Multiple Set-Cookie headers collapsed on Appwrite Deploy (Next.js 15) — only 1 cookie set

I’m deploying a Next.js 15 app to Appwrite → Deploy → Sites. In app/api/auth/login/route.ts I try to set 3 cookies.

Variant A (manual headers):

const headers = new Headers(); headers.set("Content-Type", "application/json"); headers.set("Cache-Control", "no-store"); headers.set("Set-Cookie", sessionCookie); headers.append("Set-Cookie", teamCookie); headers.append("Set-Cookie", localeCookie);

return new Response(JSON.stringify({ ok: true }), { status: 200, headers });

Variant B (NextResponse API):

import { NextResponse } from "next/server";

export async function POST() { const res = NextResponse.json({ ok: true }, { headers: { "Cache-Control": "no-store" } }); res.cookies.set("a_session", "secret", { path: "/", httpOnly: true, sameSite: "lax", secure: true }); res.cookies.set("active_team_id", "team123", { path: "/", httpOnly: true, sameSite: "lax", secure: true }); res.cookies.set("NEXT_LOCALE", "en", { path: "/", sameSite: "lax", secure: true }); return res; }

Expected: Browser should receive three distinct Set-Cookie headers and store all 3.

Actual: On Appwrite Deploy, I only see one Set-Cookie in DevTools → Network → Response Headers (and only the last cookie is stored). On my own server (local/custom), all 3 Set-Cookie headers appear and all 3 cookies are stored.

What I tried:

headers.append("Set-Cookie", ...) with different orders

NextResponse.cookies.set(...) approach

Static hard-coded cookie values

Verified in DevTools: still only one Set-Cookie on Appwrite Deploy

Env:

Next.js 15 (App Router, Route Handlers)

Same-origin fetch (no CORS)

secure: true, SameSite=Lax, no domain specified

Works locally / custom server, issue only on Appwrite Deploy → Sites

Question: Is Appwrite Deploy’s proxy collapsing multiple Set-Cookie headers? What’s the recommended way to reliably set multiple cookies on Appwrite Deploy?