diff --git a/docker/cameleer-logto/logto-entrypoint.sh b/docker/cameleer-logto/logto-entrypoint.sh
index 7eb5a07..00b23da 100644
--- a/docker/cameleer-logto/logto-entrypoint.sh
+++ b/docker/cameleer-logto/logto-entrypoint.sh
@@ -24,6 +24,24 @@ for i in $(seq 1 120); do
   sleep 1
 done
 
+# Wait for admin endpoint to be routable through Traefik
+# The Management API needs ADMIN_ENDPOINT for admin tenant OIDC discovery.
+# Since bootstrap runs inside this container (not a separate one), Traefik
+# may not have discovered our labels yet — wait for it.
+if [ -n "$ADMIN_ENDPOINT" ]; then
+  echo "[entrypoint] Waiting for admin endpoint ($ADMIN_ENDPOINT) to be routable..."
+  for i in $(seq 1 60); do
+    if curl -sfk "$ADMIN_ENDPOINT/oidc/.well-known/openid-configuration" >/dev/null 2>&1; then
+      echo "[entrypoint] Admin endpoint ready."
+      break
+    fi
+    if [ "$i" -eq 60 ]; then
+      echo "[entrypoint] WARNING: Admin endpoint not reachable after 60s, bootstrap may fail"
+    fi
+    sleep 1
+  done
+fi
+
 # Run bootstrap if not already done
 BOOTSTRAP_FILE="/data/logto-bootstrap.json"
 if [ -f "$BOOTSTRAP_FILE" ]; then