diff --git a/app/handle-auth.go b/app/handle-auth.go
index 6576694..19908a6 100644
--- a/app/handle-auth.go
+++ b/app/handle-auth.go
@@ -25,7 +25,7 @@ func (l *Listener) HandleAuth(b []byte) (err error) {
 	var valid bool
 	if valid, err = auth.Validate(
 		env.Event, l.challenge.Load(),
-		l.ServiceURL(l.req),
+		l.WebSocketURL(l.req),
 	); err != nil {
 		e := err.Error()
 		if err = Ok.Error(l, env, e); chk.E(err) {
@@ -50,7 +50,7 @@ func (l *Listener) HandleAuth(b []byte) (err error) {
 			env.Event.Pubkey,
 		)
 		l.authedPubkey.Store(env.Event.Pubkey)
-		
+
 		// Check if this is a first-time user and create welcome note
 		go l.handleFirstTimeUser(env.Event.Pubkey)
 	}
@@ -65,17 +65,17 @@ func (l *Listener) handleFirstTimeUser(pubkey []byte) {
 		log.E.F("failed to check first-time user status: %v", err)
 		return
 	}
-	
+
 	if !isFirstTime {
 		return // Not a first-time user
 	}
-	
+
 	// Get payment processor to create welcome note
 	if l.Server.paymentProcessor != nil {
 		// Set the dashboard URL based on the current HTTP request
 		dashboardURL := l.Server.DashboardURL(l.req)
 		l.Server.paymentProcessor.SetDashboardURL(dashboardURL)
-		
+
 		if err := l.Server.paymentProcessor.CreateWelcomeNote(pubkey); err != nil {
 			log.E.F("failed to create welcome note for first-time user: %v", err)
 		}
diff --git a/app/server.go b/app/server.go
index e98f584..7660b92 100644
--- a/app/server.go
+++ b/app/server.go
@@ -111,6 +111,29 @@ func (s *Server) ServiceURL(req *http.Request) (url string) {
 	return proto + "://" + host
 }
 
+func (s *Server) WebSocketURL(req *http.Request) (url string) {
+	proto := req.Header.Get("X-Forwarded-Proto")
+	if proto == "" {
+		if req.TLS != nil {
+			proto = "wss"
+		} else {
+			proto = "ws"
+		}
+	} else {
+		// Convert HTTP scheme to WebSocket scheme
+		if proto == "https" {
+			proto = "wss"
+		} else if proto == "http" {
+			proto = "ws"
+		}
+	}
+	host := req.Header.Get("X-Forwarded-Host")
+	if host == "" {
+		host = req.Host
+	}
+	return proto + "://" + host
+}
+
 func (s *Server) DashboardURL(req *http.Request) (url string) {
 	return s.ServiceURL(req) + "/"
 }
@@ -277,7 +300,7 @@ func (s *Server) handleAuthLogin(w http.ResponseWriter, r *http.Request) {
 	delete(s.challenges, challengeHex)
 	s.challengeMutex.Unlock()
 
-	relayURL := s.ServiceURL(r)
+	relayURL := s.WebSocketURL(r)
 
 	// Validate the authentication event with the correct challenge
 	// The challenge in the event tag is hex-encoded, so we need to pass the hex string as bytes