diff --git a/hbd/server/http.py b/hbd/server/http.py
index 2102e9f..3d88bee 100644
--- a/hbd/server/http.py
+++ b/hbd/server/http.py
@@ -914,13 +914,16 @@ async def start(
 )
 return web.Response(text=body, content_type="text/html")

+ def _oauth_redirect_uri(request) -> str:
+ base = config.get("base_url", "").rstrip("/") or str(request.url.origin())
+ return f"{base}/login/oauth/gitea/callback"
+
 async def oauth_gitea_redirect(request):
 """GET /login/oauth/gitea — kick off the Gitea OAuth2 flow."""
 if not oauth_mod.is_enabled(config):
 return web.Response(status=404, text="OAuth not configured")
 state = oauth_mod.make_state()
- redirect_uri = f"{request.url.origin()}/login/oauth/gitea/callback"
- raise web.HTTPFound(oauth_mod.authorization_url(config, state, redirect_uri))
+ raise web.HTTPFound(oauth_mod.authorization_url(config, state, _oauth_redirect_uri(request)))

 async def oauth_gitea_callback(request):
 """GET /login/oauth/gitea/callback — handle Gitea's redirect back."""
@@ -933,9 +936,8 @@ async def start(
 if not oauth_mod.validate_state(state):
 logger.warning("OAuth: invalid or expired state token from %s", request.remote)
 raise web.HTTPFound("/login?error=1")
- redirect_uri = f"{request.url.origin()}/login/oauth/gitea/callback"
 try:
- token = await oauth_mod.exchange_code(config, code, redirect_uri)
+ token = await oauth_mod.exchange_code(config, code, _oauth_redirect_uri(request))
 profile = await oauth_mod.fetch_user(config, token)
 except oauth_mod.OAuthError as exc:
 logger.warning("OAuth error: %s", exc)
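Review bot: In `_oauth_redirect_uri`, the fallback `str(request.url.origin())` still derives the OAuth `redirect_uri` from the incoming request's scheme and Host whenever `base_url` is unset or empty. Behind a TLS-terminating proxy, or when the callback arrives under a different Host than the initial redirect, the value passed to `exchange_code` in the second hunk can then differ from the one sent in `authorization_url` and from what is registered with Gitea. Consider logging a warning when the fallback is taken, or requiring `base_url` whenever OAuth is enabled, and give the helper a one-line docstring stating that the configured `base_url` takes precedence and that both call sites must send the same value. Separately, if `config` can hold a null for the key, `config.get("base_url", "")` returns `None` and `.rstrip` raises; `base = (config.get("base_url") or "").rstrip("/") or str(request.url.origin())` tolerates that. `start()` begins and ends outside both hunks, so how `config` is populated is not visible here.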