diff --git a/docker-compose.yml b/docker-compose.yml
index 25d1757..3be0ba5 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -85,6 +85,8 @@ services:
 SMTP_USER: ${SMTP_USER:-}
 SMTP_PASS: ${SMTP_PASS:-}
 SMTP_FROM_EMAIL: ${SMTP_FROM_EMAIL:-noreply@cameleer.io}
+ extra_hosts:
+ - "${AUTH_HOST:-localhost}:host-gateway"
 healthcheck:
 test: ["CMD-SHELL", "node -e \"require('http').get('http://localhost:3001/oidc/.well-known/openid-configuration', r => process.exit(r.statusCode === 200 ? 0 : 1)).on('error', () => process.exit(1))\" && test -f /data/logto-bootstrap.json"]
 interval: 10s
diff --git a/installer/templates/docker-compose.saas.yml b/installer/templates/docker-compose.saas.yml
index 239d756..5b95e2b 100644
--- a/installer/templates/docker-compose.saas.yml
+++ b/installer/templates/docker-compose.saas.yml
@@ -32,6 +32,11 @@ services:
 SMTP_USER: ${SMTP_USER:-}
 SMTP_PASS: ${SMTP_PASS:-}
 SMTP_FROM_EMAIL: ${SMTP_FROM_EMAIL:-noreply@cameleer.io}
+ extra_hosts:
+ # Logto validates M2M tokens by fetching its own JWKS from ENDPOINT.
+ # Route the public hostname back to the Docker host (Traefik on :443)
+ # so the container can reach itself without going through the tunnel.
+ - "${AUTH_HOST:-localhost}:host-gateway"
 healthcheck:
 test: ["CMD-SHELL", "node -e \"require('http').get('http://localhost:3001/oidc/.well-known/openid-configuration', r => process.exit(r.statusCode === 200 ? 0 : 1)).on('error', () => process.exit(1))\" && test -f /data/logto-bootstrap.json"]
 interval: 10s
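Review bot: With AUTH_HOST unset, the `extra_hosts` entry added in docker-compose.yml expands to `localhost:host-gateway`, which puts a second `localhost` record in the container's /etc/hosts pointing at the Docker host. The healthcheck directly below calls `http://localhost:3001/...`, so depending on how the image's resolver orders the two records it may probe the host rather than the container, and anything else in the container that dials `localhost` is affected the same way. Either require the variable, `- "${AUTH_HOST:?AUTH_HOST must be set}:host-gateway"`, or pin the healthcheck to `http://127.0.0.1:3001/...`. The identical line is added in installer/templates/docker-compose.saas.yml and needs the same treatment. This file also lacks the explanatory comment that the template carries above the entry.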
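Review bot: The comment added in installer/templates/docker-compose.saas.yml explains why the entry exists but not what the service now depends on. After this change the JWKS used to validate M2M tokens is served by whatever answers on the Docker host for AUTH_HOST, so the fetch is only trustworthy while ENDPOINT is an https URL (presumably, given "Traefik on :443") and certificate verification stays enabled in the container. I would extend the comment with a line such as `# ENDPOINT must stay https:// with certificate verification on; this entry bypasses public DNS for AUTH_HOST.` It is also worth stating that `host-gateway` requires Docker Engine 20.10 or newer, since older engines do not understand the value.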