diff --git a/services/mana-core-auth/src/auth/services/better-auth.service.ts b/services/mana-core-auth/src/auth/services/better-auth.service.ts
index 322ca0051..cc5b94fc5 100644
--- a/services/mana-core-auth/src/auth/services/better-auth.service.ts
+++ b/services/mana-core-auth/src/auth/services/better-auth.service.ts
@@ -856,9 +856,10 @@ export class BetterAuthService {
 // Create JWKS fetcher
 const JWKS = createRemoteJWKSet(jwksUrl);
- // Get issuer/audience from config (Better Auth uses BASE_URL by default)
- const issuer = this.configService.get('jwt.issuer') || baseUrl;
- const audience = this.configService.get('jwt.audience') || baseUrl;
+ // IMPORTANT: Match Better Auth signing config exactly (better-auth.config.ts)
+ // Signing uses: issuer = BASE_URL, audience = JWT_AUDIENCE || 'manacore'
+ const issuer = baseUrl; // Better Auth uses BASE_URL as issuer for OIDC compatibility
+ const audience = this.configService.get('jwt.audience') || 'manacore';
 // Verify using jose library with Better Auth's JWKS
 const { payload } = await jwtVerify(token, JWKS, {
diff --git a/services/mana-core-auth/src/common/guards/jwt-auth.guard.ts b/services/mana-core-auth/src/common/guards/jwt-auth.guard.ts
index 70a69c268..ad7e458e8 100644
--- a/services/mana-core-auth/src/common/guards/jwt-auth.guard.ts
+++ b/services/mana-core-auth/src/common/guards/jwt-auth.guard.ts
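Review bot: The `jwt.issuer` config key is no longer read on the added `const issuer = baseUrl;` line, so an operator who still sets it gets no effect and no warning; if that key remains in the config schema or `.env` templates, either remove it or fail at startup when it is set to something other than BASE_URL, e.g. `if (this.configService.get('jwt.issuer') && this.configService.get('jwt.issuer') !== baseUrl) throw new Error('jwt.issuer must equal BASE_URL (Better Auth signs with BASE_URL as iss)');`. The same `'manacore'` literal and the "issuer = BASE_URL" rule are now restated by hand in three verifiers plus the signing config the comment points to, which is exactly the kind of drift this commit is repairing; exporting the resolved issuer/audience pair from better-auth.config.ts and importing it here would make signer and verifier unable to disagree. `baseUrl` and the enclosing method are defined outside this hunk, and the `jwtVerify` options object continues past it, so whether `algorithms` is pinned there cannot be confirmed from here.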
@@ -42,7 +42,10 @@ export class JwtAuthGuard implements CanActivate {
 this.jwks = createRemoteJWKSet(jwksUrl);
 }
- const issuer = this.configService.get('jwt.issuer') || 'manacore';
+ // IMPORTANT: Match Better Auth signing config exactly (better-auth.config.ts)
+ // Signing uses: issuer = BASE_URL, audience = JWT_AUDIENCE || 'manacore'
+ const baseUrl = this.configService.get('BASE_URL') || 'http://localhost:3001';
+ const issuer = baseUrl; // Better Auth uses BASE_URL as issuer for OIDC compatibility
 const audience = this.configService.get('jwt.audience') || 'manacore';
 const { payload } = await jwtVerify(token, this.jwks, {
diff --git a/services/mana-core-auth/src/common/guards/optional-auth.guard.ts b/services/mana-core-auth/src/common/guards/optional-auth.guard.ts
index 6f8884b6b..4b557f647 100644
--- a/services/mana-core-auth/src/common/guards/optional-auth.guard.ts
+++ b/services/mana-core-auth/src/common/guards/optional-auth.guard.ts
@@ -33,7 +33,10 @@ export class OptionalAuthGuard implements CanActivate {
 this.jwks = createRemoteJWKSet(jwksUrl);
 }
- const issuer = this.configService.get('jwt.issuer') || 'manacore';
+ // IMPORTANT: Match Better Auth signing config exactly (better-auth.config.ts)
+ // Signing uses: issuer = BASE_URL, audience = JWT_AUDIENCE || 'manacore'
+ const baseUrl = this.configService.get('BASE_URL') || 'http://localhost:3001';
+ const issuer = baseUrl; // Better Auth uses BASE_URL as issuer for OIDC compatibility
 const audience = this.configService.get('jwt.audience') || 'manacore';
 const { payload } = await jwtVerify(token, this.jwks, {
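Review bot: The added `const baseUrl = this.configService.get('BASE_URL') || 'http://localhost:3001';` makes a missing BASE_URL in a deployed environment silently turn the expected `iss` into `http://localhost:3001`; if the signing side falls back the same way, tokens carrying a localhost issuer would then verify in production, and if it does not, every request fails with an opaque issuer mismatch instead of a clear configuration error. An authentication guard should refuse to start rather than guess: `const baseUrl = this.configService.get<string>('BASE_URL');` followed by `if (!baseUrl) throw new Error('BASE_URL must be set; JWT issuer verification has no safe default');`. Since this lookup sits next to the lazily initialised `this.jwks`, it presumably runs on every request; resolving the issuer and audience once in the constructor would also keep them from changing underneath in-flight verification. The enclosing method begins before this hunk and the `jwtVerify` options object continues after it.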
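Review bot: The four added lines in optional-auth.guard.ts are a verbatim copy of the block added to jwt-auth.guard.ts in the same commit, including the `'http://localhost:3001'` fallback and the `'manacore'` default, so the two guards and the service now carry three hand-synchronised copies of the signer's issuer/audience rule that this very commit shows can drift apart. A single exported helper, for instance `export const betterAuthVerifyOptions = (config: ConfigService) => ({ issuer: requireBaseUrl(config), audience: config.get('jwt.audience') || 'manacore' });`, used by both guards and the service, would leave one place to keep in step with better-auth.config.ts. As in the jwt-auth.guard hunk, the localhost fallback should be replaced by a hard failure when BASE_URL is unset, since an optional guard that accepts a default-issuer token still attaches an identity to the request. The enclosing method begins before this hunk and the `jwtVerify` options object continues after it.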