guessPotentiallyProxiedOrySdkUrl breaks flows in production behind a non-Vercel reverse proxy

[rrozza-apolitical]

Preflight checklist

• I could not find a solution in the existing issues, docs, nor discussions.
• I agree to follow this project's Code of Conduct.
• I have read and am following this repository's Contribution Guidelines.
• I have joined the Ory Community Slack.
• I am signed up to the Ory Security Patch Newsletter.

Ory Network Project

https://busy-mayer-9wpd865lft.projects.oryapis.com

Describe the bug

Hi,

We're integrating Ory Network with a Next.js 16 app using @ory/nextjs@1.0.0-rc.1 and @ory/elements-react@1.1.0. Our app runs in Kubernetes behind Traefik Proxy (not Vercel).

The problem: When NODE_ENV=production, all Ory auth flows (login, registration, recovery, verification) break. The browser is redirected to the raw NEXT_PUBLIC_ORY_SDK_URL (our Ory Network custom domain) instead of going through the app's middleware proxy. This results in 404s server-side and CORS errors client-side.

AI root cause findings: guessPotentiallyProxiedOrySdkUrl in @ory/nextjs short-circuits when isProduction() returns true — it returns orySdkUrl() immediately, before ever checking the knownProxiedUrl option. This means the host-header-derived URL (which the flow functions correctly pass as knownProxiedUrl: await getPublicUrl()) is never used in production. The only non-Vercel production path assumes the SDK URL should be used directly, which doesn't work when the app sits behind a reverse proxy that needs to proxy Ory API calls.

Notably, the middleware's proxyRequest function works correctly — it derives selfUrl from request headers. The issue is isolated to the server-side flow functions (getLoginFlow, etc.) and client-side @ory/elements-react components, which both rely on guessPotentiallyProxiedOrySdkUrl.

Current workaround: Setting NEXT_PUBLIC_NODE_ENV=development to trick isProduction() into returning false, which allows the knownProxiedUrl / window.location.origin code paths to execute. This works but is semantically incorrect and fragile.

Our ask: Is there a supported way to run @ory/nextjs in production behind a non-Vercel reverse proxy (e.g. Traefik, Nginx, HAProxy)?

Environment:
@ory/nextjs@1.0.0-rc.1, @ory/elements-react@1.1.0
Next.js 16 (standalone output, App Router)
Docker Compose + Traefik Proxy
NEXT_PUBLIC_ORY_SDK_URL points to our Ory Network custom domain

Screen.Recording.2026-04-02.at.17.16.29.mov

Thanks for any guidance.

Reproducing the bug

See the video attached above

Relevant log output

Relevant configuration

Version

@ory/nextjs@1.0.0-rc.1 @ory/elements-react@1.1.0

On which operating system are you observing this issue?

None

In which environment are you deploying?

None

Additional Context

No response

[jonas-jonas]

Hi! Thanks for the details.

This is intentional. In production environments, we expect the project configuration to point to the correct (absolute) URL (you can configure that here https://console.ory.sh/projects/current/ui). In your case, this would be my-main-domain.com/auth/login for the Login UI URL, etc.

That way, if a flow was initiated outside the UI (e.g. by navigating to ory-cname.my-main-domain.com/self-service/login/browser), Ory can still redirect the user to the correct page.

What's the UI URL configuration for your project?

[rrozza-apolitical]

Hey @jonas-jonas, thanks for your reply.

I can confirm that on our Ory project, the Login UI URL was configured as https://[ory-project-slug].projects.oryapis.com/auth/login. After changing it to https://[staging-subdomain]/auth/login, the login flow started to work as expected, even with NEXT_PUBLIC_ORY_SDK_URL set to production instead of development. So, that's great news and seems to resolve the original issue!

However, this raises a question about multi-tenancy: if we have two subdomains (e.g. https://[staging-subdomain-1] and https://[staging-subdomain-2]) under the same Ory project, how should we configure the Login UI URL to get both environments working? I tried the relative /auth/login, but it still takes me to https://[ory-custom-domain]/auth/login and returns the previous 404 unless I set NEXT_PUBLIC_ORY_SDK_URL=development.