diff --git a/cloudflared-config.yml b/cloudflared-config.yml
index b3b394a17..9449c959e 100644
--- a/cloudflared-config.yml
+++ b/cloudflared-config.yml
@@ -152,6 +152,8 @@ ingress:
 service: http://localhost:3065
 - hostname: research.mana.how
 service: http://localhost:3068
+ - hostname: cards-api.mana.how
+ service: http://localhost:3072
 - hostname: feedback.mana.how
 service: http://localhost:3064
diff --git a/docker-compose.macmini.yml b/docker-compose.macmini.yml
index 5b48b0124..5a4680b3f 100644
--- a/docker-compose.macmini.yml
+++ b/docker-compose.macmini.yml
@@ -250,7 +250,7 @@ services:
 # Enforced by services/mana-auth/src/auth/sso-config.spec.ts.
 # All productivity modules now live under mana.how (path-based) —
 # no per-module subdomain entries required here.
- CORS_ORIGINS: https://mana.how,https://auth.mana.how,https://cards.mana.how
+ CORS_ORIGINS: https://mana.how,https://auth.mana.how,https://whopxl.mana.how,https://cards.mana.how,https://cards-api.mana.how
 ports:
 - "3001:3001"
 healthcheck:
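Review bot: The new `cards-api.mana.how` ingress rule in cloudflared-config.yml forwards every path served on port 3072 to the public internet, including `/health` and any service-to-service routes cards-server may expose. Whether such internal routes exist is not visible in this diff, so this is something to confirm rather than a known exposure. If only part of the API is meant to be public, add a `path:` regex to the rule; either way a comment such as `# public: everything cards-server serves on 3072 is internet-reachable` would make the exposure explicit to the next editor.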
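Review bot: `https://cards-api.mana.how` is added to mana-auth's `CORS_ORIGINS` in docker-compose.macmini.yml although cards-server is a backend that reaches auth over `http://mana-auth:3001`, where CORS does not apply. Listing it means any page served from that host is an origin the auth service accepts cross-origin requests from, which matters if the marketplace backend ever returns user-supplied HTML. The same entry is added to `PRODUCTION_TRUSTED_ORIGINS` in services/mana-auth/src/auth/sso-origins.ts, so the point applies to that hunk too. Unless cards-api serves browser pages that call auth directly (not visible here), drop it from both lists, or record the reason next to the value with a comment like `# cards-api listed because <reason>`.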
@@ -350,6 +350,46 @@ services:
 - "traefik.http.routers.mana-credits.tls=true"
 - "traefik.http.services.mana-credits.loadbalancer.server.port=3002"
+ cards-server:
+ # Cards-Marketplace + Community backend. See
+ # apps/cards/docs/MARKETPLACE_PLAN.md for the full design.
+ build:
+ context: .
+ dockerfile: services/cards-server/Dockerfile
+ image: cards-server:local
+ container_name: mana-app-cards-server
+ restart: always
+ mem_limit: 128m
+ depends_on:
+ postgres:
+ condition: service_healthy
+ mana-auth:
+ condition: service_healthy
+ environment:
+ NODE_ENV: production
+ PORT: 3072
+ DATABASE_URL: postgresql://postgres:${POSTGRES_PASSWORD:-mana123}@postgres:5432/mana_platform
+ MANA_AUTH_URL: http://mana-auth:3001
+ MANA_CREDITS_URL: http://mana-credits:3002
+ MANA_LLM_URL: http://mana-llm:3025
+ MANA_MEDIA_URL: http://mana-media:3015
+ MANA_NOTIFY_URL: http://mana-notify:3040
+ MANA_SERVICE_KEY: ${MANA_SERVICE_KEY}
+ CORS_ORIGINS: https://cards.mana.how,https://mana.how
+ AUTHOR_PAYOUT_STANDARD_BPS: 8000
+ AUTHOR_PAYOUT_VERIFIED_BPS: 9000
+ COMMUNITY_VERIFY_STARS: 500
+ COMMUNITY_VERIFY_FEATURED: 3
+ COMMUNITY_VERIFY_SUBSCRIBERS: 200
+ ports:
+ - "3072:3072"
+ healthcheck:
+ test: ["CMD", "bun", "-e", "fetch('http://127.0.0.1:3072/health').then(r=>process.exit(r.ok?0:1)).catch(()=>process.exit(1))"]
+ interval: 120s
+ timeout: 10s
+ retries: 3
+ start_period: 15s
+
 mana-research:
 build:
 context: .
diff --git a/services/cards-server/Dockerfile b/services/cards-server/Dockerfile
new file mode 100644
index 000000000..bf217c6a8
--- /dev/null
+++ b/services/cards-server/Dockerfile
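Review bot: `DATABASE_URL` in the new cards-server service falls back to the literal password `mana123` when `POSTGRES_PASSWORD` is unset, and `MANA_SERVICE_KEY` silently becomes empty when it is unset, so a misconfigured host starts with a known database password and a blank service key while `NODE_ENV` is `production`. Compose can fail fast instead: `${POSTGRES_PASSWORD:?POSTGRES_PASSWORD must be set}` inside the URL and `MANA_SERVICE_KEY: ${MANA_SERVICE_KEY:?MANA_SERVICE_KEY must be set}`. The URL also connects as the `postgres` superuser; a role limited to what cards-server needs would narrow what a compromise of this internet-facing service can reach. Since cloudflared reaches the container through localhost, `- "127.0.0.1:3072:3072"` would keep the port off the host's other interfaces.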
@@ -0,0 +1,40 @@
+# Install stage: use node + pnpm to resolve workspace dependencies.
+# Cards-server is bun-runtime, but pnpm is the only sane way to do
+# workspace deps with @mana/shared-hono symlinks.
+FROM node:22-alpine AS installer
+
+RUN corepack enable && corepack prepare pnpm@9.15.0 --activate
+
+WORKDIR /app
+
+COPY package.json pnpm-lock.yaml pnpm-workspace.yaml ./
+COPY services/cards-server/package.json ./services/cards-server/
+COPY packages/shared-hono ./packages/shared-hono
+COPY packages/shared-logger ./packages/shared-logger
+COPY packages/shared-types ./packages/shared-types
+
+# Workspace name is `@mana/cards-server`; the trailing `...` includes
+# its workspace dependencies.
+RUN pnpm install --filter @mana/cards-server... --no-frozen-lockfile --ignore-scripts
+
+# Runtime stage: bun
+FROM oven/bun:1 AS production
+
+WORKDIR /app
+
+COPY --from=installer /app/node_modules ./node_modules
+COPY --from=installer /app/services/cards-server/node_modules ./services/cards-server/node_modules
+COPY --from=installer /app/packages ./packages
+
+COPY services/cards-server/package.json ./services/cards-server/
+COPY services/cards-server/src ./services/cards-server/src
+COPY services/cards-server/tsconfig.json services/cards-server/drizzle.config.ts ./services/cards-server/
+
+WORKDIR /app/services/cards-server
+
+EXPOSE 3072
+
+HEALTHCHECK --interval=30s --timeout=10s --start-period=10s --retries=3 \
+ CMD bun -e "fetch('http://localhost:3072/health').then(r => process.exit(r.ok ? 0 : 1)).catch(() => process.exit(1))"
+
+CMD ["bun", "run", "src/index.ts"]
diff --git a/services/mana-auth/src/auth/sso-origins.ts b/services/mana-auth/src/auth/sso-origins.ts
index fb5bf9d4d..adf5c88d7 100644
--- a/services/mana-auth/src/auth/sso-origins.ts
+++ b/services/mana-auth/src/auth/sso-origins.ts
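Review bot: `--no-frozen-lockfile` in the installer stage of services/cards-server/Dockerfile lets pnpm resolve versions that differ from the committed `pnpm-lock.yaml`, so the image can ship dependencies nobody reviewed and two builds of the same commit can differ. Prefer `RUN pnpm install --filter @mana/cards-server... --frozen-lockfile --ignore-scripts`; if that fails because only part of the workspace is copied, that is better fixed in the COPY steps than by relaxing the lockfile. The production stage also never drops privileges, so the server runs as root; a `USER bun` line before the final `CMD` would use the unprivileged account the oven/bun image provides. Pinning `node:22-alpine` and `oven/bun:1` by digest would make the base layers reproducible as well.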
@@ -26,6 +26,7 @@ export const PRODUCTION_TRUSTED_ORIGINS = [
 // Separate apps (not part of the unified app)
 'https://whopxl.mana.how', // Games
 'https://cards.mana.how', // Cards spaced-repetition spinoff (own SvelteKit container, not the unified app)
+ 'https://cards-api.mana.how', // Cards marketplace + community backend (cards-server)
 ] as const;
 /** Local dev origins — web dev server + the auth server itself. */