fix(auth): replace raw Cookie header with httpx cookie jar

src/notebooklm/_core.py

@@ -141,8 +141,8 @@ async def open(self) -> None:
             self._http_client = httpx.AsyncClient(
                 headers={
                     "Content-Type": "application/x-www-form-urlencoded;charset=UTF-8",
-                    "Cookie": self.auth.cookie_header,
                 },
+                cookies=self.auth.to_cookie_jar(),
                 timeout=timeout,
             )
 
@@ -161,7 +161,7 @@ def is_open(self) -> bool:
         return self._http_client is not None
 
     def update_auth_headers(self) -> None:
-        """Update HTTP client headers with current auth tokens.
+        """Update HTTP client cookies with current auth tokens.
 
         Call this after modifying auth tokens (e.g., after refresh_auth())
         to ensure the HTTP client uses the updated credentials.
@@ -171,7 +171,8 @@ def update_auth_headers(self) -> None:
         """
         if not self._http_client:
             raise RuntimeError("Client not initialized. Use 'async with' context.")
-        self._http_client.headers["Cookie"] = self.auth.cookie_header
+        for name, value in self.auth.cookies.items():
+            self._http_client.cookies.set(name, value, domain=".google.com")
 
     def _build_url(self, rpc_method: RPCMethod, source_path: str = "/") -> str:
         """Build the batchexecute URL for an RPC call.

src/notebooklm/auth.py

@@ -164,6 +164,18 @@ def cookie_header(self) -> str:
         """
         return "; ".join(f"{k}={v}" for k, v in self.cookies.items())
 
+    def to_cookie_jar(self) -> "httpx.Cookies":
+        """Create an httpx cookie jar from auth cookies.
+
+        Uses httpx.Cookies instead of raw Cookie headers so that cookies
+        are correctly sent on cross-domain redirects (e.g., when Google
+        redirects to accounts.google.com to refresh short-lived cookies).
+
+        Returns:
+            httpx.Cookies jar with all auth cookies set on .google.com domain.
+        """
+        return _build_cookie_jar(self.cookies)
+
     @classmethod
     async def from_storage(
         cls, path: Path | None = None, profile: str | None = None
@@ -642,6 +654,19 @@ def load_httpx_cookies(path: Path | None = None) -> "httpx.Cookies":
     return cookies
 
 
+def _build_cookie_jar(cookies: dict[str, str]) -> httpx.Cookies:
+    """Build an httpx cookie jar from a flat cookies dict.
+
+    Uses httpx.Cookies instead of raw Cookie headers so that cookies
+    are correctly sent on cross-domain redirects (e.g., when Google
+    redirects to accounts.google.com to refresh short-lived cookies).
+    """
+    jar = httpx.Cookies()
+    for name, value in cookies.items():
+        jar.set(name, value, domain=".google.com")
+    return jar
+
+
 async def fetch_tokens(cookies: dict[str, str]) -> tuple[str, str]:
     """Fetch CSRF token and session ID from NotebookLM homepage.
 
@@ -659,12 +684,12 @@ async def fetch_tokens(cookies: dict[str, str]) -> tuple[str, str]:
         ValueError: If tokens cannot be extracted from response
     """
     logger.debug("Fetching CSRF and session tokens from NotebookLM")
-    cookie_header = "; ".join(f"{k}={v}" for k, v in cookies.items())
 
-    async with httpx.AsyncClient() as client:
+    jar = _build_cookie_jar(cookies)
+
+    async with httpx.AsyncClient(cookies=jar) as client:
         response = await client.get(
             "https://notebooklm.google.com/",
-            headers={"Cookie": cookie_header},
             follow_redirects=True,
             timeout=30.0,
         )