' ${envScriptSrc} https://cdn.databuddy.cc`.trim(),
 			"style-src 'self' 'unsafe-inline' https://fonts.googleapis.com",
 			"font-src 'self' https://fonts.gstatic.com",
 			"img-src 'self' data: blob: https://cdn.databuddy.cc https://www.google.com https://flagcdn.com https://api.dicebear.com https://avatars.githubusercontent.com https://lh3.googleusercontent.com",
-			`connect-src 'self' ${localhostConnectSrc} https://cdn.databuddy.cc https://*.databuddy.cc wss://*.databuddy.cc`.trim(),
+			`connect-src 'self' ${localhostConnectSrc} ${envConnectSrc} https://cdn.databuddy.cc https://*.databuddy.cc wss://*.databuddy.cc`.trim(),
 			`frame-ancestors 'self' ${localhostFrameAncestors} https://*.databuddy.cc https://databuddy.cc`.trim(),
 			"base-uri 'self'",
 			"form-action 'self'",
diff --git a/apps/dashboard/proxy.ts b/apps/dashboard/proxy.ts
index 9e80fb9b8..08adaa60e 100644
--- a/apps/dashboard/proxy.ts
+++ b/apps/dashboard/proxy.ts
@@ -27,6 +27,6 @@ export function proxy(request: NextRequest) {
 
 export const config = {
 	matcher: [
-		"/((?!api|_next/static|_next/image|favicon.ico|demo|public|dby|status|.*\\.(?:svg|png|jpg|jpeg|gif|webp)$).*)",
+		"/((?!api|_next/static|_next/image|favicon.ico|demo|public|dby|status|databuddy\\.js|databuddy-debug\\.js|vitals\\.js|vitals-debug\\.js|errors\\.js|errors-debug\\.js|.*\\.(?:svg|png|jpg|jpeg|gif|webp)$).*)",
 	],
 };
diff --git a/apps/links/src/index.ts b/apps/links/src/index.ts
index dbba74919..f22840224 100644
--- a/apps/links/src/index.ts
+++ b/apps/links/src/index.ts
@@ -10,6 +10,9 @@ import { disconnectProducer } from "./lib/producer";
 import { expiredRoute } from "./routes/expired";
 import { redirectRoute } from "./routes/redirect";
 
+const LINKS_ROOT_REDIRECT_URL =
+	process.env.LINKS_ROOT_REDIRECT_URL ?? "https://databuddy.cc";
+
 initLogger({
 	env: { service: "links" },
 	drain: linksLoggerDrain,
@@ -21,7 +24,7 @@ initLogger({
 const app = new Elysia()
 	.use(evlog({ enrich: enrichLinksWideEvent }))
 	.get("/", function rootRedirect() {
-		return redirect("https://databuddy.cc", 302);
+		return redirect(LINKS_ROOT_REDIRECT_URL, 302);
 	})
 	.get("/health/status", async function linksHealthStatus() {
 		const { db, sql } = await import("@databuddy/db");
diff --git a/apps/links/src/routes/redirect.ts b/apps/links/src/routes/redirect.ts
index a98fcbe5a..a56eb92a1 100644
--- a/apps/links/src/routes/redirect.ts
+++ b/apps/links/src/routes/redirect.ts
@@ -20,9 +20,13 @@ import { extractIp, getGeo } from "../utils/geo";
 import { hashIp } from "../utils/hash";
 import { parseUserAgent } from "../utils/user-agent";
 
-const EXPIRED_URL = "https://app.databuddy.cc/dby/expired";
-const NOT_FOUND_URL = "https://app.databuddy.cc/dby/not-found";
-const PROXY_URL = "https://app.databuddy.cc/dby/l";
+const APP_URL = (process.env.APP_URL ?? "https://app.databuddy.cc").replace(
+	/\/+$/,
+	""
+);
+const EXPIRED_URL = `${APP_URL}/dby/expired`;
+const NOT_FOUND_URL = `${APP_URL}/dby/not-found`;
+const PROXY_URL = `${APP_URL}/dby/l`;
 
 /** Set to `true` to enforce per-IP Redis rate limits (100 req / 60s). */
 const RATE_LIMIT_ENABLED = true;
diff --git a/apps/uptime/src/uptime-transition-emails.ts b/apps/uptime/src/uptime-transition-emails.ts
index 07a8c7343..118720ae4 100644
--- a/apps/uptime/src/uptime-transition-emails.ts
+++ b/apps/uptime/src/uptime-transition-emails.ts
@@ -120,7 +120,10 @@ export async function sendUptimeTransitionEmailsIfNeeded(options: {
 	}
 
 	const siteLabel = buildSiteLabel(options.schedule);
-	const baseUrl = process.env.DASHBOARD_APP_URL ?? "https://app.databuddy.cc";
+	const baseUrl =
+		process.env.DASHBOARD_APP_URL ??
+		process.env.NEXT_PUBLIC_APP_URL ??
+		"https://app.databuddy.cc";
 	const dashboardUrl = `${baseUrl.replace(TRAILING_SLASH, "")}/monitors/${options.schedule.id}`;
 
 	const resend = new Resend(apiKey);
diff --git a/dashboard.Dockerfile b/dashboard.Dockerfile
new file mode 100644
index 000000000..c4736e9b8
--- /dev/null
+++ b/dashboard.Dockerfile
@@ -0,0 +1,60 @@
+FROM oven/bun:1.3.11-slim AS pruner
+
+WORKDIR /app
+
+COPY . .
+
+RUN bunx turbo prune @databuddy/dashboard @databuddy/tracker --docker
+
+FROM oven/bun:1.3.11-slim AS builder
+
+WORKDIR /app
+
+COPY --from=pruner /app/out/json/ .
+RUN bun install --ignore-scripts
+
+COPY --from=pruner /app/out/full/ .
+COPY turbo.json turbo.json
+
+ARG BETTER_AUTH_URL=http://localhost:3000
+ARG NEXT_PUBLIC_BETTER_AUTH_URL=http://localhost:3000
+ARG NEXT_PUBLIC_API_URL=http://localhost:3001
+ARG NEXT_PUBLIC_APP_URL=http://localhost:3000
+ARG NEXT_PUBLIC_BASKET_URL=http://localhost:4000
+ARG NEXT_PUBLIC_SCRIPT_URL=http://localhost:3000/databuddy.js
+
+ENV NODE_ENV=production
+ENV DATABASE_URL=postgres://databuddy:databuddy@localhost:5432/databuddy
+ENV REDIS_URL=redis://localhost:6379
+ENV BETTER_AUTH_SECRET=build-only-secret
+ENV BETTER_AUTH_URL=${BETTER_AUTH_URL}
+ENV NEXT_PUBLIC_BETTER_AUTH_URL=${NEXT_PUBLIC_BETTER_AUTH_URL}
+ENV NEXT_PUBLIC_API_URL=${NEXT_PUBLIC_API_URL}
+ENV NEXT_PUBLIC_APP_URL=${NEXT_PUBLIC_APP_URL}
+ENV NEXT_PUBLIC_BASKET_URL=${NEXT_PUBLIC_BASKET_URL}
+ENV NEXT_PUBLIC_SCRIPT_URL=${NEXT_PUBLIC_SCRIPT_URL}
+ENV GITHUB_CLIENT_ID=build-only-github-client
+ENV GITHUB_CLIENT_SECRET=build-only-github-secret
+ENV GOOGLE_CLIENT_ID=build-only-google-client
+ENV GOOGLE_CLIENT_SECRET=build-only-google-secret
+ENV RESEND_API_KEY=build-only-resend-key
+
+RUN bunx turbo build --filter=@databuddy/dashboard...
+RUN cd packages/tracker && bun run build
+
+FROM oven/bun:1.3.11-slim
+
+WORKDIR /app
+
+COPY --from=builder /app/package.json ./
+COPY --from=builder /app/node_modules ./node_modules
+COPY --from=builder /app/apps/dashboard ./apps/dashboard
+COPY --from=builder /app/packages ./packages
+
+ENV NODE_ENV=production
+
+EXPOSE 3000
+
+WORKDIR /app/apps/dashboard
+
+CMD ["bun", "run", "start"]
diff --git a/docker-compose.selfhost.yml b/docker-compose.selfhost.yml
index 3404fd571..da2e66ed8 100644
--- a/docker-compose.selfhost.yml
+++ b/docker-compose.selfhost.yml
@@ -44,10 +44,15 @@ services:
         soft: 262144
         hard: 262144
     healthcheck:
-      test: [ "CMD", "wget", "--no-verbose", "--tries=1", "--spider", "http://localhost:8123/ping" ]
+      test:
+        [
+          "CMD-SHELL",
+          "clickhouse-client --host 127.0.0.1 --user \"$${CLICKHOUSE_USER:-default}\" --password \"$${CLICKHOUSE_PASSWORD}\" --query \"SELECT 1\" >/dev/null 2>&1",
+        ]
       interval: 10s
       timeout: 5s
-      retries: 5
+      start_period: 20s
+      retries: 12
     restart: unless-stopped
     networks:
       - databuddy
@@ -74,8 +79,35 @@ services:
       - databuddy
     <<: *logging
 
