diff --git a/apps/api/src/index.ts b/apps/api/src/index.ts
index 1b146b9..6cf62ac 100644
--- a/apps/api/src/index.ts
+++ b/apps/api/src/index.ts
@@ -105,7 +105,13 @@ api.use("*", resolveStaffMiddleware);
 // Better-Auth handler — mounted as sub-app to handle all /api/auth/* routes
 // authMiddleware and resolveStaffMiddleware both skip /api/auth/ paths
 const authRouter = new Hono();
-authRouter.all("/*", (c) => getAuth().handler(c.req.raw));
+authRouter.all("/*", (c) => {
+  try {
+    return getAuth().handler(c.req.raw);
+  } catch {
+    return c.json({ error: "Authentication not configured" }, 503);
+  }
+});
 api.route("/auth", authRouter);
 
 // ── Role guards ────────────────────────────────────────────────────────────────
diff --git a/apps/api/src/middleware/auth.ts b/apps/api/src/middleware/auth.ts
index 1417614..906f505 100644
--- a/apps/api/src/middleware/auth.ts
+++ b/apps/api/src/middleware/auth.ts
@@ -23,7 +23,6 @@ if (process.env.AUTH_DISABLED === "true") {
 }
 
 export const authMiddleware: MiddlewareHandler = async (c, next) => {
-  // Better-Auth's own routes handle their own auth (OAuth callbacks, session mgmt)
   if (c.req.path.startsWith("/api/auth/")) {
     await next();
     return;
@@ -37,7 +36,14 @@ export const authMiddleware: MiddlewareHandler = async (c, next) => {
     return;
   }
 
-  const session = await getAuth().api.getSession({
+  let auth;
+  try {
+    auth = getAuth();
+  } catch {
+    return c.json({ error: "Authentication not configured" }, 503);
+  }
+
+  const session = await auth.api.getSession({
     headers: c.req.raw.headers,
   });
 
diff --git a/apps/web/package.json b/apps/web/package.json
index 2cf5416..3c9d044 100644
--- a/apps/web/package.json
+++ b/apps/web/package.json
@@ -15,7 +15,7 @@
   "dependencies": {
     "@groombook/types": "workspace:*",
     "@tailwindcss/vite": "^4.2.2",
-    "better-auth": "^1.0.0",
+    "better-auth": "^1.5.6",
     "lucide-react": "^0.577.0",
     "react": "^19.0.0",
     "react-dom": "^19.0.0",
diff --git a/apps/web/vite.config.ts b/apps/web/vite.config.ts
index 7beaaa5..d73c18d 100644
--- a/apps/web/vite.config.ts
+++ b/apps/web/vite.config.ts
@@ -41,11 +41,11 @@ export default defineConfig({
       workbox: {
         globPatterns: ["**/*.{js,css,html,ico,png,svg,woff2}"],
         navigateFallbackDenylist: [
-          /^\/api\/auth\/oauth2\/callback\//,
+          /^\/api\/auth\//,
         ],
         runtimeCaching: [
           {
-            urlPattern: /^http.*\/api\/.*/i,
+            urlPattern: /^http.*\/api\/(?!auth\/).*/i,
             handler: "NetworkFirst",
             options: {
               cacheName: "api-cache",
diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml
index 81bbed5..faa203f 100644
--- a/pnpm-lock.yaml
+++ b/pnpm-lock.yaml
@@ -87,7 +87,7 @@ importers:
         specifier: ^4.2.2
         version: 4.2.2(vite@6.4.1(@types/node@22.19.15)(jiti@2.6.1)(lightningcss@1.32.0)(terser@5.46.1)(tsx@4.21.0))
       better-auth:
-        specifier: ^1.0.0
+        specifier: ^1.5.6
         version: 1.5.6(@opentelemetry/api@1.9.1)(react-dom@19.2.4(react@19.2.4))(react@19.2.4)(vitest@3.2.4(@types/node@22.19.15)(jiti@2.6.1)(jsdom@26.1.0)(lightningcss@1.32.0)(terser@5.46.1)(tsx@4.21.0))
       lucide-react:
         specifier: ^0.577.0