diff --git a/docker/logto-bootstrap.sh b/docker/logto-bootstrap.sh
index 2cce4fa..dbb24f2 100644
--- a/docker/logto-bootstrap.sh
+++ b/docker/logto-bootstrap.sh
@@ -107,6 +107,7 @@ get_default_token() {
   curl -s -X POST "${LOGTO_ENDPOINT}/oidc/token" \
     -H "Content-Type: application/x-www-form-urlencoded" \
     -H "Host: ${HOST}" \
+    -H "X-Forwarded-Proto: https" \
     -d "grant_type=client_credentials&client_id=${1}&client_secret=${2}&resource=${MGMT_API_RESOURCE}&scope=all"
 }
 
@@ -116,23 +117,24 @@ TOKEN=$(echo "$TOKEN_RESPONSE" | jq -r '.access_token' 2>/dev/null)
 [ -z "$TOKEN" ] || [ "$TOKEN" = "null" ] && { log "ERROR: Failed to get token"; exit 1; }
 log "Got Management API token."
 
-# --- Helper: Logto API calls ---
+# --- Helper: Logto API calls (X-Forwarded-Proto needed since ENDPOINT is HTTPS but internal calls use HTTP) ---
+PROXY_HEADERS="-H Host:${HOST} -H X-Forwarded-Proto:https"
 api_get() {
-  curl -s -H "Authorization: Bearer $TOKEN" -H "Host: ${HOST}" "${LOGTO_ENDPOINT}${1}" 2>/dev/null || echo "[]"
+  curl -s -H "Authorization: Bearer $TOKEN" -H "Host: ${HOST}" -H "X-Forwarded-Proto: https" "${LOGTO_ENDPOINT}${1}" 2>/dev/null || echo "[]"
 }
 api_post() {
-  curl -s -X POST -H "Authorization: Bearer $TOKEN" -H "Content-Type: application/json" -H "Host: ${HOST}" \
+  curl -s -X POST -H "Authorization: Bearer $TOKEN" -H "Content-Type: application/json" -H "Host: ${HOST}" -H "X-Forwarded-Proto: https" \
     -d "$2" "${LOGTO_ENDPOINT}${1}" 2>/dev/null || true
 }
 api_put() {
-  curl -s -X PUT -H "Authorization: Bearer $TOKEN" -H "Content-Type: application/json" -H "Host: ${HOST}" \
+  curl -s -X PUT -H "Authorization: Bearer $TOKEN" -H "Content-Type: application/json" -H "Host: ${HOST}" -H "X-Forwarded-Proto: https" \
     -d "$2" "${LOGTO_ENDPOINT}${1}" 2>/dev/null || true
 }
 api_delete() {
-  curl -s -X DELETE -H "Authorization: Bearer $TOKEN" -H "Host: ${HOST}" "${LOGTO_ENDPOINT}${1}" 2>/dev/null || true
+  curl -s -X DELETE -H "Authorization: Bearer $TOKEN" -H "Host: ${HOST}" -H "X-Forwarded-Proto: https" "${LOGTO_ENDPOINT}${1}" 2>/dev/null || true
 }
 api_patch() {
-  curl -s -X PATCH -H "Authorization: Bearer $TOKEN" -H "Content-Type: application/json" -H "Host: ${HOST}" \
+  curl -s -X PATCH -H "Authorization: Bearer $TOKEN" -H "Content-Type: application/json" -H "Host: ${HOST}" -H "X-Forwarded-Proto: https" \
     -d "$2" "${LOGTO_ENDPOINT}${1}" 2>/dev/null || true
 }