diff --git a/server.py b/server.py
index 850641e..ea79e53 100644
--- a/server.py
+++ b/server.py
@@ -3839,7 +3839,34 @@ def render_ui_html(actor_id: Optional[str] = None, tab: str = "runs") -> str:
 # Auth - L1 doesn't handle login (user logs in at their L2 server)
-# Shared cookie authenticates across L1 and L2
+# Token can be passed via URL from L2 redirect, then L1 sets its own cookie
+
+@app.get("/auth")
+async def auth_callback(auth_token: str = None):
+    """
+    Receive auth token from L2 redirect and set local cookie.
+    This enables cross-subdomain auth on iOS Safari which blocks shared cookies.
+    """
+    if not auth_token:
+        return RedirectResponse(url="/", status_code=302)
+
+    # Verify the token is valid
+    ctx = await get_verified_user_context(auth_token)
+    if not ctx:
+        return RedirectResponse(url="/", status_code=302)
+
+    # Set local first-party cookie and redirect to home
+    response = RedirectResponse(url="/runs", status_code=302)
+    response.set_cookie(
+        key="auth_token",
+        value=auth_token,
+        httponly=True,
+        max_age=60 * 60 * 24 * 30,  # 30 days
+        samesite="lax",
+        secure=True
+    )
+    return response
+
 @app.get("/logout")
 async def logout():
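Review bot: The new `/auth` route receives the session token itself as a query-string parameter, so the same value that is then stored as the `auth_token` cookie is written to L1's access logs (and any proxy in front of it), kept in browser history, and can escape via the Referer header of whatever the `/runs` redirect target loads; the redirect only hides it from the address bar after the fact. Prefer having L2 hand over a short-lived, single-use exchange code that `auth_callback` swaps for the token server-side, which also ties the sign-in to the browser that started the flow — as written, any valid token presented in the URL is accepted with no state or origin binding. `max_age=60 * 60 * 24 * 30` gives the cookie a 30-day life independent of whatever expiry or revocation `get_verified_user_context` enforces on the token; if the token can lapse sooner, say so in the docstring, e.g. `Note: the cookie lifetime is fixed at 30 days and is not tied to the token's own validity.` The signature should read `async def auth_callback(auth_token: Optional[str] = None):`, since `Optional` is already imported (see the hunk header). The hunk's trailing context after `async def logout():` is cut off in this view.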