diff --git a/.env.example b/.env.example
index d98835ec..0f43d614 100644
--- a/.env.example
+++ b/.env.example
@@ -51,8 +51,13 @@ RAY_ENABLE_UV_RUN_RUNTIME_ENV=0 # critical with the newest version of UV
 
 INCLUDE_CREDENTIALS=false                       # set true if fastapi authentification is enabled, i.e AUTH_TOKEN is set
 INDEXERUI_PORT=8060                             # Port to expose the Indexer UI (default is 3042)
-INDEXERUI_URL='http://X.X.X.X:INDEXERUI_PORT'                 
-API_BASE_URL='http://X.X.X.X:APP_PORT'          # Base URL of your FastAPI backend. 
+INDEXERUI_URL='http://X.X.X.X:INDEXERUI_PORT'
+API_BASE_URL='http://X.X.X.X:APP_PORT'          # Base URL of your FastAPI backend.
+# Mount the indexer-ui under a subpath (e.g. `/indexerui`) on a shared vhost
+# that also hosts the backend. Leave EMPTY for root-level deployment (default).
+# Consumed as a Docker build ARG — run `docker compose build indexer-ui`
+# after changing this value; it is NOT read at runtime.
+# INDEXERUI_BASE_PATH=/indexerui
 
 # Web Search
 # WEBSEARCH_API_TOKEN=      # Web search provider API token. If unset, web search is silently disabled.
diff --git a/docker-compose.yaml b/docker-compose.yaml
index 79990582..3a634db4 100644
--- a/docker-compose.yaml
+++ b/docker-compose.yaml
@@ -75,6 +75,12 @@ services:
     build:
       context: ./extern/indexer-ui
       dockerfile: Dockerfile
+      args:
+        # Mount indexer-ui under a subpath (e.g. /indexerui/) on a shared
+        # vhost with the backend. Empty = root-level (default). See
+        # docs/oidc.md §"Single vhost deployment" for the matching nginx
+        # rules.
+        BASE_PATH: ${INDEXERUI_BASE_PATH:-}
     environment:
       - API_BASE_URL=${API_BASE_URL:-http://localhost:${APP_PORT:-8080}}
       - INCLUDE_CREDENTIALS=${INCLUDE_CREDENTIALS:-false}
diff --git a/docs/content/docs/documentation/setup_indexerui.md b/docs/content/docs/documentation/setup_indexerui.md
index 62488394..0cc7063b 100644
--- a/docs/content/docs/documentation/setup_indexerui.md
+++ b/docs/content/docs/documentation/setup_indexerui.md
@@ -43,4 +43,55 @@ INCLUDE_CREDENTIALS=false # Set to true if FastAPI authentication is enabled
 INDEXERUI_PORT=8060 # Port for the Indexer UI (default: 3042)
 INDEXERUI_URL='http://X.X.X.X:INDEXERUI_PORT'
 API_BASE_URL='http://X.X.X.X:APP_PORT'
-```
\ No newline at end of file
+```
+
+### 3. Mount the Indexer UI under a Subpath (optional)
+
+By default the Indexer UI is served at the root of its own origin (`http://host:INDEXERUI_PORT/`). If you want to expose it **on the same vhost as the backend** (behind a reverse proxy), you can mount it under a subpath via `INDEXERUI_BASE_PATH`. The typical reason is to keep the frontend and the backend same-origin.
+With this setup, the backend's session cookie is first-party to the UI (this matters when `AUTH_MODE=oidc`, where a cross-origin `openrag_session` cookie is dropped by the browser).
+
+```bash
+# Empty (default) → root-level deployment.
+# Set to mount under a subpath — leading slash required, no trailing slash.
+INDEXERUI_BASE_PATH=/indexerui
+```
+
+:::caution[Rebuild required]
+`INDEXERUI_BASE_PATH` is consumed as a **Docker build ARG** (passed to the `indexer-ui` Dockerfile via `docker-compose.yaml`), not a runtime variable. The SvelteKit app bakes the value into every asset URL and every API call at build time. After changing it you must rebuild the image:
+
+```bash
+docker compose build indexer-ui
+docker compose up -d indexer-ui
+```
+:::
+
+#### Example nginx rules (single vhost)
+
+```nginx
+server {
+    listen 443 ssl http2;
+    server_name rag.example.com;
+
+    # ... TLS config ...
+
+    # Indexer UI mounted under /indexerui/
+    location /indexerui/ {
+        proxy_pass         http://indexer-ui:3000/;
+        proxy_set_header   Host              $host;
+        proxy_set_header   X-Real-IP         $remote_addr;
+        proxy_set_header   X-Forwarded-For   $proxy_add_x_forwarded_for;
+        proxy_set_header   X-Forwarded-Proto $scheme;
+    }
+
+    # Everything else → backend (API, /auth/*, /chainlit, /static, ...)
+    location / {
+        proxy_pass         http://openrag:8080;
+        proxy_set_header   Host              $host;
+        proxy_set_header   X-Real-IP         $remote_addr;
+        proxy_set_header   X-Forwarded-For   $proxy_add_x_forwarded_for;
+        proxy_set_header   X-Forwarded-Proto $scheme;
+    }
+}
+```
+
+The trailing slash on `proxy_pass http://indexer-ui:3000/;` is load-bearing — it strips the `/indexerui` prefix before forwarding, leaving the SvelteKit app to re-add its `base` via `INDEXERUI_BASE_PATH`.
\ No newline at end of file
diff --git a/extern/indexer-ui b/extern/indexer-ui
index 9e67d1d1..7616604a 160000
--- a/extern/indexer-ui
+++ b/extern/indexer-ui
@@ -1 +1 @@
-Subproject commit 9e67d1d1fc3454acf343016f833dca27abe61578
+Subproject commit 7616604a38dcdb0b254c5be3dd116e5982bcc278