Can I use auth.js to authenticate users across two different Next.js apps on separate subdomains?

Question

I'm currently using auth.js in a multi-zone Next.js app setup. My nextjs' multi-zone architecture consists of several apps inside the same subdomain: https://console.my-app.com. All apps within this space rewrite to a main app where I have my authentication system set up using a custom middleware.

However, I have a second app located at https://panel.my-app.com, which does not rewrite to the main app like the others. I wanted to use the same auth.js setup to authenticate users for both the console.my-app.com and panel.my-app.com apps.

Initially, everything seemed to work fine—I was able to use the same login page for both apps, and authentication was working across both subdomains. However, after some time (and may be some changes i can't exactly locate), the authentication stopped working for the panel.my-app.com app. and now it returns (sever log):

panel:start: [auth][error] UntrustedHost: Host must be trusted. URL was: https://panel.my-app.com/api/auth/session. Read more at https://errors.authjs.dev#untrustedhost
panel:start:     at /app/apps/panel/.next/server/middleware.js:389:48416
panel:start:     at ac (/app/apps/panel/.next/server/middleware.js:389:51116)
panel:start:     at process.processTicksAndRejections (node:internal/process/task_queues:95:5)

Additional Information:

• Both apps are Next.js applications.

• I’m using a custom middleware for authentication (in both). like this:

function useAuthMiddleware(
  middleware: CustomMiddleware,
): CustomMiddleware | NextMiddlewareResult {
  return auth((request) => {
    const response = NextResponse.next()
    if (isUnprotectedRoute(request.nextUrl.pathname)) return NextResponse.next()
    if (!request.auth)
      return NextResponse.redirect("https://console.my-app.com/login")
    return middleware(request, undefined, response)
  })
}

And this middleware is used in a chain alongside with other middleware.

• I used the same `auth.config.ts` for both:

export const Local = Credentials({
  credentials: {
    email: {},
    password: {},
  },
  authorize: async (credentials) => {
    const client = new FetchClient()
    try {
      const authBody = await client.post({
        url: `https://api.my-app.com/auth-token`,
        data: {
          email: credentials.email,
          password: credentials.password,
        },
        config: {
          headers: {
            'Content-Type': 'application/json',
          },
        },
      })
      return authBody
    } catch (error) {
      console.error(error)
      return null
    }
  },
})

// Define how we want the session token to be stored in our browser
const cookies: NextAuthConfig['cookies'] = {
  sessionToken: {
    name: `session-token`,
    options: {
      httpOnly: true,
      sameSite: 'lax',
      path: '/',
      secure: useSecureCookies,
      domain: "console.my-app.com",
    },
  },
}

export default {
  providers: [Local, Google],
  secret: AUTH_SECRET,
  pages: {
    signIn: '/login',
    error: '/500',
  },
  useSecureCookies,
  cookies,
} satisfies NextAuthConfig

With env var in main:

AUTH_URL=https://console.my-app.com

• console.my-app.com is a multi-zone setup with multiple apps rewriting to a main app.

• panel.my-app.com is a separate app, obviously, on a different subdomain.

So,

• Is it possible (in first place) to use auth.js to authenticate users across two (or more) different subdomains in Next.js (something like what Microsoft (as an example) is doing with all it's apps)
• If i need to add domain to trust list, how to do that?
• If so, what could be the reason it stopped working?

Any guidance or best practices would be greatly appreciated.