diff --git a/surfsense_web/.env.example b/surfsense_web/.env.example
index 2313f3e56f..3025202a20 100644
--- a/surfsense_web/.env.example
+++ b/surfsense_web/.env.example
@@ -1,8 +1,8 @@
 NEXT_PUBLIC_FASTAPI_BACKEND_URL=http://localhost:8000
+NEXT_PUBLIC_SIGNOUT_URL=https://
 NEXT_PUBLIC_FASTAPI_BACKEND_AUTH_TYPE=LOCAL or GOOGLE
 # mPass proxy auth — set when deployed behind oauth2-proxy + Traefik ForwardAuth
-NEXT_PUBLIC_OIDC_LOGOUT_URL=https:///logout
 NEXT_PUBLIC_OIDC_CLIENT_ID=
 NEXT_PUBLIC_OAUTH2_PROXY_URL=https://auth.
 NEXT_PUBLIC_ETL_SERVICE=UNSTRUCTURED or LLAMACLOUD or DOCLING
diff --git a/surfsense_web/Dockerfile b/surfsense_web/Dockerfile
index b16b3f066c..3156b2a4fc 100644
--- a/surfsense_web/Dockerfile
+++ b/surfsense_web/Dockerfile
@@ -41,9 +41,8 @@ ARG NEXT_PUBLIC_OAUTH2_PROXY_URL=__NEXT_PUBLIC_OAUTH2_PROXY_URL__
 # These are baked at build time (not placeholder-substituted). Next.js inlines
 # them as literal strings and terser dead-code-eliminates branches based on
 # truthiness; placeholder tokens look truthy and defeat that optimization.
-ARG NEXT_PUBLIC_LOGOUT_REDIRECT_URL=
-ARG NEXT_PUBLIC_OIDC_LOGOUT_URL=
 ARG NEXT_PUBLIC_OIDC_CLIENT_ID=
+ARG NEXT_PUBLIC_SIGNOUT_URL=
 ENV NEXT_PUBLIC_FASTAPI_BACKEND_URL=$NEXT_PUBLIC_FASTAPI_BACKEND_URL
 ENV NEXT_PUBLIC_FASTAPI_BACKEND_AUTH_TYPE=$NEXT_PUBLIC_FASTAPI_BACKEND_AUTH_TYPE
@@ -51,9 +50,8 @@ ENV NEXT_PUBLIC_ETL_SERVICE=$NEXT_PUBLIC_ETL_SERVICE
 ENV NEXT_PUBLIC_ZERO_CACHE_URL=$NEXT_PUBLIC_ZERO_CACHE_URL
 ENV NEXT_PUBLIC_DEPLOYMENT_MODE=$NEXT_PUBLIC_DEPLOYMENT_MODE
 ENV NEXT_PUBLIC_OAUTH2_PROXY_URL=$NEXT_PUBLIC_OAUTH2_PROXY_URL
-ENV NEXT_PUBLIC_LOGOUT_REDIRECT_URL=$NEXT_PUBLIC_LOGOUT_REDIRECT_URL
-ENV NEXT_PUBLIC_OIDC_LOGOUT_URL=$NEXT_PUBLIC_OIDC_LOGOUT_URL
 ENV NEXT_PUBLIC_OIDC_CLIENT_ID=$NEXT_PUBLIC_OIDC_CLIENT_ID
+ENV NEXT_PUBLIC_SIGNOUT_URL=$NEXT_PUBLIC_SIGNOUT_URL
 COPY --from=deps /app/node_modules ./node_modules
 COPY . .
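Review bot: `ARG NEXT_PUBLIC_SIGNOUT_URL=` in the first Dockerfile hunk keeps an empty default under a comment block that explains the empty default as a dead-code-elimination aid, while the next.config.ts change in this commit throws when the variable is empty. An image build that omits the build argument will therefore presumably fail at the Next.js build step rather than produce an image with the sign-out branch removed. I would say so above the line, e.g. `# Required: next.config.ts aborts the build when NEXT_PUBLIC_SIGNOUT_URL is empty.`; the matching `ENV NEXT_PUBLIC_SIGNOUT_URL=$NEXT_PUBLIC_SIGNOUT_URL` in the second hunk needs no separate comment.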
diff --git a/surfsense_web/lib/auth-utils.ts b/surfsense_web/lib/auth-utils.ts
index aadc550d09..b4521c3bb9 100644
--- a/surfsense_web/lib/auth-utils.ts
+++ b/surfsense_web/lib/auth-utils.ts
@@ -239,10 +239,7 @@ export async function logout(): Promise {
 clearAllTokens();
 if (typeof window !== "undefined") {
- // Rewrite "foss-." → "foss." so we land on the portal
- // (outside ForwardAuth) instead of SurfSense's own root, which would silently re-auth.
- const portalHost = window.location.hostname.replace(/^[^.]*\./, "moneta.");
- window.location.href = `${window.location.protocol}//${portalHost}`;
+ window.location.href = process.env.NEXT_PUBLIC_SIGNOUT_URL!;
 return true;
 }
diff --git a/surfsense_web/next.config.ts b/surfsense_web/next.config.ts
index 5414d548d7..4503a6e0a6 100644
--- a/surfsense_web/next.config.ts
+++ b/surfsense_web/next.config.ts
@@ -6,6 +6,14 @@ import createNextIntlPlugin from "next-intl/plugin";
 // Create the next-intl plugin
 const withNextIntl = createNextIntlPlugin("./i18n/request.ts");
+// Compulsory build-time env vars
+const REQUIRED_ENV_VARS = ["NEXT_PUBLIC_SIGNOUT_URL"] as const;
+for (const key of REQUIRED_ENV_VARS) {
+ if (!process.env[key]) {
+ throw new Error(`Missing required environment variable: ${key}`);
+ }
+}
+
 // TODO: Separate app routes (/login, /dashboard) from marketing routes
 // (landing page, /contact, /pricing, /docs) so the desktop build only
 // ships what desktop users actually need.
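Review bot: The `!` on `process.env.NEXT_PUBLIC_SIGNOUT_URL` in `logout()` only satisfies the compiler; if the value was not inlined into the bundle, the assignment sends the browser to a relative `undefined` path on the same origin, which according to the removed comment sits behind ForwardAuth and would silently re-authenticate the user. That removed comment was also the only record of why the target has to lie outside ForwardAuth, so I would keep the constraint next to the assignment, e.g. `// Must resolve outside ForwardAuth; a protected SurfSense route silently re-auths after logout.` The body of `logout()` starts and ends outside this hunk, so whether the proxy or IdP session is ended elsewhere is not visible here.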
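Review bot: The guard `if (!process.env[key])` in next.config.ts checks truthiness only, so the bare `https://` placeholder that this commit puts in `.env.example` passes it, as would any non-URL string or a non-http scheme. Because auth-utils.ts now assigns the value straight to `window.location.href`, I would also check at build time that it parses as an absolute http(s) URL, so a bad value fails the build instead of breaking sign-out in the browser. The check below goes after the presence loop and uses only the global `URL` constructor.

```typescript
// … unchanged: REQUIRED_ENV_VARS presence loop …

// The sign-out URL becomes a browser navigation target: accept only an absolute http(s) URL.
let signoutUrl: URL;
try {
	signoutUrl = new URL(process.env.NEXT_PUBLIC_SIGNOUT_URL ?? "");
} catch {
	throw new Error("NEXT_PUBLIC_SIGNOUT_URL is not a valid absolute URL");
}
if (signoutUrl.protocol !== "https:" && signoutUrl.protocol !== "http:") {
	throw new Error("NEXT_PUBLIC_SIGNOUT_URL must use http or https");
}
```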