diff --git a/backend/app/services/auto_login_service.py b/backend/app/services/auto_login_service.py
index 28b31b6..16ed7aa 100644
--- a/backend/app/services/auto_login_service.py
+++ b/backend/app/services/auto_login_service.py
@@ -187,17 +187,18 @@ def _perform_zerodha_login(
         "Origin": "https://kite.zerodha.com",
     })
 
-    # Step 1: Initialize OAuth session so Zerodha associates this session with
-    # the api_key before we submit credentials.
-    connect_resp = session.get(
+    # Step 1: Initialize OAuth session.
+    # allow_redirects=False is CRITICAL: the first 302 response sets kf_session
+    # with the OAuth context (api_key). Following the redirect updates kf_session
+    # to a plain web session (no OAuth), which causes twofa to return profile:{}
+    # instead of redirect_url with request_token.
+    session.get(
         f"https://kite.zerodha.com/connect/login?v=3&api_key={api_key}",
         timeout=15,
-        allow_redirects=True,
+        allow_redirects=False,
     )
     print(
-        f"[AUTO-LOGIN-DEBUG] connect final_url={connect_resp.url} "
-        f"status={connect_resp.status_code} "
-        f"cookies={list(session.cookies.keys())}",
+        f"[AUTO-LOGIN-DEBUG] connect cookies={list(session.cookies.keys())}",
         flush=True,
     )