diff --git a/lib/directus.ts b/lib/directus.ts
index 5c2e6842..0a1b26ba 100644
--- a/lib/directus.ts
+++ b/lib/directus.ts
@@ -3,12 +3,12 @@
 
 import { cookies, headers } from "next/headers";
 
-const BASE = (process.env.DIRECTUS_URL || "").replace(/\/$/, "");
+const BASE = (process.env.DIRECTUS_URL || process.env.NEXT_PUBLIC_API_BASE_URL || "").replace(/\/$/, "");
 const TOKEN_ADMIN_REGISTER = process.env.DIRECTUS_TOKEN_ADMIN_REGISTER || ""; // server-only
 const ROLE_MEMBER_NAME = process.env.DIRECTUS_ROLE_MEMBER_NAME || "Users";
 const PROJECTS_COLLECTION = process.env.DIRECTUS_PROJECTS_COLLECTION || "projects";
 
-if (!BASE) console.warn("[directus] Missing DIRECTUS_URL");
+if (!BASE) console.warn("[directus] Missing DIRECTUS_URL / NEXT_PUBLIC_API_BASE_URL");
 if (!TOKEN_ADMIN_REGISTER)
   console.warn("[directus] Missing DIRECTUS_TOKEN_ADMIN_REGISTER (used for registration)");
 
@@ -61,8 +61,12 @@ export function getUserBearerFromRequest(req?: Request): string | null {
 // Low-level helpers (bearer REQUIRED; no fallbacks)
 // ─────────────────────────────────────────────────────────────
 
+function asAuthHeader(bearer: string) {
+  return bearer?.startsWith("Bearer ") ? bearer : `Bearer ${bearer}`;
+}
+
 function authHeaders(bearer: string, extra?: HeadersInit): HeadersInit {
-  return { Accept: "application/json", Authorization: `Bearer ${bearer}`, ...extra };
+  return { Accept: "application/json", Authorization: asAuthHeader(bearer), ...extra };
 }
 
 async function parseJsonSafe(res: Response) {
@@ -205,15 +209,15 @@ export async function resolveMemberRoleId(): Promise<string> {
   return hit;
 }
 
-/** Registrations always create a 'Users' role account. No overrides. */
+/** Registrations create a 'Users' role account. */
 export async function createDirectusUser(input: {
   username: string;
   password: string;
   email?: string;
-}: PromiseLike<any> extends never ? never : any): Promise<{ id: string }> {
+}): Promise<{ id: string }> {
   const role = await resolveMemberRoleId();
 
-  // If email is omitted, create a stable placeholder so login can still work.
+  // If email were omitted, we could synthesize; your current registration requires email.
   const email =
   input.email && input.email.trim()
   ? input.email.trim()