diff --git a/src/saleor-app.ts b/src/saleor-app.ts
index 81e2045..a5f3361 100644
--- a/src/saleor-app.ts
+++ b/src/saleor-app.ts
@@ -3,7 +3,9 @@ import { SaleorApp } from "@saleor/app-sdk/saleor-app";
 import { FileAPL } from "@saleor/app-sdk/APL/file";
 
 /**
- * APL wrapper that normalizes HTTP to HTTPS for auth data lookups
+ * APL wrapper that:
+ * 1. Normalizes HTTP to HTTPS for auth data lookups (for Cloudflare compatibility)
+ * 2. Prefers SALEOR_API_URL env var over stored auth URL (for internal networking)
  */
 class NormalizingAPL implements APL {
   private apl: FileAPL;
@@ -16,10 +18,31 @@ class NormalizingAPL implements APL {
     return url.replace(/^http:\/\//, "https://");
   }
 
+  /**
+   * Get auth data and optionally override saleorApiUrl with env var
+   */
   async get(saleorApiUrl: string): Promise<AuthData | undefined> {
     const normalizedUrl = this.normalizeUrl(saleorApiUrl);
     console.log(`[NormalizingAPL] Looking up auth for: ${saleorApiUrl} -> ${normalizedUrl}`);
-    return this.apl.get(normalizedUrl);
+    
+    const authData = await this.apl.get(normalizedUrl);
+    
+    if (!authData) {
+      return undefined;
+    }
+
+    // If SALEOR_API_URL is set, prefer it over the stored URL
+    // This enables internal networking (e.g., http://saleor-api.saleor:8000)
+    // while still using the stored token for authentication
+    if (process.env.SALEOR_API_URL) {
+      console.log(`[NormalizingAPL] Using SALEOR_API_URL: ${process.env.SALEOR_API_URL} (env var overrides stored: ${authData.saleorApiUrl})`);
+      return {
+        ...authData,
+        saleorApiUrl: process.env.SALEOR_API_URL,
+      };
+    }
+
+    return authData;
   }
 
   async set(authData: AuthData): Promise<void> {