diff --git a/docker/cameleer-logto/logto-entrypoint.sh b/docker/cameleer-logto/logto-entrypoint.sh
index 00b23da..d900d1b 100644
--- a/docker/cameleer-logto/logto-entrypoint.sh
+++ b/docker/cameleer-logto/logto-entrypoint.sh
@@ -1,13 +1,21 @@
 #!/bin/sh
 set -e
+# Save the real public endpoints for after bootstrap
+REAL_ENDPOINT="$ENDPOINT"
+REAL_ADMIN_ENDPOINT="$ADMIN_ENDPOINT"
+
 echo "[entrypoint] Seeding Logto database..."
 npm run cli db seed -- --swe 2>/dev/null || true
 echo "[entrypoint] Deploying database alterations..."
 npm run cli db alteration deploy 2>/dev/null || true
-echo "[entrypoint] Starting Logto..."
+# Start Logto with localhost endpoints so it can reach itself without Traefik
+export ENDPOINT="http://localhost:3001"
+export ADMIN_ENDPOINT="http://localhost:3002"
+
+echo "[entrypoint] Starting Logto (bootstrap mode)..."
 npm start &
 LOGTO_PID=$!
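Review bot: `REAL_ENDPOINT="$ENDPOINT"` and `REAL_ADMIN_ENDPOINT="$ADMIN_ENDPOINT"` cannot tell an unset variable from an empty one, so the restore in the last hunk (`export ENDPOINT="$REAL_ENDPOINT"`) turns a previously unset variable into an exported empty string. The block removed in the second hunk tested `[ -n "$ADMIN_ENDPOINT" ]`, which suggests an unset admin endpoint was a supported configuration. Whether Logto treats an empty value the same as an absent one is not visible here, so the restore would be safer as `if [ -n "$REAL_ENDPOINT" ]; then export ENDPOINT="$REAL_ENDPOINT"; else unset ENDPOINT; fi`, and likewise for `ADMIN_ENDPOINT`. Otherwise the production instance could start with an empty issuer base URL.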
@@ -24,26 +32,11 @@ for i in $(seq 1 120); do
 sleep 1
 done
-# Wait for admin endpoint to be routable through Traefik
-# The Management API needs ADMIN_ENDPOINT for admin tenant OIDC discovery.
-# Since bootstrap runs inside this container (not a separate one), Traefik
-# may not have discovered our labels yet — wait for it.
-if [ -n "$ADMIN_ENDPOINT" ]; then
- echo "[entrypoint] Waiting for admin endpoint ($ADMIN_ENDPOINT) to be routable..."
- for i in $(seq 1 60); do
- if curl -sfk "$ADMIN_ENDPOINT/oidc/.well-known/openid-configuration" >/dev/null 2>&1; then
- echo "[entrypoint] Admin endpoint ready."
- break
- fi
- if [ "$i" -eq 60 ]; then
- echo "[entrypoint] WARNING: Admin endpoint not reachable after 60s, bootstrap may fail"
- fi
- sleep 1
- done
-fi
-
-# Run bootstrap if not already done
+# Run bootstrap if not already done — use localhost since we're inside the container
 BOOTSTRAP_FILE="/data/logto-bootstrap.json"
+export LOGTO_ENDPOINT="http://localhost:3001"
+export LOGTO_ADMIN_ENDPOINT="http://localhost:3002"
+
 if [ -f "$BOOTSTRAP_FILE" ]; then
 CACHED_SECRET=$(jq -r '.m2mClientSecret // empty' "$BOOTSTRAP_FILE" 2>/dev/null)
 CACHED_SPA=$(jq -r '.spaClientId // empty' "$BOOTSTRAP_FILE" 2>/dev/null)
@@ -58,5 +51,13 @@ else
 /scripts/logto-bootstrap.sh
 fi
-echo "[entrypoint] Logto is running (PID $LOGTO_PID)."
-wait $LOGTO_PID
+# Restart Logto with real public endpoints
+echo "[entrypoint] Bootstrap done. Restarting Logto with public endpoints..."
+kill $LOGTO_PID 2>/dev/null
+wait $LOGTO_PID 2>/dev/null || true
+
+export ENDPOINT="$REAL_ENDPOINT"
+export ADMIN_ENDPOINT="$REAL_ADMIN_ENDPOINT"
+
+echo "[entrypoint] Starting Logto (production mode)..."
+exec npm start
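Review bot: The localhost URLs are spelled out a second time here for `LOGTO_ENDPOINT` and `LOGTO_ADMIN_ENDPOINT`, duplicating the literals the first hunk assigns to `ENDPOINT` and `ADMIN_ENDPOINT`, so a port change has to be made in two places. Since `ENDPOINT` already holds the localhost value at this point, `export LOGTO_ENDPOINT="$ENDPOINT"` and `export LOGTO_ADMIN_ENDPOINT="$ADMIN_ENDPOINT"` would keep them in step. Both exports also stay in the environment of the final `exec npm start`; whether or not Logto reads them, `unset LOGTO_ENDPOINT LOGTO_ADMIN_ENDPOINT` before the restart would leave the production process with only the public values. The `if [ -f "$BOOTSTRAP_FILE" ]` block continues outside the hunk.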
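Review bot: `kill $LOGTO_PID 2>/dev/null` has no `|| true`, and the script runs under `set -e`, so if the bootstrap-mode process has already exited the entrypoint stops at this line with the error text discarded and Logto is never started in production mode. `kill "$LOGTO_PID" 2>/dev/null || true` would match the `wait` on the following line. Separately, `$LOGTO_PID` is the PID of the backgrounded `npm start`, which is not necessarily the server process it spawns. If the signal is not forwarded, the bootstrap instance may keep its ports and localhost endpoints, so it may be worth confirming the listener is gone before `exec npm start`.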