diff --git a/docker/logto-bootstrap.sh b/docker/logto-bootstrap.sh
index 3678dbd..e82e43d 100644
--- a/docker/logto-bootstrap.sh
+++ b/docker/logto-bootstrap.sh
@@ -27,13 +27,6 @@ API_RESOURCE_NAME="Cameleer SaaS API"
 # Users (configurable via env vars)
 SAAS_ADMIN_USER="${SAAS_ADMIN_USER:-admin}"
 SAAS_ADMIN_PASS="${SAAS_ADMIN_PASS:-admin}"
-TENANT_ADMIN_USER="${TENANT_ADMIN_USER:-camel}"
-TENANT_ADMIN_PASS="${TENANT_ADMIN_PASS:-camel}"
-
-# Tenant config
-TENANT_NAME="Example Tenant"
-TENANT_SLUG="default"
-BOOTSTRAP_TOKEN="${CAMELEER_AUTH_TOKEN:-default-bootstrap-token}"
 # Vendor seed (optional — creates saas-vendor role + vendor user)
 VENDOR_SEED_ENABLED="${VENDOR_SEED_ENABLED:-false}"
@@ -474,16 +467,9 @@ if [ -n "$ADMIN_TENANT_USER_ID" ] && [ "$ADMIN_TENANT_USER_ID" != "null" ]; then
 log "WARNING: admin tenant roles not found"
 fi
- # Add to t-default organization with admin role
- admin_api_post "/api/organizations/t-default/users" "{\"userIds\": [\"$ADMIN_TENANT_USER_ID\"]}" >/dev/null 2>&1
- TENANT_ADMIN_ORG_ROLE_ID=$(admin_api_get "/api/organization-roles" | jq -r '.[] | select(.name == "admin") | .id')
- if [ -n "$TENANT_ADMIN_ORG_ROLE_ID" ] && [ "$TENANT_ADMIN_ORG_ROLE_ID" != "null" ]; then
- admin_api_post "/api/organizations/t-default/users/$ADMIN_TENANT_USER_ID/roles" "{\"organizationRoleIds\": [\"$TENANT_ADMIN_ORG_ROLE_ID\"]}" >/dev/null 2>&1
- log "Added to t-default organization with admin role."
- fi
- # Switch admin tenant sign-in mode from Register to SignIn (user already created)
+ # Switch sign-in mode from Register to SignIn (admin user already created)
 admin_api_patch "/api/sign-in-exp" '{"signInMode": "SignIn"}' >/dev/null 2>&1
- log "Set admin tenant sign-in mode to SignIn."
+ log "Set sign-in mode to SignIn."
 log "SaaS admin granted Logto console access."
 else
@@ -577,12 +563,7 @@ cat > "$BOOTSTRAP_FILE" </dev/null 2>&1
- admin_api_post "/api/organizations/t-default/users" "{\"userIds\": [\"$VENDOR_CONSOLE_USER_ID\"]}" >/dev/null 2>&1
 log "Vendor granted Logto console access."
 fi
 else
diff --git a/src/main/java/net/siegeln/cameleer/saas/provisioning/DockerTenantProvisioner.java b/src/main/java/net/siegeln/cameleer/saas/provisioning/DockerTenantProvisioner.java
index 4ed6702..36410ff 100644
--- a/src/main/java/net/siegeln/cameleer/saas/provisioning/DockerTenantProvisioner.java
+++ b/src/main/java/net/siegeln/cameleer/saas/provisioning/DockerTenantProvisioner.java
@@ -195,7 +195,9 @@ public class DockerTenantProvisioner implements TenantProvisioner {
 "SPRING_DATASOURCE_URL=" + props.datasourceUrl(),
 "SPRING_DATASOURCE_USERNAME=cameleer",
 "SPRING_DATASOURCE_PASSWORD=cameleer_dev",
- "CAMELEER_SERVER_CLICKHOUSE_URL=jdbc:clickhouse://clickhouse:8123/cameleer?user=default&password=cameleer_ch",
+ "CAMELEER_SERVER_CLICKHOUSE_URL=jdbc:clickhouse://clickhouse:8123/cameleer",
+ "CAMELEER_SERVER_CLICKHOUSE_USERNAME=" + props.clickhouseUser(),
+ "CAMELEER_SERVER_CLICKHOUSE_PASSWORD=" + props.clickhousePassword(),
 "CAMELEER_SERVER_TENANT_ID=" + slug,
 "CAMELEER_SERVER_SECURITY_BOOTSTRAPTOKEN=" + req.licenseToken(),
 "CAMELEER_SERVER_SECURITY_JWTSECRET=cameleer-dev-jwt-secret-change-in-production",
diff --git a/src/main/java/net/siegeln/cameleer/saas/provisioning/ProvisioningProperties.java b/src/main/java/net/siegeln/cameleer/saas/provisioning/ProvisioningProperties.java
index c12ba7a..932d0c4 100644
--- a/src/main/java/net/siegeln/cameleer/saas/provisioning/ProvisioningProperties.java
+++ b/src/main/java/net/siegeln/cameleer/saas/provisioning/ProvisioningProperties.java
@@ -12,6 +12,8 @@ public record ProvisioningProperties(
 String publicProtocol,
 String datasourceUrl,
 String clickhouseUrl,
+ String clickhouseUser,
+ String clickhousePassword,
 String oidcIssuerUri,
 String oidcJwkSetUri,
 String corsOrigins
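Review bot: The two added entries in DockerTenantProvisioner.java give every tenant container the same ClickHouse login the SaaS itself connects with (`props.clickhouseUser()` / `props.clickhousePassword()`), so separation between tenants in ClickHouse appears to rest only on the server's own `tenant_id` filtering. A tenant server that is compromised or misconfigured could presumably read or change other tenants' rows with that account, and values placed in the container environment are readable by anyone who can inspect the container. Consider a separate, least-privileged ClickHouse user for tenant servers, or at least record the assumption beside the lines: `// Shared ClickHouse account: tenant isolation depends on tenant_id filtering in the server`. The enclosing method starts and ends outside the hunk.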
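Review bot: `clickhousePassword` is added to ProvisioningProperties.java as a plain record component, and a record's generated `toString()` prints every component, so any log statement or exception message that formats the properties object would disclose the password. Override `toString()` in the record so that it prints `clickhousePassword=***` instead of the value, and add a one-line Javadoc stating that the component is a secret and must not be logged. The record declaration continues outside the hunk, so an existing override may already be present there.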
diff --git a/src/main/java/net/siegeln/cameleer/saas/provisioning/TenantDataCleanupService.java b/src/main/java/net/siegeln/cameleer/saas/provisioning/TenantDataCleanupService.java
index c1a3d09..49e0fe1 100644
--- a/src/main/java/net/siegeln/cameleer/saas/provisioning/TenantDataCleanupService.java
+++ b/src/main/java/net/siegeln/cameleer/saas/provisioning/TenantDataCleanupService.java
@@ -60,7 +60,7 @@ public class TenantDataCleanupService {
 return;
 }
- try (Connection conn = DriverManager.getConnection(url);
+ try (Connection conn = DriverManager.getConnection(url, props.clickhouseUser(), props.clickhousePassword());
 Statement stmt = conn.createStatement()) {
 // Find all tables with a tenant_id column
diff --git a/src/main/java/net/siegeln/cameleer/saas/vendor/InfrastructureService.java b/src/main/java/net/siegeln/cameleer/saas/vendor/InfrastructureService.java
index f8a58ec..fb85d67 100644
--- a/src/main/java/net/siegeln/cameleer/saas/vendor/InfrastructureService.java
+++ b/src/main/java/net/siegeln/cameleer/saas/vendor/InfrastructureService.java
@@ -275,6 +275,6 @@ public class InfrastructureService {
 }
 private Connection chConnection() throws SQLException {
- return DriverManager.getConnection(props.clickhouseUrl());
+ return DriverManager.getConnection(props.clickhouseUrl(), props.clickhouseUser(), props.clickhousePassword());
 }
 }
diff --git a/src/main/resources/application-local.yml b/src/main/resources/application-local.yml
index 78b754b..291ca40 100644
--- a/src/main/resources/application-local.yml
+++ b/src/main/resources/application-local.yml
@@ -22,4 +22,4 @@ cameleer:
 logtoendpoint: http://localhost:3001
 serverendpoint: http://localhost:8081
 provisioning:
- clickhouseurl: jdbc:clickhouse://localhost:8123/cameleer?user=default&password=cameleer_ch
+ clickhouseurl: jdbc:clickhouse://localhost:8123/cameleer
diff --git a/src/main/resources/application.yml b/src/main/resources/application.yml
index 7c87ec7..533332a 100644
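Review bot: The new `DriverManager.getConnection(url, props.clickhouseUser(), props.clickhousePassword())` call in TenantDataCleanupService.java still accepts whatever the configured URL contains, so a deployment that keeps overriding `CAMELEER_SAAS_PROVISIONING_CLICKHOUSEURL` with the old `?user=…&password=…` form now supplies credentials twice, and which pair the driver uses is not evident from this code. The same applies to `chConnection()` in InfrastructureService.java. Consider failing or warning at startup when the URL still carries a `password=` query parameter, and keep the URL out of log output while that form remains possible. The try block continues outside the hunk.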
--- a/src/main/resources/application.yml
+++ b/src/main/resources/application.yml
@@ -50,7 +50,9 @@ cameleer:
 publichost: ${CAMELEER_SAAS_PROVISIONING_PUBLICHOST:localhost}
 publicprotocol: ${CAMELEER_SAAS_PROVISIONING_PUBLICPROTOCOL:https}
 datasourceurl: ${CAMELEER_SAAS_PROVISIONING_DATASOURCEURL:jdbc:postgresql://postgres:5432/cameleer3}
- clickhouseurl: ${CAMELEER_SAAS_PROVISIONING_CLICKHOUSEURL:jdbc:clickhouse://clickhouse:8123/cameleer?user=default&password=cameleer_ch}
+ clickhouseurl: ${CAMELEER_SAAS_PROVISIONING_CLICKHOUSEURL:jdbc:clickhouse://clickhouse:8123/cameleer}
+ clickhouseuser: ${CAMELEER_SAAS_PROVISIONING_CLICKHOUSEUSER:default}
+ clickhousepassword: ${CAMELEER_SAAS_PROVISIONING_CLICKHOUSEPASSWORD:${CLICKHOUSE_PASSWORD:cameleer_ch}}
 oidcissueruri: ${cameleer.saas.provisioning.publicprotocol}://${cameleer.saas.provisioning.publichost}/oidc
 oidcjwkseturi: http://logto:3001/oidc/jwks
 corsorigins: ${cameleer.saas.provisioning.publicprotocol}://${cameleer.saas.provisioning.publichost}
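Review bot: The base `application.yml` still falls back to a fixed password in the added `clickhousepassword` line, paired with the `default` user, so a production deployment that sets neither environment variable starts with a credential that is published in the repository instead of failing. Drop the literal fallback here, `clickhousepassword: ${CAMELEER_SAAS_PROVISIONING_CLICKHOUSEPASSWORD:${CLICKHOUSE_PASSWORD}}`, and keep the development value in `application-local.yml`, where this commit removes the credentials from the URL without adding user or password entries. A comment such as `# required outside local development; intentionally no default` above the line would document the intent.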