diff --git a/README.md b/README.md
index 23900ef..821ce7d 100644
--- a/README.md
+++ b/README.md
@@ -86,6 +86,9 @@ Settings can be provided via CLI flags, environment variables, config file (`cam
 |---------|----------|---------|------------|---------|
 | Admin username | `--admin-user` | `SAAS_ADMIN_USER` | `admin_user` | `admin` |
 | Admin password | `--admin-password` | `SAAS_ADMIN_PASS` | `admin_password` | auto-generated |
+| Admin email | `--admin-email` | `SAAS_ADMIN_EMAIL` | `admin_email` | `<username>@<PUBLIC_HOST>` |
+
+Email is the primary user identity in SaaS mode. All users — including the admin — must have an email address. If `SAAS_ADMIN_EMAIL` is not set, the bootstrap derives it from `<SAAS_ADMIN_USER>@<PUBLIC_HOST>`.
 
 In standalone mode, the env vars are `SERVER_ADMIN_USER` / `SERVER_ADMIN_PASS`.
 
diff --git a/templates/.env.example b/templates/.env.example
index a829050..f1de7ee 100644
--- a/templates/.env.example
+++ b/templates/.env.example
@@ -50,8 +50,11 @@ CLICKHOUSE_PASSWORD=CHANGE_ME
 # ============================================================
 # Admin credentials (SaaS mode)
 # ============================================================
+# Email is the primary user identity in SaaS mode. The admin email
+# defaults to <SAAS_ADMIN_USER>@<PUBLIC_HOST> if not set explicitly.
 SAAS_ADMIN_USER=admin
 SAAS_ADMIN_PASS=CHANGE_ME
+# SAAS_ADMIN_EMAIL=admin@example.com
 
 # ============================================================
 # Admin credentials (standalone mode)
diff --git a/templates/docker-compose.saas.yml b/templates/docker-compose.saas.yml
index 4cbd6e5..bf590f8 100644
--- a/templates/docker-compose.saas.yml
+++ b/templates/docker-compose.saas.yml
@@ -27,6 +27,7 @@ services:
       PG_DB_SAAS: cameleer_saas
       SAAS_ADMIN_USER: ${SAAS_ADMIN_USER:-admin}
       SAAS_ADMIN_PASS: ${SAAS_ADMIN_PASS:?SAAS_ADMIN_PASS must be set in .env}
+      SAAS_ADMIN_EMAIL: ${SAAS_ADMIN_EMAIL:-}
     extra_hosts:
       # Logto validates M2M tokens by fetching its own JWKS from ENDPOINT.
       # Route the public hostname back to the Docker host (Traefik on :443)