+  init:
+    build:
+      context: .
+      dockerfile: api.Dockerfile
+    container_name: databuddy-init
+    environment:
+      NODE_ENV: production
+      DATABASE_URL: ${DATABASE_URL}
+      CLICKHOUSE_URL: ${CLICKHOUSE_URL}
+    command:
+      [
+        "sh",
+        "-lc",
+        "cd /app/packages/db && bun run db:push && bun run clickhouse:init",
+      ]
+    depends_on:
+      postgres:
+        condition: service_healthy
+      clickhouse:
+        condition: service_healthy
+    restart: "no"
+    networks:
+      - databuddy
+    <<: *logging
+
   api:
-    image: ghcr.io/databuddy-analytics/databuddy-api:${IMAGE_TAG:-edge}
+    build:
+      context: .
+      dockerfile: api.Dockerfile
     container_name: databuddy-api
     ports:
       - "${API_PORT:-3001}:3001"
@@ -87,7 +119,14 @@ services:
       CLICKHOUSE_URL: ${CLICKHOUSE_URL}
       BETTER_AUTH_URL: ${BETTER_AUTH_URL}
       BETTER_AUTH_SECRET: ${BETTER_AUTH_SECRET}
+      NEXT_PUBLIC_API_URL: ${NEXT_PUBLIC_API_URL}
+      NEXT_PUBLIC_APP_URL: ${NEXT_PUBLIC_APP_URL}
+      CLIENT_APP_ALLOWED_ORIGINS: ${CLIENT_APP_ALLOWED_ORIGINS:-}
+      AUTH_TRUSTED_ORIGINS: ${AUTH_TRUSTED_ORIGINS:-}
+      AUTH_COOKIE_DOMAIN: ${AUTH_COOKIE_DOMAIN:-}
       DASHBOARD_URL: ${DASHBOARD_URL:-}
+      APP_URL: ${APP_URL:-${NEXT_PUBLIC_APP_URL}}
+      AUTUMN_SECRET_KEY: ${AUTUMN_SECRET_KEY:-}
       AI_API_KEY: ${AI_API_KEY:-}
       RESEND_API_KEY: ${RESEND_API_KEY:-}
     healthcheck:
@@ -103,13 +142,17 @@ services:
         condition: service_healthy
       redis:
         condition: service_healthy
+      init:
+        condition: service_completed_successfully
     restart: unless-stopped
     networks:
       - databuddy
     <<: *logging
 
   basket:
-    image: ghcr.io/databuddy-analytics/databuddy-basket:${IMAGE_TAG:-edge}
+    build:
+      context: .
+      dockerfile: basket.Dockerfile
     container_name: databuddy-basket
     ports:
       - "${BASKET_PORT:-4000}:4000"
@@ -119,6 +162,11 @@ services:
       DATABASE_URL: ${DATABASE_URL}
       REDIS_URL: ${REDIS_URL}
       CLICKHOUSE_URL: ${CLICKHOUSE_URL}
+      BETTER_AUTH_URL: ${BETTER_AUTH_URL}
+      BETTER_AUTH_SECRET: ${BETTER_AUTH_SECRET}
+      CLIENT_APP_ALLOWED_ORIGINS: ${CLIENT_APP_ALLOWED_ORIGINS:-}
+      AUTH_TRUSTED_ORIGINS: ${AUTH_TRUSTED_ORIGINS:-}
+      AUTH_COOKIE_DOMAIN: ${AUTH_COOKIE_DOMAIN:-}
       SELFHOST: "true"
     healthcheck:
       test: [ "CMD", "bun", "-e", "fetch('http://localhost:4000/health').then(r=>process.exit(r.ok?0:1)).catch(()=>process.exit(1))" ]
@@ -133,13 +181,17 @@ services:
         condition: service_healthy
       redis:
         condition: service_healthy
+      init:
+        condition: service_completed_successfully
     restart: unless-stopped
     networks:
       - databuddy
     <<: *logging
 
   links:
-    image: ghcr.io/databuddy-analytics/databuddy-links:${IMAGE_TAG:-edge}
+    build:
+      context: .
+      dockerfile: links.Dockerfile
     container_name: databuddy-links
     ports:
       - "${LINKS_PORT:-2500}:2500"
@@ -161,13 +213,17 @@ services:
         condition: service_healthy
       redis:
         condition: service_healthy
+      init:
+        condition: service_completed_successfully
     restart: unless-stopped
     networks:
       - databuddy
     <<: *logging
   # Uncomment to enable uptime monitoring (requires Upstash QStash keys)
   # uptime:
-  #   image: ghcr.io/databuddy-analytics/databuddy-uptime:${IMAGE_TAG:-edge}
+  #   build:
+  #     context: .
+  #     dockerfile: uptime.Dockerfile
   #   container_name: databuddy-uptime
   #   ports:
   #     - "${UPTIME_PORT:-4001}:4000"
@@ -194,6 +250,53 @@ services:
   #     - databuddy
   #   <<: *logging
 
