diff --git a/navi/api/routes/auth.py b/navi/api/routes/auth.py
index 0639786..a73840f 100644
--- a/navi/api/routes/auth.py
+++ b/navi/api/routes/auth.py
@@ -6,6 +6,8 @@
 import structlog
 from typing import Annotated
+from urllib.parse import urlencode, urlparse, parse_qs, urlunparse
+
 from fastapi import APIRouter, Depends, HTTPException, Request, Response
 from gnexus_gauth.exceptions import (
 PkceException,
@@ -48,8 +50,16 @@
 scopes=["openid", "email", "profile", "roles", "permissions"],
 )
+ # Force re-authentication prompt so the user always sees the login form
+ # instead of being silently logged in via an existing gnexus-auth session.
+ parsed = urlparse(auth_request.authorization_url)
+ qs = parse_qs(parsed.query, keep_blank_values=True)
+ qs["prompt"] = ["login"]
+ parsed = parsed._replace(query=urlencode(qs, doseq=True))
+ authorization_url = urlunparse(parsed)
+
 log.info("auth.login_redirect", state=auth_request.state[:8] + "...", redirect_uri=redirect_uri)
- return Response(status_code=302, headers={"Location": authorization_url if False else auth_request.authorization_url})
+ return Response(status_code=302, headers={"Location": authorization_url})
 @router.get("/callback")
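Review bot: `prompt=login` in the second hunk is only a request carried in a URL that passes through the user's browser, so by itself it does not prove that a fresh authentication took place; the parameter can be dropped before the request reaches gnexus-auth, and the server has to honour it. If re-authentication is meant as a security property rather than a convenience, the `/callback` handler (outside this hunk) should check the ID token's `auth_time` claim against a short window, assuming gnexus-auth issues that claim. Separately, `qs["prompt"] = ["login"]` silently replaces any `prompt` value the gauth client may already have put in the URL, which deserves a comment such as `# overrides any prompt value set by the client library`. The enclosing login handler starts above the hunk, so I cannot see how `redirect_uri` is derived.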