diff --git a/.env.example b/.env.example
index 6ce8d97..60c3c73 100644
--- a/.env.example
+++ b/.env.example
@@ -1,7 +1,7 @@
 AUTH_DB_PATH=~/.nanobot/auth_service.sqlite3
 AUTH_JWT_SECRET=change-this-secret
 AUTH_TOKEN_TTL_HOURS=24
-AUTH_CORS_ORIGINS=*
+AUTH_CORS_ORIGINS=http://127.0.0.1:5173,http://localhost:5173,http://47.122.113.65:5173
 AUTH_VERIFICATION_CODES=code-a,code-b
 AUTH_ADMIN_KEY=change-this-admin-key
 AUTH_HOST=0.0.0.0
diff --git a/app/main.py b/app/main.py
index 7106a75..f88681d 100644
--- a/app/main.py
+++ b/app/main.py
@@ -35,6 +35,16 @@ AUTH_VERIFICATION_CODES = {
 AUTH_ADMIN_KEY = os.getenv("AUTH_ADMIN_KEY", "")
 
 
+def _parse_cors_origins(raw: str) -> tuple[bool, list[str]]:
+    value = str(raw or "").strip()
+    if not value:
+        return True, ["*"]
+    items = [o.strip() for o in value.split(",") if o.strip()]
+    if not items or "*" in items:
+        return True, ["*"]
+    return False, items
+
+
 def _ensure_db(path_str: str) -> Path:
     path = Path(path_str).expanduser()
     path.parent.mkdir(parents=True, exist_ok=True)
@@ -268,11 +278,12 @@ def _reject_request_with_conn(conn: sqlite3.Connection, request_id: int, note: s
 app = FastAPI(title="nanobot-auth-service", version="0.1.0")
 
-origins = ["*"] if AUTH_CORS_ORIGINS.strip() == "*" else [o.strip() for o in AUTH_CORS_ORIGINS.split(",") if o.strip()]
+allow_all_origins, origins = _parse_cors_origins(AUTH_CORS_ORIGINS)
 
 app.add_middleware(
     CORSMiddleware,
     allow_origins=origins,
-    allow_credentials=True,
+    # Browsers reject credentialed CORS with wildcard origin.
+    allow_credentials=not allow_all_origins,
     allow_methods=["*"],
     allow_headers=["*"],
 )
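Review bot: The new `AUTH_CORS_ORIGINS` line in `.env.example` commits a concrete public address (`http://47.122.113.65:5173`) into a template that every deployment copies, so anyone who starts from the example will allow that third-party origin to make credentialed requests against their own instance, and the repo now records a deployment-specific host. Keep the example to the two loopback dev origins and a placeholder, e.g. `AUTH_CORS_ORIGINS=http://127.0.0.1:5173,http://localhost:5173,https://<your-frontend-host>`, and put real hosts in the untracked `.env`.

Review bot: `_parse_cors_origins` fails open: a non-empty but content-free value such as `",,"` hits `if not items or "*" in items` and returns the wildcard, and an unset/empty variable does the same, so a typo in a production `.env` silently widens CORS to every origin with no visible signal. For an auth service the safer default for "nothing usable was configured" is to allow no cross-origin callers (`return False, []`) or to raise at import time, reserving the wildcard for an explicit `*`; at minimum log which mode was chosen. The function also lacks a docstring — a short one stating that it returns `(allow_all, origins)`, that an explicit `*` anywhere in the list selects allow-all, and what empty input maps to would make the fail-open/closed decision reviewable. Entries are not validated as origins (no scheme check, trailing slashes kept), so a value like `http://localhost:5173/` will presumably never match the browser's `Origin` header — worth confirming against the middleware's exact-match behaviour.

Review bot: Disabling credentials whenever the wildcard is in effect is a silent behaviour change for any deployment that still has `AUTH_CORS_ORIGINS=*` (or unset) and relies on cookies or `Authorization` being accepted cross-origin; those clients will now fail preflight with nothing in the logs explaining why. Emit one startup line right after `allow_all_origins, origins = _parse_cors_origins(AUTH_CORS_ORIGINS)`, e.g. `logging.getLogger(__name__).warning("CORS: allow_all=%s origins=%s credentials=%s", allow_all_origins, origins, not allow_all_origins)`, so the effective policy is visible in the service log. `allow_methods=["*"]` and `allow_headers=["*"]` are unchanged and still maximally permissive; if the API only needs a few methods, narrowing them is a cheap follow-up.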