diff --git a/Dockerfile b/Dockerfile
index a8997ef83..ea505715b 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -4,7 +4,7 @@ WORKDIR /app
 
 # --- Install + Build in one stage ---
 FROM base AS builder
-ARG CACHE_BUST=5
+ARG CACHE_BUST=6
 COPY . .
 RUN pnpm install --no-frozen-lockfile
 ENV NEXT_TELEMETRY_DISABLED=1
diff --git a/docker-compose.yml b/docker-compose.yml
index acd7a63ca..d22bbcf07 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -321,10 +321,12 @@ services:
     environment:
       NODE_ENV: production
       NEXT_PUBLIC_SITE_URL: ${SITE_URL:-http://localhost:3000}
-      # Must match the build-time value — server code reads from process.env
+      # Browser-side: external domain (baked at build time, re-stated here for SSR)
       NEXT_PUBLIC_SUPABASE_URL: ${API_EXTERNAL_URL:-http://localhost:8000}
       NEXT_PUBLIC_SUPABASE_PUBLIC_KEY: ${SUPABASE_ANON_KEY}
       NEXT_PUBLIC_DEFAULT_LOCALE: de
+      # Server-side: Docker-internal URL (avoids hairpin NAT / DNS issues)
+      SUPABASE_INTERNAL_URL: http://supabase-kong:8000
       SUPABASE_SECRET_KEY: ${SUPABASE_SERVICE_ROLE_KEY}
       SUPABASE_DB_WEBHOOK_SECRET: ${DB_WEBHOOK_SECRET:-webhooksecret}
       EMAIL_SENDER: ${EMAIL_SENDER:-noreply@myeasycms.de}
diff --git a/packages/supabase/src/get-supabase-client-keys.ts b/packages/supabase/src/get-supabase-client-keys.ts
index 1f3a3eee9..3afab122e 100644
--- a/packages/supabase/src/get-supabase-client-keys.ts
+++ b/packages/supabase/src/get-supabase-client-keys.ts
@@ -2,8 +2,18 @@ import * as z from 'zod';
 
 /**
  * Returns and validates the Supabase client keys from the environment.
+ *
+ * On the server, prefers SUPABASE_INTERNAL_URL (Docker-internal)
+ * over NEXT_PUBLIC_SUPABASE_URL (external domain) to avoid
+ * hairpin NAT / DNS issues in containerized deployments.
  */
 export function getSupabaseClientKeys() {
+  const isServer = typeof window === 'undefined';
+
+  const url = isServer
+    ? (process.env.SUPABASE_INTERNAL_URL || process.env.NEXT_PUBLIC_SUPABASE_URL)
+    : process.env.NEXT_PUBLIC_SUPABASE_URL;
+
   return z
     .object({
       url: z.string({
@@ -14,7 +24,7 @@ export function getSupabaseClientKeys() {
       }),
     })
     .parse({
-      url: process.env.NEXT_PUBLIC_SUPABASE_URL,
+      url,
       publicKey: process.env.NEXT_PUBLIC_SUPABASE_PUBLIC_KEY,
     });
 }