+  dashboard:
+    build:
+      context: .
+      dockerfile: dashboard.Dockerfile
+      args:
+        BETTER_AUTH_URL: ${BETTER_AUTH_URL}
+        NEXT_PUBLIC_BETTER_AUTH_URL: ${NEXT_PUBLIC_BETTER_AUTH_URL:-${BETTER_AUTH_URL}}
+        NEXT_PUBLIC_API_URL: ${NEXT_PUBLIC_API_URL}
+        NEXT_PUBLIC_APP_URL: ${NEXT_PUBLIC_APP_URL}
+        NEXT_PUBLIC_BASKET_URL: ${NEXT_PUBLIC_BASKET_URL:-https://basket.databuddy.cc}
+        NEXT_PUBLIC_SCRIPT_URL: ${NEXT_PUBLIC_SCRIPT_URL:-https://cdn.databuddy.cc/databuddy.js}
+    container_name: databuddy-dashboard
+    ports:
+      - "127.0.0.1:${DASHBOARD_PORT:-3100}:3000"
+    environment:
+      NODE_ENV: production
+      DATABASE_URL: ${DATABASE_URL}
+      REDIS_URL: ${REDIS_URL}
+      BETTER_AUTH_URL: ${BETTER_AUTH_URL}
+      BETTER_AUTH_SECRET: ${BETTER_AUTH_SECRET}
+      AUTUMN_SECRET_KEY: ${AUTUMN_SECRET_KEY:-}
+      NEXT_PUBLIC_BETTER_AUTH_URL: ${NEXT_PUBLIC_BETTER_AUTH_URL:-${BETTER_AUTH_URL}}
+      CLIENT_APP_ALLOWED_ORIGINS: ${CLIENT_APP_ALLOWED_ORIGINS:-}
+      AUTH_TRUSTED_ORIGINS: ${AUTH_TRUSTED_ORIGINS:-}
+      AUTH_COOKIE_DOMAIN: ${AUTH_COOKIE_DOMAIN:-}
+      NEXT_PUBLIC_API_URL: ${NEXT_PUBLIC_API_URL}
+      NEXT_PUBLIC_APP_URL: ${NEXT_PUBLIC_APP_URL}
+      NEXT_PUBLIC_BASKET_URL: ${NEXT_PUBLIC_BASKET_URL:-https://basket.databuddy.cc}
+      NEXT_PUBLIC_SCRIPT_URL: ${NEXT_PUBLIC_SCRIPT_URL:-https://cdn.databuddy.cc/databuddy.js}
+      GITHUB_CLIENT_ID: ${GITHUB_CLIENT_ID:-}
+      GITHUB_CLIENT_SECRET: ${GITHUB_CLIENT_SECRET:-}
+      GOOGLE_CLIENT_ID: ${GOOGLE_CLIENT_ID:-}
+      GOOGLE_CLIENT_SECRET: ${GOOGLE_CLIENT_SECRET:-}
+      RESEND_API_KEY: ${RESEND_API_KEY:-}
+    depends_on:
+      postgres:
+        condition: service_healthy
+      redis:
+        condition: service_healthy
+      init:
+        condition: service_completed_successfully
+      api:
+        condition: service_healthy
+    restart: unless-stopped
+    networks:
+      - databuddy
+
 volumes:
   postgres_data:
   clickhouse_data:
diff --git a/packages/auth/src/auth.ts b/packages/auth/src/auth.ts
index d73761376..4d4a7f163 100644
--- a/packages/auth/src/auth.ts
+++ b/packages/auth/src/auth.ts
@@ -33,12 +33,18 @@ import {
 import { Resend } from "resend";
 import { ac, admin, member, owner, viewer } from "./permissions";
 
+const NON_SLUG_CHARACTERS_REGEX = /[^a-z0-9\s-]/g;
+const WHITESPACE_REGEX = /\s+/g;
+const MULTIPLE_DASHES_REGEX = /-+/g;
+const TRAILING_SLASHES_REGEX = /\/+$/;
+const LOCALHOST_HOSTNAMES = new Set(["localhost", "127.0.0.1", "::1"]);
+
 function generateOrgSlug(name: string): string {
 	return name
 		.toLowerCase()
-		.replace(/[^a-z0-9\s-]/g, "")
-		.replace(/\s+/g, "-")
-		.replace(/-+/g, "-")
+		.replace(NON_SLUG_CHARACTERS_REGEX, "")
+		.replace(WHITESPACE_REGEX, "-")
+		.replace(MULTIPLE_DASHES_REGEX, "-")
 		.slice(0, 48);
 }
 
@@ -54,7 +60,71 @@ function isProduction() {
 	return process.env.NODE_ENV === "production";
 }
 
+function getConfiguredAppOrigin(): URL | null {
+	const candidates = [
+		process.env.BETTER_AUTH_URL,
+		process.env.NEXT_PUBLIC_BETTER_AUTH_URL,
+		process.env.NEXT_PUBLIC_APP_URL,
+		process.env.APP_URL,
+	].filter((value): value is string => Boolean(value));
+
+	for (const candidate of candidates) {
+		try {
+			return new URL(candidate);
+		} catch {}
+	}
+
+	return null;
+}
+
+function shouldUseSecureCookies(): boolean {
+	if (!isProduction()) {
+		return false;
+	}
+
+	const appOrigin = getConfiguredAppOrigin();
+	if (!appOrigin) {
+		return true;
+	}
+
+	const isLocalhost = LOCALHOST_HOSTNAMES.has(appOrigin.hostname);
+	return !(isLocalhost && appOrigin.protocol === "http:");
+}
+
+function normalizeOrigin(value: string): string {
+	const trimmed = value.trim().replace(TRAILING_SLASHES_REGEX, "");
+
+	try {
+		return new URL(trimmed).origin;
+	} catch {
+		return trimmed;
+	}
+}
+
+function getTrustedOrigins(): string[] {
+	const defaults = [
+		process.env.BETTER_AUTH_URL,
+		process.env.NEXT_PUBLIC_APP_URL,
+		process.env.NEXT_PUBLIC_API_URL,
+		process.env.DASHBOARD_URL,
+		isProduction() ? undefined : "http://localhost:3000",
+		isProduction() ? undefined : "http://localhost:3100",
+		isProduction() ? undefined : "http://localhost:3001",
+	]
+		.filter((value): value is string => Boolean(value))
+		.map(normalizeOrigin);
+
+	const extraOrigins = (process.env.AUTH_TRUSTED_ORIGINS ?? "")
+		.split(",")
+		.map((origin) => origin.trim())
+		.filter(Boolean)
+		.map(normalizeOrigin);
+
+	return [...new Set([...defaults, ...extraOrigins])];
+}
+
 const SLACK_WEBHOOK_URL = process.env.SLACK_WEBHOOK_URL ?? "";
+const AUTH_COOKIE_DOMAIN = process.env.AUTH_COOKIE_DOMAIN;
 
 function notifySignUpSlackAction(input: {
 	userId: string;
@@ -207,17 +277,13 @@ export const auth = betterAuth({
 	},
 	advanced: {
 		crossSubDomainCookies: {
-			enabled: isProduction(),
-			domain: ".databuddy.cc",
+			enabled: isProduction() && Boolean(AUTH_COOKIE_DOMAIN),
+			domain: AUTH_COOKIE_DOMAIN,
 		},
 		cookiePrefix: isProduction() ? "databuddy" : "databuddy-dev",
-		useSecureCookies: isProduction(),
+		useSecureCookies: shouldUseSecureCookies(),
 	},
-	trustedOrigins: [
-		"https://databuddy.cc",
-		"https://app.databuddy.cc",
-		"https://api.databuddy.cc",
-	],
+	trustedOrigins: getTrustedOrigins(),
 	socialProviders: {
 		google: {
 			clientId: process.env.GOOGLE_CLIENT_ID as string,
diff --git a/packages/db/package.json b/packages/db/package.json
index a00a448c8..47a2a50a7 100644
--- a/packages/db/package.json
+++ b/packages/db/package.json
@@ -29,6 +29,6 @@
     "db:push": "dotenv -- drizzle-kit push",
     "db:studio": "dotenv -- drizzle-kit studio",
     "db:seed": "tsx src/seed.ts",
-    "clickhouse:init": "tsx src/clickhouse/setup.ts"
+    "clickhouse:init": "bun run src/clickhouse/setup.ts"
   }
 }
diff --git a/packages/env/src/base.ts b/packages/env/src/base.ts
index 4fa192bd4..7ea7e76ab 100644
--- a/packages/env/src/base.ts
+++ b/packages/env/src/base.ts
@@ -26,6 +26,7 @@ export const commonEnvSchema = {
 	NODE_ENV: z.string().default("development"),
 	DATABASE_URL: z.string(),
 	REDIS_URL: z.string(),
+	CLIENT_APP_ALLOWED_ORIGINS: z.string().optional(),
 } as const;
 
