diff --git a/Dockerfile b/Dockerfile
index 37ca5aa..9a72843 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,3 +1,15 @@
+# ===============================================================
+# Stage 1: Build mcp-auth-proxy from source
+# ===============================================================
+FROM golang:1.23-bookworm AS auth-proxy-builder
+
+RUN git clone https://github.com/sigbit/mcp-auth-proxy.git /build \
+    && cd /build \
+    && go build -o /mcp-auth-proxy .
+
+# ===============================================================
+# Stage 2: Main image
+# ===============================================================
 FROM node:20-slim
 
 # ---------------------------------------------------------------
@@ -16,13 +28,9 @@ RUN apt-get update && apt-get install -y \
     && rm -rf /var/lib/apt/lists/*
 
 # ---------------------------------------------------------------
-# 2. Install mcp-auth-proxy (OAuth 2.1 + stdio→HTTPS in one binary)
+# 2. Copy mcp-auth-proxy binary from builder
 # ---------------------------------------------------------------
-ARG MCP_AUTH_PROXY_VERSION=v2.5.3
-RUN ARCH=$(dpkg --print-architecture) && \
-    curl -fsSL "https://github.com/sigbit/mcp-auth-proxy/releases/download/${MCP_AUTH_PROXY_VERSION}/mcp-auth-proxy_linux_${ARCH}" \
-    -o /usr/local/bin/mcp-auth-proxy && \
-    chmod +x /usr/local/bin/mcp-auth-proxy
+COPY --from=auth-proxy-builder /mcp-auth-proxy /usr/local/bin/mcp-auth-proxy
 
 # ---------------------------------------------------------------
 # 3. Clone and build the Overleaf MCP server
@@ -44,10 +52,6 @@ RUN mkdir -p /data/resumes /data/output /root/.overleaf-mcp/browser-data
 
 # ---------------------------------------------------------------
 # 6. Expose HTTPS ports and start
-#    mcp-auth-proxy handles:
-#    - stdio → HTTP conversion
-#    - OAuth 2.1 authentication (GitHub/Google/OIDC/password)
-#    - Auto TLS via Let's Encrypt
 # ---------------------------------------------------------------
 EXPOSE 80 443