diff --git a/Sources/CodexBarCore/Providers/Alibaba/AlibabaCodingPlanAPIRegion.swift b/Sources/CodexBarCore/Providers/Alibaba/AlibabaCodingPlanAPIRegion.swift
index 1e7e5b772..2493e062d 100644
--- a/Sources/CodexBarCore/Providers/Alibaba/AlibabaCodingPlanAPIRegion.swift
+++ b/Sources/CodexBarCore/Providers/Alibaba/AlibabaCodingPlanAPIRegion.swift
@@ -79,7 +79,9 @@ public enum AlibabaCodingPlanAPIRegion: String, CaseIterable, Sendable {
         case .international:
             "https://bailian-singapore-cs.alibabacloud.com"
         case .chinaMainland:
-            "https://bailian-beijing-cs.aliyuncs.com"
+            // bailian-beijing-cs.aliyuncs.com and other *-cs.aliyuncs.com endpoints have SSL issues
+            // Use main console domain instead which has working SSL
+            "https://bailian.console.aliyun.com"
         }
     }
 
diff --git a/Sources/CodexBarCore/Providers/Alibaba/AlibabaCodingPlanProviderDescriptor.swift b/Sources/CodexBarCore/Providers/Alibaba/AlibabaCodingPlanProviderDescriptor.swift
index b15a40d54..b30863bd0 100644
--- a/Sources/CodexBarCore/Providers/Alibaba/AlibabaCodingPlanProviderDescriptor.swift
+++ b/Sources/CodexBarCore/Providers/Alibaba/AlibabaCodingPlanProviderDescriptor.swift
@@ -184,6 +184,8 @@ struct AlibabaCodingPlanWebFetchStrategy: ProviderFetchStrategy {
             return true
         case .invalidCredentials:
             return true
+        case .apiKeyUnavailableInRegion:
+            return false
         case let .apiError(message):
             return message.contains("HTTP 404") || message.contains("HTTP 403")
         case .networkError:
diff --git a/Sources/CodexBarCore/Providers/Alibaba/AlibabaCodingPlanUsageFetcher.swift b/Sources/CodexBarCore/Providers/Alibaba/AlibabaCodingPlanUsageFetcher.swift
index e3509d438..8998d3789 100644
--- a/Sources/CodexBarCore/Providers/Alibaba/AlibabaCodingPlanUsageFetcher.swift
+++ b/Sources/CodexBarCore/Providers/Alibaba/AlibabaCodingPlanUsageFetcher.swift
@@ -480,9 +480,7 @@ public struct AlibabaCodingPlanUsageFetcher: Sendable {
             let normalizedCode = codeText.lowercased()
             if normalizedCode.contains("needlogin") || normalizedCode.contains("login") {
                 if authMode == .apiKey {
-                    throw AlibabaCodingPlanUsageError.apiError(
-                        "This Alibaba endpoint requires a console session for this account/region. " +
-                            "API key mode may be unavailable in CN on this endpoint.")
+                    throw AlibabaCodingPlanUsageError.apiKeyUnavailableInRegion
                 }
                 throw AlibabaCodingPlanUsageError.loginRequired
             }
@@ -491,12 +489,13 @@ public struct AlibabaCodingPlanUsageFetcher: Sendable {
             let normalizedMessage = messageText.lowercased()
             if normalizedMessage.contains("log in") || normalizedMessage.contains("login") {
                 if authMode == .apiKey {
-                    throw AlibabaCodingPlanUsageError.apiError(
-                        "This Alibaba endpoint requires a console session for this account/region. " +
-                            "API key mode may be unavailable in CN on this endpoint.")
+                    throw AlibabaCodingPlanUsageError.apiKeyUnavailableInRegion
                 }
                 throw AlibabaCodingPlanUsageError.loginRequired
             }
+            if authMode == .apiKey && (normalizedMessage.contains("console session") || normalizedMessage.contains("api key mode may be unavailable")) {
+                throw AlibabaCodingPlanUsageError.apiKeyUnavailableInRegion
+            }
         }
 
         let instanceInfo = self.findActiveInstanceInfo(in: dictionary, now: now)
@@ -1079,6 +1078,7 @@ public enum AlibabaCodingPlanUsageError: LocalizedError, Sendable, Equatable {
     case networkError(String)
     case apiError(String)
     case parseFailed(String)
+    case apiKeyUnavailableInRegion
 
     var shouldRetryOnAlternateRegion: Bool {
         switch self {
@@ -1086,6 +1086,8 @@ public enum AlibabaCodingPlanUsageError: LocalizedError, Sendable, Equatable {
             true
         case .invalidCredentials:
             true
+        case .apiKeyUnavailableInRegion:
+            false
         case let .apiError(message):
             message.contains("HTTP 404") || message.contains("HTTP 403")
         case let .parseFailed(message):
@@ -1099,9 +1101,13 @@ public enum AlibabaCodingPlanUsageError: LocalizedError, Sendable, Equatable {
         switch self {
         case .loginRequired:
             "Alibaba Coding Plan console login is required. " +
-                "Sign in to Model Studio in a supported browser or paste a Cookie header."
+                "Sign in to Model Studio/Bailian in a supported browser or paste a Cookie header."
         case .invalidCredentials:
             "Alibaba Coding Plan API credentials are invalid or expired."
+        case .apiKeyUnavailableInRegion:
+            "Alibaba Coding Plan API key mode is not available for this account/region. " +
+                "Please use cookie authentication instead by enabling \"Cookie source\" in Settings → Providers → Alibaba, " +
+                "or switch to API key mode if your account supports it."
         case let .networkError(message):
             "Alibaba Coding Plan network error: \(message)"
         case let .apiError(message):