 /**
diff --git a/packages/redis/redis.ts b/packages/redis/redis.ts
index f16283618..752e23e78 100644
--- a/packages/redis/redis.ts
+++ b/packages/redis/redis.ts
@@ -30,7 +30,13 @@ export function getRedisCache() {
 }
 
 export const redis = new Proxy({} as Redis, {
-	get(_, prop) {
-		return Reflect.get(getRedisCache(), prop);
+	get(_target, prop, receiver) {
+		const client = getRedisCache();
+		const value = Reflect.get(client, prop, receiver);
+		return typeof value === "function" ? value.bind(client) : value;
 	},
-});
+	set(_target, prop, value, receiver) {
+		const client = getRedisCache();
+		return Reflect.set(client, prop, value, receiver);
+	},
+}) as Redis;
diff --git a/packages/rpc/src/orpc.ts b/packages/rpc/src/orpc.ts
index e7c00d7ac..3c05bef88 100644
--- a/packages/rpc/src/orpc.ts
+++ b/packages/rpc/src/orpc.ts
@@ -1,6 +1,5 @@
 import { getApiKeyFromHeader } from "@databuddy/api-keys/resolve";
 import { auth, type User } from "@databuddy/auth";
-import { db } from "@databuddy/db";
 import { os as createOS } from "@orpc/server";
 import { baseErrors } from "./errors";
 import {
@@ -15,6 +14,8 @@ import {
 } from "./utils/billing";
 
 export const createRPCContext = async (opts: { headers: Headers }) => {
+	const { db } = await import("@databuddy/db");
+
 	const [session, apiKey] = await Promise.all([
 		auth.api.getSession({ headers: opts.headers }),
 		getApiKeyFromHeader(opts.headers),
diff --git a/packages/shared/package.json b/packages/shared/package.json
index 378584e70..aa95a5962 100644
--- a/packages/shared/package.json
+++ b/packages/shared/package.json
@@ -36,6 +36,7 @@
     "./flags/utils": "./src/flags/utils.ts",
     "./utils/date-utils": "./src/utils/date-utils.ts",
     "./utils/ids": "./src/utils/ids.ts",
+    "./utils/origins": "./src/utils/origins.ts",
     "./utils/openrouter": "./src/utils/openrouter.ts",
     "./bot-detection": "./src/utils/bot-detection/index.ts",
     "./bot-detection/detector": "./src/utils/bot-detection/detector.ts",
diff --git a/packages/shared/src/utils/index.ts b/packages/shared/src/utils/index.ts
index 4cabbcf08..f6e94e8e1 100644
--- a/packages/shared/src/utils/index.ts
+++ b/packages/shared/src/utils/index.ts
@@ -1,2 +1,3 @@
 export * from "./date-utils";
 export * from "./ids";
+export * from "./origins";
diff --git a/packages/shared/src/utils/origins.ts b/packages/shared/src/utils/origins.ts
new file mode 100644
index 000000000..56586400e
--- /dev/null
+++ b/packages/shared/src/utils/origins.ts
@@ -0,0 +1,87 @@
+const TRAILING_SLASHES_REGEX = /\/+$/;
+const DATABUDDY_HOSTNAME_REGEX = /(?:^|\.)databuddy\.cc$/;
+
+export function normalizeOrigin(value: string): string | null {
+	const trimmed = value.trim().replace(TRAILING_SLASHES_REGEX, "");
+
+	if (!trimmed) {
+		return null;
+	}
+
+	try {
+		return new URL(trimmed).origin;
+	} catch {
+		return null;
+	}
+}
+
+export function parseOriginList(value?: string): string[] {
+	if (!value) {
+		return [];
+	}
+
+	return [
+		...new Set(
+			value
+				.split(",")
+				.map((origin) => normalizeOrigin(origin))
+				.filter((origin): origin is string => Boolean(origin))
+		),
+	];
+}
+
+export function getClientAppAllowedOrigins(
+	environment: Record<string, string | undefined> = process.env
+): string[] {
+	return parseOriginList(environment.CLIENT_APP_ALLOWED_ORIGINS);
+}
+
+export function isOriginInList(
+	originHeader: string | null | undefined,
+	allowedOrigins: string[]
+): boolean {
+	if (!originHeader || allowedOrigins.length === 0) {
+		return false;
+	}
+
+	const normalizedOrigin = normalizeOrigin(originHeader);
+	if (!normalizedOrigin) {
+		return false;
+	}
+
+	return allowedOrigins.includes(normalizedOrigin);
+}
+
+export function isDatabuddyOrigin(
+	originHeader: string | null | undefined
+): boolean {
+	if (!originHeader) {
+		return false;
+	}
+
+	const normalizedOrigin = normalizeOrigin(originHeader);
+	if (!normalizedOrigin) {
+		return false;
+	}
+
+	try {
+		return DATABUDDY_HOSTNAME_REGEX.test(new URL(normalizedOrigin).hostname);
+	} catch {
+		return false;
+	}
+}
+
+export function isAllowedTrackerAssetOrigin(
+	originHeader: string | null | undefined,
+	allowedOrigins: string[]
+): boolean {
+	if (!originHeader) {
+		return false;
+	}
+
+	if (allowedOrigins.length === 0) {
+		return isDatabuddyOrigin(originHeader);
+	}
+
+	return isOriginInList(originHeader, allowedOrigins);
+}
diff --git a/turbo.json b/turbo.json
index 8996d55c6..b6fad2f30 100644
--- a/turbo.json
+++ b/turbo.json
@@ -12,6 +12,7 @@
     "AUTUMN_SECRET_KEY",
     "BETTER_AUTH_SECRET",
     "BETTER_AUTH_URL",
+    "CLIENT_APP_ALLOWED_ORIGINS",
     "CLICKHOUSE_URL",
     "DATABASE_URL",
     "DATABUDDY_API_KEY",

From 712e14c06b2b9b67241cd7ff54e37e7c2f502027 Mon Sep 17 00:00:00 2001
From: JustinMissmahl <github@emeruslabs.com~>
Date: Sat, 11 Apr 2026 23:07:00 +0200
Subject: [PATCH 2/6] address
 https://github.com/databuddy-analytics/Databuddy/pull/409#discussion_r3068589725

---
 .../app/(main)/home/hooks/use-pulse-status.ts |  5 +---
 .../insights/_components/cockpit-signals.tsx  |  5 ++--
 .../_components/insights-page-content.tsx     |  5 ++--
 .../insights/hooks/use-insights-feed.ts       |  9 ++-----
 .../insights/hooks/use-org-narrative.ts       |  4 +--
 .../(main)/links/_components/link-sheet.tsx   |  6 ++---
 apps/dashboard/app/(main)/monitors/page.tsx   |  5 +---
 .../[id]/_components/add-monitor-dialog.tsx   |  5 ++--
 .../app/(main)/monitors/status-pages/page.tsx |  5 ++--
 .../_components/step-create-website.tsx       |  5 +---
 .../_components/step-invite-team.tsx          |  6 ++---
 .../notifications/_components/alarm-sheet.tsx |  4 +--
 .../(main)/settings/notifications/page.tsx    |  5 +---
 .../components/monitors/monitor-sheet.tsx     |  6 ++---
 .../providers/organizations-provider.tsx      |  1 +
 .../status-pages/status-page-sheet.tsx        |  6 ++---
 apps/dashboard/components/website-dialog.tsx  |  5 +---
 apps/dashboard/hooks/use-links.ts             | 20 +++------------
 apps/dashboard/hooks/use-monitors.ts          |  5 +---
 apps/dashboard/hooks/use-websites.ts          | 25 ++++---------------
 20 files changed, 36 insertions(+), 101 deletions(-)

diff --git a/apps/dashboard/app/(main)/home/hooks/use-pulse-status.ts b/apps/dashboard/app/(main)/home/hooks/use-pulse-status.ts
index 378dceb2e..e1fcd2fef 100644
--- a/apps/dashboard/app/(main)/home/hooks/use-pulse-status.ts
+++ b/apps/dashboard/app/(main)/home/hooks/use-pulse-status.ts
@@ -24,10 +24,7 @@ export interface PulseStatus {
 export function usePulseStatus() {
 	const { hasAccess, isLoading: isAccessLoading } =
 		useFeatureAccess("monitors");
-	const { activeOrganization, activeOrganizationId } =
-		useOrganizationsContext();
-	const organizationId =
-		activeOrganization?.id ?? activeOrganizationId ?? undefined;
+	const { organizationId } = useOrganizationsContext();
 
