diff --git a/src/app/api/compare/route.ts b/src/app/api/compare/route.ts
index cb995df..c79a735 100644
--- a/src/app/api/compare/route.ts
+++ b/src/app/api/compare/route.ts
@@ -26,10 +26,11 @@ export async function POST(request: Request) {
 // Bypass auth.api.getSession() — Drizzle queryWithCache bug (#12)
 // Manually parse session token from cookie and query sessions table directly
 const cookieHeader = request.headers.get("cookie") ?? "";
- const tokenMatch = cookieHeader
+ const cookieMatch = cookieHeader
 .split(";")
- .find((c) => c.trim().startsWith("better-auth.session_token="));
- const token = tokenMatch?.split("=")?.[1]?.trim();
+ .map((c) => c.trim())
+ .find((c) => c.startsWith("__Secure-better-auth.session_token=") || c.startsWith("better-auth.session_token="));
+ const token = cookieMatch?.split("=")?.slice(1)?.join("=")?.trim();
 if (!token) {
 return Response.json({ error: "Authentication required" }, { status: 401 });
diff --git a/src/app/api/user/comparisons/route.ts b/src/app/api/user/comparisons/route.ts
index cb7b2d6..b9d46eb 100644
--- a/src/app/api/user/comparisons/route.ts
+++ b/src/app/api/user/comparisons/route.ts
@@ -7,10 +7,11 @@ export async function GET(request: Request) {
 // Bypass auth.api.getSession() — Drizzle queryWithCache bug (#12)
 const hdrs = await headers();
 const cookieHeader = hdrs.get("cookie") ?? "";
- const tokenMatch = cookieHeader
+ const cookieMatch = cookieHeader
 .split(";")
- .find((c) => c.trim().startsWith("better-auth.session_token="));
- const token = tokenMatch?.split("=")?.[1]?.trim();
+ .map((c) => c.trim())
+ .find((c) => c.startsWith("__Secure-better-auth.session_token=") || c.startsWith("better-auth.session_token="));
+ const token = cookieMatch?.split("=")?.slice(1)?.join("=")?.trim();
 if (!token) {
 return Response.json({ error: "Unauthorized" }, { status: 401 });
 }
diff --git a/src/app/api/user/stats/route.ts b/src/app/api/user/stats/route.ts
index f5601e9..7c1e6dd 100644
--- a/src/app/api/user/stats/route.ts
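Review bot: In src/app/api/compare/route.ts the new `.find(...)` treats `__Secure-better-auth.session_token` and the unprefixed `better-auth.session_token` as equivalent and takes whichever comes first in the Cookie header, so the unprefixed cookie can shadow the prefixed one. Browsers only accept a `__Secure-` cookie from an HTTPS response that sets the `Secure` attribute, a guarantee the unprefixed name does not carry, so a request holding both should always be resolved from the prefixed one. Split the lookup into `const cookies = cookieHeader.split(";").map((c) => c.trim());` followed by `const cookieMatch = cookies.find((c) => c.startsWith("__Secure-better-auth.session_token=")) ?? cookies.find((c) => c.startsWith("better-auth.session_token="));`, and consider allowing the fallback only outside production. The same lookup is added in src/app/api/user/comparisons/route.ts and src/app/api/user/stats/route.ts; the POST handler continues outside the hunk.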
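Review bot: `token` in src/app/api/user/comparisons/route.ts is now everything after the first `=` of the raw cookie, and nothing in the hunk decodes or verifies it before use. better-auth normally issues this cookie as a signed, percent-encoded value (the session token followed by `.` and an HMAC), so if that holds here the code after the hunk has to `decodeURIComponent` the value, check the signature against the auth secret and confirm the session row has not expired, because bypassing `auth.api.getSession()` also bypasses those checks. The lines that consume `token` are outside the hunk, so this may already be handled; if it is, a comment such as `// raw cookie value "<token>.<signature>", still percent-encoded; decoded and verified below` next to the assignment would make that visible. The same applies to the compare and stats routes.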
+++ b/src/app/api/user/stats/route.ts
@@ -7,10 +7,11 @@ export async function GET() {
 // Bypass auth.api.getSession() — Drizzle queryWithCache bug (#12)
 const hdrs = await headers();
 const cookieHeader = hdrs.get("cookie") ?? "";
- const tokenMatch = cookieHeader
+ const cookieMatch = cookieHeader
 .split(";")
- .find((c) => c.trim().startsWith("better-auth.session_token="));
- const token = tokenMatch?.split("=")?.[1]?.trim();
+ .map((c) => c.trim())
+ .find((c) => c.startsWith("__Secure-better-auth.session_token=") || c.startsWith("better-auth.session_token="));
+ const token = cookieMatch?.split("=")?.slice(1)?.join("=")?.trim();
 if (!token) {
 return Response.json({ error: "Unauthorized" }, { status: 401 });
 }
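Review bot: This is the third verbatim copy of the cookie lookup (also in src/app/api/compare/route.ts and src/app/api/user/comparisons/route.ts), so the accepted cookie names and their order now have to be kept in sync by hand in authentication code. Moving it into one shared helper, for example a proposed `readSessionToken(cookieHeader: string): string | undefined`, would leave each route with `const token = readSessionToken(cookieHeader);` and give the workaround for #12 a single place to remove later. The optional chains after `split("=")` are also unnecessary, since `split`, `slice` and `join` never return undefined; `cookieMatch?.split("=").slice(1).join("=").trim()` is enough. The GET handler continues outside the hunk.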