diff --git a/src/Core/Auth/Identity/TokenProviders/DuoUniversalTokenService.cs b/src/Core/Auth/Identity/TokenProviders/DuoUniversalTokenService.cs
index 43f0cbdd17..9bc5a496e0 100644
--- a/src/Core/Auth/Identity/TokenProviders/DuoUniversalTokenService.cs
+++ b/src/Core/Auth/Identity/TokenProviders/DuoUniversalTokenService.cs
@@ -166,9 +166,7 @@ public class DuoUniversalTokenService(
}
var normalizedHost = host.ToLowerInvariant();
- return normalizedHost.EndsWith("bitwarden.com") ||
- normalizedHost.EndsWith("bitwarden.eu") ||
- normalizedHost.EndsWith("bitwarden.pw");
+ return Constants.BitwardenCloudDomains.Any(d => normalizedHost.EndsWith(d));
}
private static DuoDeeplinkScheme? GetDeeplinkSchemeOverride(HttpContext httpContext)
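Review bot: The suffix test in `Constants.BitwardenCloudDomains.Any(d => normalizedHost.EndsWith(d))` has no label boundary, so a host such as `notbitwarden.com` (constructed example) is treated as a Bitwarden cloud host. The refactor carries this over unchanged from the three removed `EndsWith` calls. Matching the exact domain or a dot-prefixed suffix closes that gap: `return Constants.BitwardenCloudDomains.Any(d => normalizedHost == d || normalizedHost.EndsWith("." + d, StringComparison.Ordinal));`. The explicit `StringComparison.Ordinal` also avoids the culture-sensitive default of `string.EndsWith(string)`. The method begins above this hunk, so where `host` comes from and what the result gates is not visible here; if it derives from a request header, the stricter match matters more.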
diff --git a/src/Core/Constants.cs b/src/Core/Constants.cs
index e5148795f4..b0b2b32204 100644
--- a/src/Core/Constants.cs
+++ b/src/Core/Constants.cs
@@ -33,6 +33,11 @@ public static class Constants
public const string SSHKeyCipherMinimumVersion = "2024.12.0";
public const string DenyLegacyUserMinimumVersion = "2025.6.0";
+ ///
+ /// Domain suffixes for Bitwarden cloud-hosted environments.
+ ///
+ public static readonly string[] BitwardenCloudDomains = ["bitwarden.com", "bitwarden.eu", "bitwarden.pw"];
+
///
/// Used by IdentityServer to identify our own provider.
///
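Review bot: `BitwardenCloudDomains` is declared as `public static readonly string[]`, which fixes the reference but leaves every element writable by any code in the process. In this commit the list feeds a host check in DuoUniversalTokenService and the mobile client's redirect URIs in ApiClient, so it is worth making read-only, e.g. `public static readonly IReadOnlyList<string> BitwardenCloudDomains = ["bitwarden.com", "bitwarden.eu", "bitwarden.pw"];`. Both call sites only use LINQ over it, so they should compile unchanged. The doc comment could also state that entries are bare domains without a leading dot and that callers must match on a label boundary rather than a raw string suffix.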
diff --git a/src/Identity/IdentityServer/ApiClient.cs b/src/Identity/IdentityServer/ApiClient.cs
index c37ddbb7a0..df250ef410 100644
--- a/src/Identity/IdentityServer/ApiClient.cs
+++ b/src/Identity/IdentityServer/ApiClient.cs
@@ -1,6 +1,7 @@
// FIXME: Update this file to be null safe and then delete the line below
#nullable disable
+using Bit.Core;
using Bit.Core.Settings;
using Bit.Identity.IdentityServer.RequestValidators;
using Duende.IdentityServer.Models;
@@ -82,12 +83,9 @@ public class ApiClient : Client
}
else if (id == "mobile")
{
- RedirectUris = new[] {
- "bitwarden://sso-callback",
- "https://bitwarden.com/sso-callback",
- "https://bitwarden.eu/sso-callback",
- "https://bitwarden.pw/sso-callback",
- };
+ RedirectUris = new[] { "bitwarden://sso-callback" }
+ .Concat(Constants.BitwardenCloudDomains.Select(d => $"https://{d}/sso-callback"))
+ .ToArray();
PostLogoutRedirectUris = new[] { "bitwarden://logged-out" };
}
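Review bot: The mobile client's HTTPS `RedirectUris` are now derived from `Constants.BitwardenCloudDomains`, a list documented as "domain suffixes" and also used for host matching in DuoUniversalTokenService. Any later addition to that list, made for the host check, would silently register a new OAuth redirect target here. I would record the coupling at this site with a comment such as `// Each entry in BitwardenCloudDomains becomes an allowed SSO redirect target for the mobile client; treat additions as a redirect-URI change.` A unit test pinning the exact set of redirect URIs for the `mobile` client would catch an unintended change. The enclosing constructor starts and ends outside this hunk.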