 	const query = useQuery({
 		...orpc.uptime.listSchedules.queryOptions({
diff --git a/apps/dashboard/app/(main)/insights/_components/cockpit-signals.tsx b/apps/dashboard/app/(main)/insights/_components/cockpit-signals.tsx
index 41cceb9bd..2e69d7ea9 100644
--- a/apps/dashboard/app/(main)/insights/_components/cockpit-signals.tsx
+++ b/apps/dashboard/app/(main)/insights/_components/cockpit-signals.tsx
@@ -68,9 +68,8 @@ function sortInsights(items: Insight[], mode: SortMode): Insight[] {
 }
 
 export function CockpitSignals(): ReactElement {
-	const { activeOrganization, activeOrganizationId } =
-		useOrganizationsContext();
-	const orgId = activeOrganization?.id ?? activeOrganizationId ?? undefined;
+	const { organizationId } = useOrganizationsContext();
+	const orgId = organizationId ?? undefined;
 
 	const {
 		insights,
diff --git a/apps/dashboard/app/(main)/insights/_components/insights-page-content.tsx b/apps/dashboard/app/(main)/insights/_components/insights-page-content.tsx
index fc76f481e..bf6704b51 100644
--- a/apps/dashboard/app/(main)/insights/_components/insights-page-content.tsx
+++ b/apps/dashboard/app/(main)/insights/_components/insights-page-content.tsx
@@ -169,9 +169,8 @@ function FocusSitePicker({ websites, value, onChange }: FocusSitePickerProps) {
 
 export function InsightsPageContent() {
 	const queryClient = useQueryClient();
-	const { activeOrganization, activeOrganizationId } =
-		useOrganizationsContext();
-	const orgId = activeOrganization?.id ?? activeOrganizationId ?? undefined;
+	const { organizationId } = useOrganizationsContext();
+	const orgId = organizationId ?? undefined;
 
 	const { insights, isLoading, isRefreshing, refetch } = useInsightsFeed();
 
diff --git a/apps/dashboard/app/(main)/insights/hooks/use-insights-feed.ts b/apps/dashboard/app/(main)/insights/hooks/use-insights-feed.ts
index d2548f4b1..145f74cfd 100644
--- a/apps/dashboard/app/(main)/insights/hooks/use-insights-feed.ts
+++ b/apps/dashboard/app/(main)/insights/hooks/use-insights-feed.ts
@@ -50,13 +50,8 @@ function mergeAiWithHistoryPages(
 
 export function useInsightsFeed() {
 	const queryClient = useQueryClient();
-	const {
-		activeOrganization,
-		activeOrganizationId,
-		isLoading: isOrgContextLoading,
-	} = useOrganizationsContext();
-
-	const orgId = activeOrganization?.id ?? activeOrganizationId ?? undefined;
+	const { organizationId: orgId, isLoading: isOrgContextLoading } =
+		useOrganizationsContext();
 
 	const historyInfinite = useInfiniteQuery({
 		queryKey: [INSIGHT_QUERY_KEYS.historyInfinite, orgId],
diff --git a/apps/dashboard/app/(main)/insights/hooks/use-org-narrative.ts b/apps/dashboard/app/(main)/insights/hooks/use-org-narrative.ts
index 277db1225..f5e1d581a 100644
--- a/apps/dashboard/app/(main)/insights/hooks/use-org-narrative.ts
+++ b/apps/dashboard/app/(main)/insights/hooks/use-org-narrative.ts
@@ -9,9 +9,7 @@ import {
 import type { TimeRange } from "../lib/time-range";
 
 export function useOrgNarrative(range: TimeRange) {
-	const { activeOrganization, activeOrganizationId } =
-		useOrganizationsContext();
-	const orgId = activeOrganization?.id ?? activeOrganizationId ?? undefined;
+	const { organizationId: orgId } = useOrganizationsContext();
 
 	return useQuery({
 		queryKey: [INSIGHT_QUERY_KEYS.orgNarrative, orgId, range],
diff --git a/apps/dashboard/app/(main)/links/_components/link-sheet.tsx b/apps/dashboard/app/(main)/links/_components/link-sheet.tsx
index c8263419f..0431ed20b 100644
--- a/apps/dashboard/app/(main)/links/_components/link-sheet.tsx
+++ b/apps/dashboard/app/(main)/links/_components/link-sheet.tsx
@@ -60,8 +60,7 @@ interface LinkSheetProps {
 
 function LinkSheetInner({ open, onOpenChange, link, onSave }: LinkSheetProps) {
 	const isEditing = !!link;
-	const { activeOrganization, activeOrganizationId } =
-		useOrganizationsContext();
+	const { organizationId } = useOrganizationsContext();
 
 	const createLinkMutation = useCreateLink();
 	const updateLinkMutation = useUpdateLink();
@@ -170,8 +169,7 @@ function LinkSheetInner({ open, onOpenChange, link, onSave }: LinkSheetProps) {
 	}, [targetUrlValue]);
 
 	const handleSubmit: SubmitHandler<LinkFormData> = async (formData) => {
-		const resolvedOrganizationId =
-			activeOrganization?.id ?? activeOrganizationId ?? null;
+		const resolvedOrganizationId = organizationId;
 
 		const payload = buildLinkPayload({
 			formData,
diff --git a/apps/dashboard/app/(main)/monitors/page.tsx b/apps/dashboard/app/(main)/monitors/page.tsx
index 7cbc29afb..367e2a785 100644
--- a/apps/dashboard/app/(main)/monitors/page.tsx
+++ b/apps/dashboard/app/(main)/monitors/page.tsx
@@ -46,10 +46,7 @@ export interface Monitor {
 export default function MonitorsPage() {
 	const { hasAccess, isLoading: isAccessLoading } =
 		useFeatureAccess("monitors");
-	const { activeOrganization, activeOrganizationId } =
-		useOrganizationsContext();
-	const organizationId =
-		activeOrganization?.id ?? activeOrganizationId ?? undefined;
+	const { organizationId } = useOrganizationsContext();
 	const [isSheetOpen, setIsSheetOpen] = useState(false);
 	const [showInviteDialog, setShowInviteDialog] = useState(false);
 	const [editingSchedule, setEditingSchedule] = useState<{
diff --git a/apps/dashboard/app/(main)/monitors/status-pages/[id]/_components/add-monitor-dialog.tsx b/apps/dashboard/app/(main)/monitors/status-pages/[id]/_components/add-monitor-dialog.tsx
index 528c50b7b..8476889e7 100644
--- a/apps/dashboard/app/(main)/monitors/status-pages/[id]/_components/add-monitor-dialog.tsx
+++ b/apps/dashboard/app/(main)/monitors/status-pages/[id]/_components/add-monitor-dialog.tsx
@@ -79,9 +79,8 @@ export function AddMonitorDialog({
 	onOpenChangeAction,
 	onCompleteAction,
 }: AddMonitorDialogProps) {
-	const { activeOrganizationId, activeOrganization } =
-		useOrganizationsContext();
-	const resolvedOrgId = activeOrganization?.id ?? activeOrganizationId ?? "";
+	const { organizationId } = useOrganizationsContext();
+	const resolvedOrgId = organizationId ?? "";
 
 	const [mode, setMode] = useState<Mode>("existing");
 	const [selectedScheduleId, setSelectedScheduleId] = useState("");
diff --git a/apps/dashboard/app/(main)/monitors/status-pages/page.tsx b/apps/dashboard/app/(main)/monitors/status-pages/page.tsx
index 11209d7e0..f0b6b0281 100644
--- a/apps/dashboard/app/(main)/monitors/status-pages/page.tsx
+++ b/apps/dashboard/app/(main)/monitors/status-pages/page.tsx
@@ -27,8 +27,7 @@ import { cn } from "@/lib/utils";
 export default function StatusPagesListPage() {
 	const { hasAccess, isLoading: isAccessLoading } =
 		useFeatureAccess("monitors");
-	const { activeOrganizationId, activeOrganization } =
-		useOrganizationsContext();
+	const { organizationId } = useOrganizationsContext();
 	const queryClient = useQueryClient();
 	const [isSheetOpen, setIsSheetOpen] = useState(false);
 	const [editingStatusPage, setEditingStatusPage] = useState<StatusPage | null>(
@@ -37,7 +36,7 @@ export default function StatusPagesListPage() {
 	const [statusPageToDelete, setStatusPageToDelete] =
 		useState<StatusPage | null>(null);
 
