diff --git a/services/mana-core-auth/src/auth/oidc-login.controller.ts b/services/mana-core-auth/src/auth/oidc-login.controller.ts
index c2aa44e99..4c83ad607 100644
--- a/services/mana-core-auth/src/auth/oidc-login.controller.ts
+++ b/services/mana-core-auth/src/auth/oidc-login.controller.ts
@@ -223,7 +223,8 @@ export class OidcLoginController {
       submitBtn.textContent = 'Signing in...';
 
       try {
-        const response = await fetch('/api/v1/auth/login', {
+        // Use Better Auth's native sign-in endpoint which sets session cookies
+        const response = await fetch('/api/auth/sign-in/email', {
           method: 'POST',
           headers: {
             'Content-Type': 'application/json',
@@ -232,13 +233,12 @@ export class OidcLoginController {
           credentials: 'include',
         });
 
-        const data = await response.json();
-
-        if (response.ok && data.accessToken) {
-          // Login successful - redirect to authorization endpoint
-          // The oidc_login_prompt cookie will be used to continue the flow
+        if (response.ok) {
+          // Login successful - session cookie is now set
+          // Redirect to authorization endpoint to continue OIDC flow
           window.location.href = returnUrl;
         } else {
+          const data = await response.json().catch(() => ({}));
           throw new Error(data.message || 'Invalid email or password');
         }
       } catch (error) {
diff --git a/services/mana-core-auth/src/auth/oidc.controller.ts b/services/mana-core-auth/src/auth/oidc.controller.ts
index 046fc4323..ff37f7c1c 100644
--- a/services/mana-core-auth/src/auth/oidc.controller.ts
+++ b/services/mana-core-auth/src/auth/oidc.controller.ts
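Review bot: The route string `'/api/auth/sign-in/email'` in the new fetch call is now spelled in three places that must stay in sync — this page script, the `@Post('api/auth/sign-in/email')` handler in oidc.controller.ts and the `api/auth/sign-in/(.*)` prefix exclusion in main.ts — so renaming any one of them silently breaks the login page with no compile-time signal. If this script is emitted from a template literal on the server, interpolate a single shared constant (e.g. `const SIGN_IN_PATH = '/api/auth/sign-in/email';`) rather than repeating the literal; failing that, point the comment at the server side: `// POST to Better Auth's sign-in/email route (OidcController.signInEmail); success arrives as a Set-Cookie, not as a token in the body`. The submit handler this fetch belongs to starts before the hunk and the request body is built outside it, so I could not confirm that the body shape still matches what the new endpoint expects (`email`/`password` rather than whatever `/api/v1/auth/login` took) — worth verifying.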
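Review bot: Success is now decided by `response.ok` alone, so the page redirects to `returnUrl` without confirming that a session was actually established; if the Better Auth instance enables any step that answers 200 without setting a session cookie (a second-factor prompt, for example — the auth configuration is not visible here), the user is sent to the authorize endpoint only to be bounced back to /login with no error shown. I'd read the body on both branches and gate the redirect on it: `const data = await response.json().catch(() => ({}));` followed by `if (response.ok && data.user) { window.location.href = returnUrl; }` — `user` is what Better Auth's sign-in normally returns, confirm against the version in use. `returnUrl` is assigned outside the hunk and is pre-existing, but if it originates from a query parameter it should be constrained to a same-origin path before being handed to `window.location.href`, otherwise this page is an open redirect that fires precisely after a successful login.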
@@ -80,6 +80,18 @@ export class OidcController {
     return this.handleOidcRequest(req, res);
   }
 
+  /**
+   * Better Auth Sign-in Endpoint
+   *
+   * This endpoint is needed for OIDC login flow.
+   * When users log in via the /login page, it posts to this endpoint
+   * which sets the session cookie needed for the OAuth2 flow.
+   */
+  @Post('api/auth/sign-in/email')
+  async signInEmail(@Req() req: Request, @Res() res: Response) {
+    return this.handleOidcRequest(req, res);
+  }
+
   // ============================================
   // Alternative /api/oidc/* paths
   // For backwards compatibility and convenience
diff --git a/services/mana-core-auth/src/main.ts b/services/mana-core-auth/src/main.ts
index b46253a6a..5a403a74b 100644
--- a/services/mana-core-auth/src/main.ts
+++ b/services/mana-core-auth/src/main.ts
@@ -100,9 +100,10 @@ async function bootstrap() {
         { path: 'health', method: RequestMethod.ALL },
         // OIDC login page
         { path: 'login', method: RequestMethod.ALL },
-        // Better Auth routes (verification emails, password reset)
+        // Better Auth routes (verification emails, password reset, sign-in)
         { path: 'api/auth/verify-email', method: RequestMethod.ALL },
         { path: 'api/auth/reset-password/(.*)', method: RequestMethod.ALL },
+        { path: 'api/auth/sign-in/(.*)', method: RequestMethod.ALL },
         // Better Auth OIDC/OAuth2 routes (native paths from discovery document)
         { path: 'api/auth/jwks', method: RequestMethod.ALL },
         { path: 'api/auth/oauth2/(.*)', method: RequestMethod.ALL },
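Review bot: `signInEmail` mounts a password-based sign-in endpoint that the doc comment says is reached from the public /login page, but nothing in the hunk throttles it; whether brute-force and credential-stuffing protection exists depends on Better Auth's rate limiter being enabled for this route inside `handleOidcRequest`, which is outside the view. I'd record that dependency in the JSDoc so it is not lost when someone tunes the auth config: `* Public, unauthenticated. Brute-force protection relies on Better Auth's rate limiter — keep it enabled for sign-in/email.` The rest of the comment reads as a historical note ("This endpoint is needed for…"); rewording it to state the contract — the request is forwarded unchanged to Better Auth and the response carries the session cookie the OAuth2 authorize endpoint reads — would serve the next reader better. Routing a credential POST through a method named `handleOidcRequest` is also a naming wrinkle worth a one-line comment, since this handler is not OIDC-specific.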
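Review bot: The new exclusion `api/auth/sign-in/(.*)` is wider than the single route this commit mounts in OidcController (`api/auth/sign-in/email`), and `RequestMethod.ALL` admits every verb where the handler declares only `@Post`; this list doubles as the inventory of what is served outside the API prefix, so it should be no broader than the routes actually backing it. Other sign-in variants would 404 today for lack of a controller route, but whoever later adds a catch-all inherits a prefix exclusion that already waves them through. Unless additional sign-in methods are intended for the OIDC login page, narrow it to `{ path: 'api/auth/sign-in/email', method: RequestMethod.POST },`. The updated comment could also say why these paths are excluded — `// Better Auth routes served at their native paths outside the API prefix: verification emails, password reset, sign-in` — rather than only listing them. `bootstrap` starts and ends outside the hunk.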