diff --git a/src/lib/env.ts b/src/lib/env.ts
index bb8e09c..6e60057 100644
--- a/src/lib/env.ts
+++ b/src/lib/env.ts
@@ -1,7 +1,7 @@
 import { z } from "zod"
 
 const envSchema = z.object({
-  BETTER_AUTH_SECRET: z.string().min(1, "Missing BETTER_AUTH_SECRET"),
+  BETTER_AUTH_SECRET: z.string().min(1).optional(),
   BETTER_AUTH_URL: z.string().url().optional(),
   NEXT_PUBLIC_CONVEX_URL: z.string().url().optional(),
   CONVEX_INTERNAL_URL: z.string().url().optional(),
@@ -30,8 +30,22 @@ if (!parsed.success) {
   throw new Error("Invalid environment configuration")
 }
 
+const isBuildPhase = process.env.NEXT_PHASE === "phase-production-build"
+
+function resolveSecret(value: string | undefined, key: string) {
+  if (value) return value
+  const fallback = isBuildPhase ? `build-placeholder-${key.toLowerCase()}` : `dev-${key.toLowerCase()}`
+  if (process.env.NODE_ENV === "production" && !isBuildPhase) {
+    throw new Error(`${key} must be set in production runtime environment`)
+  }
+  if (!isBuildPhase) {
+    console.warn(`ENV ${key} not set; using fallback value only for development.`)
+  }
+  return fallback
+}
+
 export const env = {
-  BETTER_AUTH_SECRET: parsed.data.BETTER_AUTH_SECRET,
+  BETTER_AUTH_SECRET: resolveSecret(parsed.data.BETTER_AUTH_SECRET, "BETTER_AUTH_SECRET"),
   BETTER_AUTH_URL: parsed.data.BETTER_AUTH_URL ?? parsed.data.NEXT_PUBLIC_APP_URL ?? "http://localhost:3000",
   NEXT_PUBLIC_CONVEX_URL: parsed.data.NEXT_PUBLIC_CONVEX_URL,
   CONVEX_INTERNAL_URL: parsed.data.CONVEX_INTERNAL_URL,