-	const resolvedOrgId = activeOrganization?.id ?? activeOrganizationId ?? "";
+	const resolvedOrgId = organizationId ?? "";
 
 	const statusPagesQuery = useQuery({
 		...orpc.statusPage.list.queryOptions({
diff --git a/apps/dashboard/app/(main)/onboarding/_components/step-create-website.tsx b/apps/dashboard/app/(main)/onboarding/_components/step-create-website.tsx
index 8a90bec8e..bc41fa053 100644
--- a/apps/dashboard/app/(main)/onboarding/_components/step-create-website.tsx
+++ b/apps/dashboard/app/(main)/onboarding/_components/step-create-website.tsx
@@ -42,10 +42,7 @@ interface StepCreateWebsiteProps {
 }
 
 export function StepCreateWebsite({ onComplete }: StepCreateWebsiteProps) {
-	const { activeOrganization, activeOrganizationId } =
-		useOrganizationsContext();
-	const organizationId =
-		activeOrganization?.id ?? activeOrganizationId ?? undefined;
+	const { organizationId } = useOrganizationsContext();
 	const createWebsiteMutation = useCreateWebsite();
 
 	const form = useForm<FormData>({
diff --git a/apps/dashboard/app/(main)/onboarding/_components/step-invite-team.tsx b/apps/dashboard/app/(main)/onboarding/_components/step-invite-team.tsx
index 1694d852f..30d13956c 100644
--- a/apps/dashboard/app/(main)/onboarding/_components/step-invite-team.tsx
+++ b/apps/dashboard/app/(main)/onboarding/_components/step-invite-team.tsx
@@ -44,11 +44,9 @@ interface SentInvite {
 }
 
 export function StepInviteTeam() {
-	const { activeOrganization, activeOrganizationId } =
-		useOrganizationsContext();
-	const organizationId = activeOrganization?.id ?? activeOrganizationId ?? "";
+	const { organizationId } = useOrganizationsContext();
 	const { inviteMember, isInviting } =
-		useOrganizationInvitations(organizationId);
+		useOrganizationInvitations(organizationId ?? "");
 	const [sentInvites, setSentInvites] = useState<SentInvite[]>([]);
 
 	const form = useForm<FormData>({
diff --git a/apps/dashboard/app/(main)/settings/notifications/_components/alarm-sheet.tsx b/apps/dashboard/app/(main)/settings/notifications/_components/alarm-sheet.tsx
index 0e87e702f..db3a76394 100644
--- a/apps/dashboard/app/(main)/settings/notifications/_components/alarm-sheet.tsx
+++ b/apps/dashboard/app/(main)/settings/notifications/_components/alarm-sheet.tsx
@@ -141,9 +141,7 @@ export function AlarmSheet({
 	alarm,
 }: AlarmSheetProps) {
 	const isEditing = !!alarm;
-	const { activeOrganization, activeOrganizationId } =
-		useOrganizationsContext();
-	const organizationId = activeOrganization?.id ?? activeOrganizationId ?? null;
+	const { organizationId } = useOrganizationsContext();
 	const queryClient = useQueryClient();
 
 	const { data: websites } = useQuery({
diff --git a/apps/dashboard/app/(main)/settings/notifications/page.tsx b/apps/dashboard/app/(main)/settings/notifications/page.tsx
index 58b1807e3..db4bb625a 100644
--- a/apps/dashboard/app/(main)/settings/notifications/page.tsx
+++ b/apps/dashboard/app/(main)/settings/notifications/page.tsx
@@ -102,10 +102,7 @@ function parseAlarms(rows: readonly Record<string, unknown>[]): Alarm[] {
 
 export default function NotificationsSettingsPage() {
 	const queryClient = useQueryClient();
-	const { activeOrganization, activeOrganizationId } =
-		useOrganizationsContext();
-	const organizationId =
-		activeOrganization?.id ?? activeOrganizationId ?? undefined;
+	const { organizationId } = useOrganizationsContext();
 	const [sheetOpen, setSheetOpen] = useState(false);
 	const [editingAlarm, setEditingAlarm] = useState<Alarm | null>(null);
 	const [deletingAlarm, setDeletingAlarm] = useState<Alarm | null>(null);
diff --git a/apps/dashboard/components/monitors/monitor-sheet.tsx b/apps/dashboard/components/monitors/monitor-sheet.tsx
index d5ccec315..26215b0ca 100644
--- a/apps/dashboard/components/monitors/monitor-sheet.tsx
+++ b/apps/dashboard/components/monitors/monitor-sheet.tsx
@@ -96,8 +96,7 @@ export function MonitorSheet({
 }: MonitorSheetProps) {
 	const isEditing = !!schedule;
 	const { data: website } = useWebsite(websiteId || "");
-	const { activeOrganization, activeOrganizationId } =
-		useOrganizationsContext();
+	const { organizationId } = useOrganizationsContext();
 	const [isAdvancedOpen, setIsAdvancedOpen] = useState(false);
 
 	const form = useForm<MonitorFormData>({
@@ -180,8 +179,7 @@ export function MonitorSheet({
 				});
 				toast.success("Monitor updated successfully");
 			} else {
-				const resolvedOrganizationId =
-					activeOrganization?.id ?? activeOrganizationId ?? null;
+				const resolvedOrganizationId = organizationId;
 				const result = await createMutation.mutateAsync({
 					...(resolvedOrganizationId
 						? { organizationId: resolvedOrganizationId }
diff --git a/apps/dashboard/components/providers/organizations-provider.tsx b/apps/dashboard/components/providers/organizations-provider.tsx
index a8ae5bfe0..f6f88c0d3 100644
--- a/apps/dashboard/components/providers/organizations-provider.tsx
+++ b/apps/dashboard/components/providers/organizations-provider.tsx
@@ -130,6 +130,7 @@ export function useOrganizationsContext() {
 		organizations,
 		activeOrganization,
 		activeOrganizationId,
+		organizationId: activeOrganizationId ?? undefined,
 		isLoading,
 		getOrganization: getOrganizationBySlug,
 	};
diff --git a/apps/dashboard/components/status-pages/status-page-sheet.tsx b/apps/dashboard/components/status-pages/status-page-sheet.tsx
index 365b2fc7f..3ba5e42cf 100644
--- a/apps/dashboard/components/status-pages/status-page-sheet.tsx
+++ b/apps/dashboard/components/status-pages/status-page-sheet.tsx
@@ -95,8 +95,7 @@ export function StatusPageSheet({
 	statusPage,
 }: StatusPageSheetProps) {
 	const isEditing = !!statusPage;
-	const { activeOrganizationId, activeOrganization } =
-		useOrganizationsContext();
+	const { organizationId } = useOrganizationsContext();
 
 	const form = useForm<StatusPageFormData>({
 		resolver: zodResolver(statusPageFormSchema),
@@ -132,8 +131,7 @@ export function StatusPageSheet({
 				});
 				toast.success("Status page updated successfully");
 			} else {
-				const resolvedOrganizationId =
-					activeOrganization?.id ?? activeOrganizationId ?? null;
+				const resolvedOrganizationId = organizationId;
 
 				if (!resolvedOrganizationId) {
 					toast.error("No active organization selected");
diff --git a/apps/dashboard/components/website-dialog.tsx b/apps/dashboard/components/website-dialog.tsx
index 543758341..84a12cd9e 100644
--- a/apps/dashboard/components/website-dialog.tsx
+++ b/apps/dashboard/components/website-dialog.tsx
@@ -70,10 +70,7 @@ export function WebsiteDialog({
 	onSave,
 }: WebsiteDialogProps) {
 	const isEditing = !!website;
-	const { activeOrganization, activeOrganizationId } =
-		useOrganizationsContext();
-	const organizationId =
-		activeOrganization?.id ?? activeOrganizationId ?? undefined;
+	const { organizationId } = useOrganizationsContext();
 
