diff --git a/docker-compose.macmini.yml b/docker-compose.macmini.yml
index f5b83e469..09aac5bdb 100644
--- a/docker-compose.macmini.yml
+++ b/docker-compose.macmini.yml
@@ -250,7 +250,7 @@ services:
       # Enforced by services/mana-auth/src/auth/sso-config.spec.ts.
       # All productivity modules now live under mana.how (path-based) —
       # no per-module subdomain entries required here.
-      CORS_ORIGINS: https://mana.how,https://auth.mana.how,https://whopxl.mana.how,https://cardecky.mana.how,https://cardecky-api.mana.how,https://memoro-app.mana.how
+      CORS_ORIGINS: https://mana.how,https://auth.mana.how,https://whopxl.mana.how,https://cardecky.mana.how,https://cardecky-api.mana.how,https://memoro-app.mana.how,https://zitare.mana.how,https://zitare-api.mana.how
     ports:
       - "3001:3001"
     healthcheck:
diff --git a/services/mana-auth/src/auth/sso-origins.ts b/services/mana-auth/src/auth/sso-origins.ts
index 528d392b9..3c0ad9b03 100644
--- a/services/mana-auth/src/auth/sso-origins.ts
+++ b/services/mana-auth/src/auth/sso-origins.ts
@@ -28,6 +28,8 @@ export const PRODUCTION_TRUSTED_ORIGINS = [
 	'https://cardecky.mana.how', // Cardecky spaced-repetition spinoff (own SvelteKit container, not the unified app)
 	'https://cardecky-api.mana.how', // Cardecky marketplace + community backend (cards-server)
 	'https://memoro-app.mana.how', // Memoro web SPA (separate deploy under mana e.V.)
+	'https://zitare.mana.how', // Zitare app shell (SvelteKit static SPA, Cookie-SSO consumer)
+	'https://zitare-api.mana.how', // Zitare backend API (Hono+Bun, JWT-bearer consumer)
 ] as const;
 
 /** Local dev origins — web dev server + the auth server itself. */