diff --git a/app/api/auth/[...nextauth]/route.ts b/app/api/auth/[...nextauth]/route.ts
index 7e6035fa..bb5ebb25 100644
--- a/app/api/auth/[...nextauth]/route.ts
+++ b/app/api/auth/[...nextauth]/route.ts
@@ -12,7 +12,8 @@ function getClientIp(request: NextRequest): string {
 // In production, ensure your reverse proxy (Caddy) sets these headers correctly
 const forwarded = request.headers.get("x-forwarded-for");
 if (forwarded) {
- return forwarded.split(",")[0]?.trim() || "unknown";
+ const parts = forwarded.split(",");
+ return parts[parts.length - 1]?.trim() || "unknown";
 }
 const real = request.headers.get("x-real-ip");
 if (real) {
diff --git a/app/api/instances/sync/route.ts b/app/api/instances/sync/route.ts
index d4b75697..a2e62313 100644
--- a/app/api/instances/sync/route.ts
+++ b/app/api/instances/sync/route.ts
@@ -24,7 +24,8 @@ function secureTokenCompare(a: string, b: string): boolean {
 function getClientIp(request: NextRequest): string {
 const forwarded = request.headers.get("x-forwarded-for");
 if (forwarded) {
- return forwarded.split(",")[0]?.trim() || "unknown";
+ const parts = forwarded.split(",");
+ return parts[parts.length - 1]?.trim() || "unknown";
 }
 const real = request.headers.get("x-real-ip");
 if (real) {
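Review bot: Taking the last `x-forwarded-for` entry in `getClientIp` is only correct when exactly one trusted proxy sits in front of the app and the app cannot be reached around it, and that assumption is not stated next to the new lines. With a second hop ahead of Caddy (a CDN or load balancer) the last entry becomes that hop's address and every client collapses to one value, while on a direct connection the whole header, like the `x-real-ip` fallback in the context lines below, is still client-supplied. I would record the assumption in a comment such as `// Right-most entry only: appended by our single trusted proxy; earlier entries are client-supplied`, and read the trusted hop count from configuration if the deployment topology may change. The identical lines are added to the copy of `getClientIp` in app/api/instances/sync/route.ts, so moving the function into one shared helper would keep the trust policy from diverging between the two routes. The function body continues outside both hunks.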