 	const createWebsiteMutation = useCreateWebsite();
 	const updateWebsiteMutation = useUpdateWebsite();
diff --git a/apps/dashboard/hooks/use-links.ts b/apps/dashboard/hooks/use-links.ts
index f86e7f8e6..6539ab25c 100644
--- a/apps/dashboard/hooks/use-links.ts
+++ b/apps/dashboard/hooks/use-links.ts
@@ -89,10 +89,7 @@ const removeLinkFromList = (
 };
 
 export function useLinks(options?: { enabled?: boolean }) {
-	const { activeOrganization, activeOrganizationId } =
-		useOrganizationsContext();
-	const organizationId =
-		activeOrganization?.id ?? activeOrganizationId ?? undefined;
+	const { organizationId } = useOrganizationsContext();
 
 	const query = useQuery({
 		...orpc.links.list.queryOptions({
@@ -229,10 +226,7 @@ export function useLinkStats(linkId: string, dateRange: DateRange) {
 
 export function useCreateLink() {
 	const queryClient = useQueryClient();
-	const { activeOrganization, activeOrganizationId } =
-		useOrganizationsContext();
-	const organizationId =
-		activeOrganization?.id ?? activeOrganizationId ?? undefined;
+	const { organizationId } = useOrganizationsContext();
 
 	return useMutation({
 		...orpc.links.create.mutationOptions(),
@@ -247,10 +241,7 @@ export function useCreateLink() {
 
 export function useUpdateLink() {
 	const queryClient = useQueryClient();
-	const { activeOrganization, activeOrganizationId } =
-		useOrganizationsContext();
-	const organizationId =
-		activeOrganization?.id ?? activeOrganizationId ?? undefined;
+	const { organizationId } = useOrganizationsContext();
 
 	return useMutation({
 		...orpc.links.update.mutationOptions(),
@@ -267,10 +258,7 @@ export function useUpdateLink() {
 
 export function useDeleteLink() {
 	const queryClient = useQueryClient();
-	const { activeOrganization, activeOrganizationId } =
-		useOrganizationsContext();
-	const organizationId =
-		activeOrganization?.id ?? activeOrganizationId ?? undefined;
+	const { organizationId } = useOrganizationsContext();
 
 	return useMutation({
 		...orpc.links.delete.mutationOptions(),
diff --git a/apps/dashboard/hooks/use-monitors.ts b/apps/dashboard/hooks/use-monitors.ts
index 315ea4d6a..9d2f7989e 100644
--- a/apps/dashboard/hooks/use-monitors.ts
+++ b/apps/dashboard/hooks/use-monitors.ts
@@ -5,10 +5,7 @@ import { useOrganizationsContext } from "@/components/providers/organizations-pr
 import { orpc } from "@/lib/orpc";
 
 export function useMonitorsLight(options?: { enabled?: boolean }) {
-	const { activeOrganization, activeOrganizationId } =
-		useOrganizationsContext();
-	const organizationId =
-		activeOrganization?.id ?? activeOrganizationId ?? undefined;
+	const { organizationId } = useOrganizationsContext();
 
 	const query = useQuery({
 		...orpc.uptime.listSchedules.queryOptions({
diff --git a/apps/dashboard/hooks/use-websites.ts b/apps/dashboard/hooks/use-websites.ts
index b3c7feb4a..053450ab2 100644
--- a/apps/dashboard/hooks/use-websites.ts
+++ b/apps/dashboard/hooks/use-websites.ts
@@ -87,10 +87,7 @@ const removeWebsiteFromList = (
 };
 
 export function useWebsites(options?: { enabled?: boolean }) {
-	const { activeOrganization, activeOrganizationId } =
-		useOrganizationsContext();
-	const organizationId =
-		activeOrganization?.id ?? activeOrganizationId ?? undefined;
+	const { organizationId } = useOrganizationsContext();
 
 	const query = useQuery({
 		...orpc.websites.listWithCharts.queryOptions({
@@ -111,10 +108,7 @@ export function useWebsites(options?: { enabled?: boolean }) {
 }
 
 export function useWebsitesLight(options?: { enabled?: boolean }) {
-	const { activeOrganization, activeOrganizationId } =
-		useOrganizationsContext();
-	const organizationId =
-		activeOrganization?.id ?? activeOrganizationId ?? undefined;
+	const { organizationId } = useOrganizationsContext();
 
 	const query = useQuery({
 		...orpc.websites.list.queryOptions({
@@ -144,10 +138,7 @@ export function useWebsite(id: string) {
 
 export function useCreateWebsite() {
 	const queryClient = useQueryClient();
-	const { activeOrganization, activeOrganizationId } =
-		useOrganizationsContext();
-	const organizationId =
-		activeOrganization?.id ?? activeOrganizationId ?? undefined;
+	const { organizationId } = useOrganizationsContext();
 
 	return useMutation({
 		...orpc.websites.create.mutationOptions(),
@@ -177,10 +168,7 @@ export const updateWebsiteCache = (
 
 export function useUpdateWebsite() {
 	const queryClient = useQueryClient();
-	const { activeOrganization, activeOrganizationId } =
-		useOrganizationsContext();
-	const organizationId =
-		activeOrganization?.id ?? activeOrganizationId ?? undefined;
+	const { organizationId } = useOrganizationsContext();
 	return useMutation({
 		...orpc.websites.update.mutationOptions(),
 		onSuccess: (data) => {
@@ -192,10 +180,7 @@ export function useUpdateWebsite() {
 
 export function useDeleteWebsite() {
 	const queryClient = useQueryClient();
-	const { activeOrganization, activeOrganizationId } =
-		useOrganizationsContext();
-	const organizationId =
-		activeOrganization?.id ?? activeOrganizationId ?? undefined;
+	const { organizationId } = useOrganizationsContext();
 
 	return useMutation({
 		...orpc.websites.delete.mutationOptions(),

From 9c69aadcc57a43f021ba7920bbce9d9b8b7736d2 Mon Sep 17 00:00:00 2001
From: JustinMissmahl <github@emeruslabs.com~>
Date: Sat, 11 Apr 2026 23:09:44 +0200
Subject: [PATCH 3/6] address
 https://github.com/databuddy-analytics/Databuddy/pull/409#discussion_r3068589824

---
 .../providers/organizations-provider.tsx      | 22 +++++++++++++++++--
 1 file changed, 20 insertions(+), 2 deletions(-)

diff --git a/apps/dashboard/components/providers/organizations-provider.tsx b/apps/dashboard/components/providers/organizations-provider.tsx
index f6f88c0d3..28870b2af 100644
--- a/apps/dashboard/components/providers/organizations-provider.tsx
+++ b/apps/dashboard/components/providers/organizations-provider.tsx
@@ -4,6 +4,7 @@ import { authClient, useSession } from "@databuddy/auth/client";
 import { useQuery, useQueryClient } from "@tanstack/react-query";
 import { useAtom, useAtomValue, useSetAtom } from "jotai";
 import { type ReactNode, useEffect, useMemo, useRef } from "react";
+import { toast } from "sonner";
 import {
 	activeOrganizationAtom,
 	getOrganizationBySlugAtom,
@@ -26,6 +27,7 @@ export function OrganizationsProvider({ children }: { children: ReactNode }) {
 	const setActiveOrganization = useSetAtom(activeOrganizationAtom);
 	const setIsLoading = useSetAtom(isLoadingOrganizationsAtom);
 	const hasSyncedInitialOrganization = useRef(false);
+	const hasShownInitialOrganizationSyncError = useRef(false);
 
 	const { data: session, isPending: isLoadingSession } = useSession();
 
