diff --git a/internal/config/oidc.go b/internal/config/oidc.go
index 5fa8af8d4..77183d724 100644
--- a/internal/config/oidc.go
+++ b/internal/config/oidc.go
@@ -15,6 +15,7 @@ type (
 RedirectURL string
 AppURL string
+ StateCookieDomain string
 StateCookieExpiry int64
 }
 )
@@ -34,6 +35,9 @@ func (c *OIDC) Validate() error {
 if c.RedirectURL == "" {
 return errors.New("OIDC RedirectURL not set for AUTH")
 }
+ if c.StateCookieDomain == "" {
+ return errors.New("OIDC CookieDomain not set")
+ }
 return nil
 }
@@ -50,6 +54,7 @@ func (*OIDC) Init(prefix ...string) *OIDC {
 flag.StringVar(&oidc.ClientSecret, "auth-oidc-client-secret", "", "OIDC Client Secret")
 flag.StringVar(&oidc.RedirectURL, "auth-oidc-redirect-url", "", "OIDC RedirectURL")
 flag.StringVar(&oidc.AppURL, "auth-oidc-app-url", "", "OIDC AppURL")
+ flag.StringVar(&oidc.StateCookieDomain, "auth-oidc-cookie-domain", "", "JWT Cookie domain")
 flag.Int64Var(&oidc.StateCookieExpiry, "auth-oidc-state-cookie-expiry", 15, "OIDC State cookie expiry in minutes")
 return oidc
 }
diff --git a/system/rest/oidc.go b/system/rest/oidc.go
index 10bbccc11..140c9edf2 100644
--- a/system/rest/oidc.go
+++ b/system/rest/oidc.go
@@ -31,6 +31,7 @@ type (
 appURL string
 stateCookieExpiry int64
+ stateCookieDomain string
 userService service.UserService
@@ -53,6 +54,7 @@ func OpenIdConnect(ctx context.Context, cfg *config.OIDC, usvc service.UserServi
 c = &openIdConnect{
 appURL: cfg.AppURL,
 stateCookieExpiry: cfg.StateCookieExpiry,
+ stateCookieDomain: cfg.StateCookieDomain,
 userService: usvc,
 jwt: jwt,
 }
@@ -210,6 +212,6 @@ func (c *openIdConnect) setStateCookie(w http.ResponseWriter, r *http.Request, v
 HttpOnly: true,
 Secure: r.URL.Scheme == "https",
 Path: "/oidc",
- Domain: ".rustbucket.io", // @todo make this configurable (like stateCookieExpiry)
+ Domain: c.stateCookieDomain,
 })
 }
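Review bot: The new check in Validate rejects an empty StateCookieDomain, which rules out the tightest scope for the state cookie: an empty Domain attribute yields a host-only cookie, whereas any non-empty value makes the cookie visible to every subdomain of that value. Unless there is a reason the state cookie must span subdomains, I would drop the check (or invert the default) and let an unset flag mean host-only, so operators are not pushed into a broader scope to get past startup validation. If the check stays, the message should name the field it checks so the failing flag is findable: `return errors.New("OIDC StateCookieDomain not set")`. Validate's body continues outside this hunk.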
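Review bot: The help text on the new flag, "JWT Cookie domain", describes the wrong cookie — the field it sets is StateCookieDomain and the only consumer in this diff is setStateCookie — and the flag name `auth-oidc-cookie-domain` breaks the pattern of its sibling `auth-oidc-state-cookie-expiry`. Since the flag is new, I would align both before it ships: `flag.StringVar(&oidc.StateCookieDomain, "auth-oidc-state-cookie-domain", "", "OIDC State cookie domain (empty for host-only)")`. Init's body continues outside this hunk.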
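Review bot: `Domain: c.stateCookieDomain` passes the configured value straight through, and net/http's Cookie serialization silently drops a Domain it considers invalid (it only logs), so a misconfigured value degrades to a host-only cookie at runtime with nothing in Validate catching it; consider validating the shape of the value where the flag is parsed, or at least noting this in the flag's help text. If there is a companion path that clears the state cookie (outside this diff), it must set the same Domain and Path or the clear will not match the cookie being set. Unrelated to this change but visible in the hunk: `Secure: r.URL.Scheme == "https"` is likely never true for an inbound server request, where r.URL.Scheme is normally empty, so the state cookie is probably being set without the Secure flag even over TLS — worth a separate fix keyed on r.TLS or the deployment's forwarded-proto header. setStateCookie's body begins outside this hunk.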