diff --git a/apps/web/app/(app)/accounts/AddAccount.tsx b/apps/web/app/(app)/accounts/AddAccount.tsx
index 6ac7e6190e..e2fad8444a 100644
--- a/apps/web/app/(app)/accounts/AddAccount.tsx
+++ b/apps/web/app/(app)/accounts/AddAccount.tsx
@@ -22,6 +22,7 @@ export function AddAccount() {
     await authClient.signIn.social({
       provider: "google",
       callbackURL: "/accounts",
+      newUserCallbackURL: "/welcome",
       scopes: [...GMAIL_SCOPES],
     });
   };
@@ -41,6 +42,7 @@ export function AddAccount() {
     await authClient.signIn.social({
       provider: "microsoft",
       callbackURL: "/accounts",
+      newUserCallbackURL: "/welcome",
       scopes: [...OUTLOOK_SCOPES],
     });
   };
diff --git a/apps/web/env.ts b/apps/web/env.ts
index 567a52e121..2e25be99fc 100644
--- a/apps/web/env.ts
+++ b/apps/web/env.ts
@@ -116,6 +116,8 @@ export const env = createEnv({
     LICENSE_25_SEAT_VARIANT_ID: z.coerce.number().optional(),
 
     DUB_API_KEY: z.string().optional(),
+
+    COOKIE_DOMAIN: z.string().default("getinboxzero.com"),
   },
   client: {
     // stripe
diff --git a/apps/web/utils/auth.ts b/apps/web/utils/auth.ts
index f55c9d93dc..78309c2954 100644
--- a/apps/web/utils/auth.ts
+++ b/apps/web/utils/auth.ts
@@ -25,13 +25,13 @@ const logger = createScopedLogger("auth");
 export const auth = betterAuth({
   advanced: {
     crossSubDomainCookies: {
-      domain: "getinboxzero.com",
       enabled: true,
+      domain: env.COOKIE_DOMAIN,
     },
     cookie: {
       sameSite: "none",
       secure: true,
-      domain: "getinboxzero.com",
+      domain: env.COOKIE_DOMAIN,
       path: "/",
     },
     defaultCookieAttributes: {
@@ -101,11 +101,11 @@ export const auth = betterAuth({
       createdAt: "createdAt",
       updatedAt: "updatedAt",
     },
-    /* accountLinking: {
+    accountLinking: {
       enabled: true,
-      trustedProviders: ["google", "microsoft"],
       allowDifferentEmails: true,
-    }, */
+      trustedProviders: ["google", "microsoft"],
+    },
   },
   verification: {
     modelName: "VerificationToken",
@@ -123,6 +123,7 @@ export const auth = betterAuth({
       scope: [...GMAIL_SCOPES],
       accessType: "offline",
       prompt: "select_account+consent",
+      disableIdTokenSignIn: true,
     },
     microsoft: {
       clientId: env.MICROSOFT_CLIENT_ID,
@@ -131,6 +132,7 @@ export const auth = betterAuth({
       tenantId: "common",
       prompt: "consent",
       requireSelectAccount: true,
+      disableIdTokenSignIn: true,
     },
   },
   events: {