@@ -87,7 +89,13 @@ export function OrganizationsProvider({ children }: { children: ReactNode }) {
 			.setActive({
 				organizationId: fallbackOrganizationId,
 			})
-			.then(() => {
+			.then(({ error }) => {
+				if (error) {
+					throw new Error(
+						error.message || "Failed to set initial active organization"
+					);
+				}
+				hasShownInitialOrganizationSyncError.current = false;
 				queryClient.invalidateQueries({
 					queryKey: AUTH_QUERY_KEYS.activeOrganization,
 				});
@@ -95,8 +103,18 @@ export function OrganizationsProvider({ children }: { children: ReactNode }) {
 					queryKey: AUTH_QUERY_KEYS.organizations,
 				});
 			})
-			.catch(() => {
+			.catch((error) => {
 				hasSyncedInitialOrganization.current = false;
+				console.error(
+					"[OrganizationsProvider] Failed to sync initial active organization:",
+					error
+				);
+				if (!hasShownInitialOrganizationSyncError.current) {
+					hasShownInitialOrganizationSyncError.current = true;
+					toast.error(
+						"Couldn't set your active workspace automatically. Please select it manually."
+					);
+				}
 			});
 	}, [
 		isLoadingOrgs,

From 6d702a000ceec0aa47e474327d539a8d52956e0d Mon Sep 17 00:00:00 2001
From: JustinMissmahl <github@emeruslabs.com~>
Date: Sat, 11 Apr 2026 23:11:23 +0200
Subject: [PATCH 4/6] address
 https://github.com/databuddy-analytics/Databuddy/pull/409#discussion_r3068599857

---
 packages/auth/src/auth.ts | 14 ++++++++++----
 1 file changed, 10 insertions(+), 4 deletions(-)

diff --git a/packages/auth/src/auth.ts b/packages/auth/src/auth.ts
index 4d4a7f163..c46e62d5c 100644
--- a/packages/auth/src/auth.ts
+++ b/packages/auth/src/auth.ts
@@ -91,13 +91,17 @@ function shouldUseSecureCookies(): boolean {
 	return !(isLocalhost && appOrigin.protocol === "http:");
 }
 
-function normalizeOrigin(value: string): string {
+function normalizeOrigin(value: string): string | null {
 	const trimmed = value.trim().replace(TRAILING_SLASHES_REGEX, "");
 
+	if (!trimmed) {
+		return null;
+	}
+
 	try {
 		return new URL(trimmed).origin;
 	} catch {
-		return trimmed;
+		return null;
 	}
 }
 
@@ -112,13 +116,15 @@ function getTrustedOrigins(): string[] {
 		isProduction() ? undefined : "http://localhost:3001",
 	]
 		.filter((value): value is string => Boolean(value))
-		.map(normalizeOrigin);
+		.map(normalizeOrigin)
+		.filter((origin): origin is string => Boolean(origin));
 
 	const extraOrigins = (process.env.AUTH_TRUSTED_ORIGINS ?? "")
 		.split(",")
 		.map((origin) => origin.trim())
 		.filter(Boolean)
-		.map(normalizeOrigin);
+		.map(normalizeOrigin)
+		.filter((origin): origin is string => Boolean(origin));
 
 	return [...new Set([...defaults, ...extraOrigins])];
 }

From c16dd5cd619618ec97f891a1f5bbf079937486b9 Mon Sep 17 00:00:00 2001
From: JustinMissmahl <github@emeruslabs.com~>
Date: Sat, 11 Apr 2026 23:12:19 +0200
Subject: [PATCH 5/6] help for
 https://github.com/databuddy-analytics/Databuddy/pull/409#discussion_r3068599831

---
 .env.selfhost.example | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/.env.selfhost.example b/.env.selfhost.example
index 457e39f5f..7b953b567 100644
--- a/.env.selfhost.example
+++ b/.env.selfhost.example
@@ -42,3 +42,5 @@ AI_API_KEY=placeholder
 LINKS_ROOT_REDIRECT_URL=http://localhost:3100
 IMAGE_TAG=edge
 NODE_ENV=production
+
+NEXT_PUBLIC_DATABUDDY_CLIENT_ID=placeholder
\ No newline at end of file

From 2d35d8af1c152fba6ed3d6ea7815d66499dcb4d3 Mon Sep 17 00:00:00 2001
From: JustinMissmahl <github@emeruslabs.com~>
Date: Sat, 11 Apr 2026 23:24:15 +0200
Subject: [PATCH 6/6] better CLIENT_APP_ALLOWED_ORIGINS handling with new
 PUBLIC_API_CORS_MODE env var

---
 .env.selfhost.example               | 4 +++-
 apps/api/src/lib/cors-origins.ts    | 6 ++++++
 apps/api/src/routes/public/index.ts | 4 ++--
 packages/env/src/api.ts             | 1 +
 4 files changed, 12 insertions(+), 3 deletions(-)

diff --git a/.env.selfhost.example b/.env.selfhost.example
index 7b953b567..0ee42e62f 100644
--- a/.env.selfhost.example
+++ b/.env.selfhost.example
@@ -43,4 +43,6 @@ LINKS_ROOT_REDIRECT_URL=http://localhost:3100
 IMAGE_TAG=edge
 NODE_ENV=production
 
-NEXT_PUBLIC_DATABUDDY_CLIENT_ID=placeholder
\ No newline at end of file
+NEXT_PUBLIC_DATABUDDY_CLIENT_ID=placeholder
+
+PUBLIC_API_CORS_MODE=restricted
\ No newline at end of file
diff --git a/apps/api/src/lib/cors-origins.ts b/apps/api/src/lib/cors-origins.ts
index 89415f17b..b1c683ee4 100644
--- a/apps/api/src/lib/cors-origins.ts
+++ b/apps/api/src/lib/cors-origins.ts
@@ -37,3 +37,9 @@ export function getAllowedCorsOrigins(): Array<string | RegExp> {
 		...new Set([...defaults, ...authTrustedOrigins, ...extraOrigins]),
 	];
 }
+
+export function getPublicCorsOrigins(): true | Array<string | RegExp> {
+	return process.env.PUBLIC_API_CORS_MODE === "restricted"
+		? getAllowedCorsOrigins()
+		: true;
+}
diff --git a/apps/api/src/routes/public/index.ts b/apps/api/src/routes/public/index.ts
index 795d72fde..d63cc6af2 100644
--- a/apps/api/src/routes/public/index.ts
+++ b/apps/api/src/routes/public/index.ts
@@ -2,7 +2,7 @@ import cors from "@elysiajs/cors";
 import { serverTiming } from "@elysiajs/server-timing";
 import { Elysia } from "elysia";
 import { parseError } from "evlog";
-import { getAllowedCorsOrigins } from "@/lib/cors-origins";
+import { getPublicCorsOrigins } from "@/lib/cors-origins";
 import { captureError, mergeWideEvent } from "@/lib/tracing";
 import { agentTelemetryRoute } from "./agent-telemetry";
 import { flagsRoute } from "./flags";
@@ -23,7 +23,7 @@ export const publicApi = new Elysia({ prefix: "/public" })
 	.use(
 		cors({
 			credentials: false,
-			origin: getAllowedCorsOrigins(),
+			origin: getPublicCorsOrigins(),
 		})
 	)
 	.options("*", () => new Response(null, { status: 204 }))
diff --git a/packages/env/src/api.ts b/packages/env/src/api.ts
index fe7620355..2e86926d2 100644
--- a/packages/env/src/api.ts
+++ b/packages/env/src/api.ts
@@ -13,6 +13,7 @@ const apiEnvSchema = z.object({
 	...commonEnvSchema,
 	...authEnvSchema,
 	AI_API_KEY: z.string(),
+	PUBLIC_API_CORS_MODE: z.enum(["any", "restricted"]).default("any"),
 	PORT: z.string().default("3001"),
 	CLICKHOUSE_URL: z.string(),
 	CLICKHOUSE_USER: z.string().default("default"),