diff --git a/deployments/ai-stack/.env.example b/deployments/ai-stack/.env.example index 0f12c4e..54b8f28 100644 --- a/deployments/ai-stack/.env.example +++ b/deployments/ai-stack/.env.example @@ -1,6 +1,14 @@ # Copy to .env and fill in. docker compose picks .env up automatically. # Never commit the populated .env — it's in .gitignore at repo root. +# Public URL Open WebUI is reached at, with scheme. Used for auth redirects +# and email-link generation. +WEBUI_URL=https://chat.example.com + +# Bare hostname (no scheme) for the same Open WebUI host. Used as the cookie +# domain by the Anubis sidecar so its session cookie scopes correctly. +LLM_URL=chat.example.com + # Cookie-signing key for Open WebUI sessions. Generate once with: # openssl rand -hex 32 # Must stay stable across restarts — rotating it logs every user out. diff --git a/deployments/ai-stack/README.md b/deployments/ai-stack/README.md index 7228309..73a69bd 100644 --- a/deployments/ai-stack/README.md +++ b/deployments/ai-stack/README.md @@ -44,9 +44,13 @@ cp .env.example .env Then edit: -- **`.env`** — fill in `WEBUI_SECRET_KEY` and (if using Anubis) `ANUBIS_OWUI_KEY`. - Optionally pin `COMFYUI_IMAGE_TAG` to a specific `v*` release instead of - `latest`. +- **`.env`** — fill in: + - `WEBUI_URL` (full URL with scheme) and `LLM_URL` (bare hostname). Both + point at the same Open WebUI host; Open WebUI wants the URL form for + auth redirects, Anubis wants the bare hostname for its cookie domain. + - `WEBUI_SECRET_KEY` and (if using Anubis) `ANUBIS_OWUI_KEY` — + `openssl rand -hex 32` for each. + - Optionally pin `COMFYUI_IMAGE_TAG` to a specific `v*` release. - **`Caddyfile`** — replace the `chat.example.com` and `comfyui.example.com` hostnames with yours; replace `REPLACE_WITH_BCRYPT_HASH` with a real bcrypt hash: 
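Review bot: In `.env.example`, `LLM_URL` is named like a URL but must hold a bare hostname, and it sits right below `WEBUI_URL`, which must carry the scheme; an operator who pastes the same value into both ends up with a scheme-prefixed string as the Anubis cookie domain. The comment should state the constraint and the coupling outright, for example `# Hostname only: no scheme, port or path. Must be the same host as WEBUI_URL.` It is also worth adding `# Use the exact host, not a parent domain, so the cookie is not sent to sibling hosts.`, since the README's Caddyfile step shows a second host (`comfyui.example.com`) under the same parent domain. A name that describes the value as a cookie domain would remove the ambiguity, but it would need the matching change in `docker-compose.yml`.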
@@ -57,8 +61,6 @@ Then edit: - **`init-models.sh`** — keep the LLMs you want preseeded, drop the rest. Check sizes at first; the host needs disk for everything listed. -- **`docker-compose.yml`** — update `WEBUI_URL` and `COOKIE_DOMAIN` to - match the hostnames you set in the Caddyfile. ## 3. Bring it up diff --git a/deployments/ai-stack/docker-compose.yml b/deployments/ai-stack/docker-compose.yml index fecc3f7..66c63c3 100644 --- a/deployments/ai-stack/docker-compose.yml +++ b/deployments/ai-stack/docker-compose.yml @@ -142,7 +142,7 @@ services: WEBUI_AUTH: "true" ENABLE_SIGNUP: "false" DEFAULT_USER_ROLE: "pending" - WEBUI_URL: "https://chat.example.com" + WEBUI_URL: "${WEBUI_URL}" WEBUI_SECRET_KEY: "${WEBUI_SECRET_KEY}" OLLAMA_BASE_URL: "http://ollama:11434" ENABLE_IMAGE_GENERATION: "true" @@ -182,6 +182,6 @@ services: BIND: ":8923" TARGET: "http://open-webui:8080" DIFFICULTY: "4" # SHA-256 leading zeros; 4 = ~1s client work - COOKIE_DOMAIN: "chat.example.com" + COOKIE_DOMAIN: "${LLM_URL}" METRICS_BIND: ":9090" ED25519_PRIVATE_KEY_HEX: "${ANUBIS_OWUI_KEY}"
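Review bot: `WEBUI_URL: "${WEBUI_URL}"` in the open-webui environment, and `COOKIE_DOMAIN: "${LLM_URL}"` in the Anubis hunk after it, interpolate to an empty string when the variable is missing from `.env`; Compose prints a warning and starts the stack anyway. A `.env` that predates this commit, or one where only the two keys were filled in, would then presumably run with no auth-redirect base URL and no cookie domain, with no error to point at the cause. The required-variable form fails at `docker compose up` instead: `WEBUI_URL: "${WEBUI_URL:?set WEBUI_URL in .env}"` and `COOKIE_DOMAIN: "${LLM_URL:?set LLM_URL in .env}"`. Both service definitions begin and end outside these hunks, so other uses of the hostname there are not visible from here.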