diff --git a/docker/logto-bootstrap.sh b/docker/logto-bootstrap.sh
index 2cce4fa..615bc1b 100644
--- a/docker/logto-bootstrap.sh
+++ b/docker/logto-bootstrap.sh
@@ -554,8 +554,9 @@ if [ "$SERVER_HEALTHY" = "yes" ] && [ -n "$TRAD_SECRET" ]; then
         \"autoSignup\": true,
         \"defaultRoles\": [\"VIEWER\"],
         \"displayNameClaim\": \"name\",
-        \"rolesClaim\": \"scope\",
-        \"audience\": \"$API_RESOURCE_INDICATOR\"
+        \"rolesClaim\": \"roles\",
+        \"audience\": \"$API_RESOURCE_INDICATOR\",
+        \"additionalScopes\": []
       }")
     log "OIDC config response: $(echo "$OIDC_RESPONSE" | head -c 200)"
     log "cameleer3-server OIDC configured."
@@ -566,6 +567,39 @@ else
   log "WARNING: cameleer3-server not available or no Traditional app secret — skipping OIDC config"
 fi
 
+# ============================================================
+# PHASE 7b: Configure Logto Custom JWT for access tokens
+# ============================================================
+# Adds a 'roles' claim to access tokens based on user's org roles and global roles.
+# This allows the server to extract roles from the access token using rolesClaim: "roles".
+
+log "Configuring Logto Custom JWT for access tokens..."
+CUSTOM_JWT_SCRIPT='const getCustomJwtClaims = async ({ token, context, environmentVariables }) => {
+  const roleMap = { admin: "server:admin", member: "server:viewer" };
+  const roles = new Set();
+  if (context?.user?.organizationRoles) {
+    for (const orgRole of context.user.organizationRoles) {
+      const mapped = roleMap[orgRole.roleName];
+      if (mapped) roles.add(mapped);
+    }
+  }
+  if (context?.user?.roles) {
+    for (const role of context.user.roles) {
+      if (role.name === "platform-admin") roles.add("server:admin");
+    }
+  }
+  return roles.size > 0 ? { roles: [...roles] } : {};
+};'
+
+CUSTOM_JWT_PAYLOAD=$(jq -n --arg script "$CUSTOM_JWT_SCRIPT" '{ script: $script }')
+CUSTOM_JWT_RESPONSE=$(api_put "/api/configs/jwt-customizer/access-token" "$CUSTOM_JWT_PAYLOAD" 2>&1)
+if echo "$CUSTOM_JWT_RESPONSE" | jq -e '.script' >/dev/null 2>&1; then
+  log "Custom JWT configured for access tokens."
+else
+  log "WARNING: Custom JWT configuration failed — server OIDC login may fall back to local roles"
+  log "Response: $(echo "$CUSTOM_JWT_RESPONSE" | head -c 200)"
+fi
+
 # ============================================================
 # PHASE 8: Configure sign-in branding
 # ============================================================