diff --git a/docker/logto-bootstrap.sh b/docker/logto-bootstrap.sh
index 988f967..aaf2077 100644
--- a/docker/logto-bootstrap.sh
+++ b/docker/logto-bootstrap.sh
@@ -376,14 +376,53 @@ else
   fi
 fi
-# --- Grant SaaS admin Logto console access ---
+# --- Grant SaaS admin Logto console access (admin tenant, port 3002) ---
 log "Granting SaaS admin Logto console access..."
-ADMIN_MGMT_ROLE_ID=$(api_get "/api/roles" | jq -r '.[] | select(.name == "admin:admin") | .id')
-if [ -n "$ADMIN_MGMT_ROLE_ID" ] && [ "$ADMIN_MGMT_ROLE_ID" != "null" ]; then
-  api_post "/api/users/$ADMIN_USER_ID/roles" "{\"roleIds\": [\"$ADMIN_MGMT_ROLE_ID\"]}" >/dev/null 2>&1
+
+# Admin-tenant API helpers (port 3002)
+admin_api_get() {
+  curl -s -H "Authorization: Bearer $TOKEN" -H "Host: ${HOST}:3002" "${LOGTO_ADMIN_ENDPOINT}${1}" 2>/dev/null || echo "[]"
+}
+admin_api_post() {
+  curl -s -X POST -H "Authorization: Bearer $TOKEN" -H "Content-Type: application/json" -H "Host: ${HOST}:3002" \
+    -d "$2" "${LOGTO_ADMIN_ENDPOINT}${1}" 2>/dev/null || true
+}
+
+# Check if admin user already exists on admin tenant
+ADMIN_TENANT_USER_ID=$(admin_api_get "/api/users?search=$SAAS_ADMIN_USER" | jq -r ".[] | select(.username == \"$SAAS_ADMIN_USER\") | .id")
+if [ -z "$ADMIN_TENANT_USER_ID" ] || [ "$ADMIN_TENANT_USER_ID" = "null" ]; then
+  log "Creating admin console user '$SAAS_ADMIN_USER'..."
+  ADMIN_TENANT_RESPONSE=$(admin_api_post "/api/users" "{
+    \"username\": \"$SAAS_ADMIN_USER\",
+    \"password\": \"$SAAS_ADMIN_PASS\",
+    \"name\": \"Platform Admin\"
+  }")
+  ADMIN_TENANT_USER_ID=$(echo "$ADMIN_TENANT_RESPONSE" | jq -r '.id')
+  log "Created admin console user: $ADMIN_TENANT_USER_ID"
+else
+  log "Admin console user exists: $ADMIN_TENANT_USER_ID"
+fi
+
+if [ -n "$ADMIN_TENANT_USER_ID" ] && [ "$ADMIN_TENANT_USER_ID" != "null" ]; then
+  # Assign default:admin role (Management API access)
+  ADMIN_ROLE_ID=$(admin_api_get "/api/roles" | jq -r '.[] | select(.name == "default:admin") | .id')
+  if [ -n "$ADMIN_ROLE_ID" ] && [ "$ADMIN_ROLE_ID" != "null" ]; then
+    admin_api_post "/api/users/$ADMIN_TENANT_USER_ID/roles" "{\"roleIds\": [\"$ADMIN_ROLE_ID\"]}" >/dev/null 2>&1
+    log "Assigned default:admin role."
+  else
+    log "WARNING: default:admin role not found"
+  fi
+
+  # Add to t-default organization with admin role
+  admin_api_post "/api/organizations/t-default/users" "{\"userIds\": [\"$ADMIN_TENANT_USER_ID\"]}" >/dev/null 2>&1
+  TENANT_ADMIN_ORG_ROLE_ID=$(admin_api_get "/api/organization-roles" | jq -r '.[] | select(.name == "admin") | .id')
+  if [ -n "$TENANT_ADMIN_ORG_ROLE_ID" ] && [ "$TENANT_ADMIN_ORG_ROLE_ID" != "null" ]; then
+    admin_api_post "/api/organizations/t-default/users/$ADMIN_TENANT_USER_ID/roles" "{\"organizationRoleIds\": [\"$TENANT_ADMIN_ORG_ROLE_ID\"]}" >/dev/null 2>&1
+    log "Added to t-default organization with admin role."
+  fi
   log "SaaS admin granted Logto console access."
 else
-  log "WARNING: admin:admin role not found — Logto console access not granted"
+  log "WARNING: Could not create admin console user"
 fi
 # --- Tenant Admin ---
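Review bot: The `/api/users` creation call hands `$SAAS_ADMIN_PASS` to curl as an argv value (`-d "$2"` in `admin_api_post`) and splices it unescaped into a hand-built JSON string, so the console password is readable by any local process listing while the request runs, and a password containing `"` or `\` yields a malformed body that the helper's `-s … 2>/dev/null || true` then silently collapses into an empty response, leaving only the generic "Could not create admin console user" warning. Build the body with `jq -n --arg`, feed it to curl on stdin (`-d @-`), and add `--fail` so a 4xx is distinguishable from success; the same `--arg` treatment belongs on the existence check, where `$SAAS_ADMIN_USER` is interpolated both into the jq program (`select(.username == \"$SAAS_ADMIN_USER\")`) and, unencoded, into the `?search=` query string. The role-assignment calls further down discard the helper's result before logging `Assigned default:admin role.` and `Added to t-default organization with admin role.`, so the bootstrap log can claim success after a rejected request; testing the helper's exit status before those log lines keeps the output truthful. Whether the `$TOKEN` minted earlier in the script is accepted by the admin tenant on port 3002 is not visible in this hunk — if it was issued for a different tenant's Management API resource, every call here would fail in the same silent way, which is one more reason to surface HTTP errors.
```shell
admin_api_post() {
  # Body arrives on stdin (-d @-) so the JSON, and any secret in it, never appears in curl's argv.
  # --fail turns an HTTP 4xx/5xx into a non-zero exit instead of a success-looking error body.
  printf '%s' "$2" | curl -sS --fail -X POST -H "Authorization: Bearer $TOKEN" \
    -H "Content-Type: application/json" -H "Host: ${HOST}:3002" \
    -d @- "${LOGTO_ADMIN_ENDPOINT}${1}" || true
}
# … unchanged: existence check (use `jq -r --arg u "$SAAS_ADMIN_USER" '.[] | select(.username == $u) | .id'`) …
  ADMIN_TENANT_BODY=$(jq -n --arg u "$SAAS_ADMIN_USER" --arg p "$SAAS_ADMIN_PASS" \
    '{username: $u, password: $p, name: "Platform Admin"}')
  ADMIN_TENANT_RESPONSE=$(admin_api_post "/api/users" "$ADMIN_TENANT_BODY")
# … unchanged: id extraction, role and organization assignment (check the helper's status before each success log) …
```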