diff --git a/.env.example b/.env.example
index 22f2871..b762311 100644
--- a/.env.example
+++ b/.env.example
@@ -11,6 +11,7 @@ POSTGRES_DB=cameleer_saas
 # Logto Identity Provider
 LOGTO_ENDPOINT=http://logto:3001
+LOGTO_PUBLIC_ENDPOINT=http://localhost:3001
 LOGTO_ISSUER_URI=http://logto:3001/oidc
 LOGTO_JWK_SET_URI=http://logto:3001/oidc/jwks
 LOGTO_DB_PASSWORD=change_me_in_production
diff --git a/docker-compose.yml b/docker-compose.yml
index 2802ad9..cf0721d 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -92,6 +92,7 @@ services:
 SPRING_DATASOURCE_USERNAME: ${POSTGRES_USER:-cameleer}
 SPRING_DATASOURCE_PASSWORD: ${POSTGRES_PASSWORD:-cameleer_dev}
 LOGTO_ENDPOINT: ${LOGTO_ENDPOINT:-http://logto:3001}
+ LOGTO_PUBLIC_ENDPOINT: ${LOGTO_PUBLIC_ENDPOINT:-http://localhost:3001}
 LOGTO_ISSUER_URI: ${LOGTO_ISSUER_URI:-http://logto:3001/oidc}
 LOGTO_JWK_SET_URI: ${LOGTO_JWK_SET_URI:-http://logto:3001/oidc/jwks}
 LOGTO_M2M_CLIENT_ID: ${LOGTO_M2M_CLIENT_ID:-}
diff --git a/docker/logto-bootstrap.sh b/docker/logto-bootstrap.sh
index ba2a75d..849cfbd 100644
--- a/docker/logto-bootstrap.sh
+++ b/docker/logto-bootstrap.sh
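Review bot: `LOGTO_PUBLIC_ENDPOINT` is added to .env.example without a comment saying how it differs from `LOGTO_ENDPOINT`, and the docker-compose hunk on the same line defaults it to `http://localhost:3001` with the same silence. Since this value is what browsers get redirected to (per the PublicConfigController change further down), a one-line comment would spare the next operator a trip through the Java code: `# Browser-reachable Logto origin used in login redirects; LOGTO_ENDPOINT stays the container-network URL`. The same `http://localhost:3001` literal now lives in .env.example, docker-compose.yml and PublicConfigController; the comment could also state that the compose default presumably only suits local development, so a deployment has to set the variable explicitly.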
@@ -47,15 +47,22 @@ M_DEFAULT_SECRET=$(PGPASSWORD="${PG_PASSWORD:-cameleer_dev}" psql -h "$PG_HOST"
 log "Got m-default secret."
 # --- Get Management API token ---
-get_token() {
+get_admin_token() {
 curl -s -X POST "${LOGTO_ADMIN_ENDPOINT}/oidc/token" \
 -H "Content-Type: application/x-www-form-urlencoded" \
 -H "Host: localhost:3002" \
 -d "grant_type=client_credentials&client_id=${1}&client_secret=${2}&resource=${MGMT_API_RESOURCE}&scope=all"
 }
+get_default_token() {
+ curl -s -X POST "${LOGTO_ENDPOINT}/oidc/token" \
+ -H "Content-Type: application/x-www-form-urlencoded" \
+ -H "Host: localhost:3001" \
+ -d "grant_type=client_credentials&client_id=${1}&client_secret=${2}&resource=${MGMT_API_RESOURCE}&scope=all"
+}
+
 log "Getting Management API token..."
-TOKEN_RESPONSE=$(get_token "m-default" "$M_DEFAULT_SECRET")
+TOKEN_RESPONSE=$(get_admin_token "m-default" "$M_DEFAULT_SECRET")
 log "Token response: $(echo "$TOKEN_RESPONSE" | head -c 200)"
 TOKEN=$(echo "$TOKEN_RESPONSE" | jq -r '.access_token' 2>/dev/null)
 [ -z "$TOKEN" ] || [ "$TOKEN" = "null" ] && { log "ERROR: Failed to get token"; exit 1; }
@@ -137,7 +144,7 @@ else
 log "Assigned Management API role to M2M app."
 # Verify our M2M app works
- VERIFY=$(get_token "$M2M_ID" "$M2M_SECRET")
+ VERIFY=$(get_default_token "$M2M_ID" "$M2M_SECRET")
 VERIFY_TOKEN=$(echo "$VERIFY" | jq -r '.access_token')
 if [ -n "$VERIFY_TOKEN" ] && [ "$VERIFY_TOKEN" != "null" ]; then
 log "Verified M2M app works."
diff --git a/src/main/java/net/siegeln/cameleer/saas/config/PublicConfigController.java b/src/main/java/net/siegeln/cameleer/saas/config/PublicConfigController.java
index 87c70df..a0b101a 100644
--- a/src/main/java/net/siegeln/cameleer/saas/config/PublicConfigController.java
+++ b/src/main/java/net/siegeln/cameleer/saas/config/PublicConfigController.java
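Review bot: `get_default_token` duplicates the body of `get_admin_token` except for the endpoint variable and the `Host` header, so the two requests will drift apart; a shared helper that takes endpoint and host keeps them aligned, and the second hunk (the `VERIFY=` line inside an `else` branch that starts outside the hunk) only needs to call it. While doing that, switching from `-d "…client_id=${1}&client_secret=${2}…"` to one `--data-urlencode` per field percent-encodes the values, so a generated secret containing `&`, `=` or `+` no longer corrupts the form body. Both `Host` values are hard-coded while the URLs come from `${LOGTO_ADMIN_ENDPOINT}`/`${LOGTO_ENDPOINT}`; if those are ever pointed elsewhere the override presumably stops matching, so passing the host as a parameter at least makes the coupling visible. The secret still lands on curl's argv as it did before this change; if that matters on the bootstrap host, curl can read its request options from stdin via `--config -` instead.
```shell
# Request a client_credentials token from one Logto instance.
# $1 endpoint base URL, $2 Host header value, $3 client id, $4 client secret
request_token() {
  curl -s -X POST "${1}/oidc/token" \
    -H "Content-Type: application/x-www-form-urlencoded" \
    -H "Host: ${2}" \
    --data-urlencode "grant_type=client_credentials" \
    --data-urlencode "client_id=${3}" \
    --data-urlencode "client_secret=${4}" \
    --data-urlencode "resource=${MGMT_API_RESOURCE}" \
    --data-urlencode "scope=all"
}

get_admin_token()   { request_token "${LOGTO_ADMIN_ENDPOINT}" "localhost:3002" "$1" "$2"; }
get_default_token() { request_token "${LOGTO_ENDPOINT}" "localhost:3001" "$1" "$2"; }

# … unchanged: token request, jq extraction and error exit …
```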
@@ -17,8 +17,8 @@ public class PublicConfigController {
 private static final Logger log = LoggerFactory.getLogger(PublicConfigController.class);
 private static final String BOOTSTRAP_FILE = "/data/bootstrap/logto-bootstrap.json";
- @Value("${cameleer.identity.logto-endpoint:}")
- private String logtoEndpoint;
+ @Value("${cameleer.identity.logto-public-endpoint:${cameleer.identity.logto-endpoint:}}")
+ private String logtoPublicEndpoint;
 @Value("${cameleer.identity.spa-client-id:}")
 private String spaClientId;
@@ -34,8 +34,8 @@ public class PublicConfigController {
 clientId = readBootstrapClientId();
 }
- // Use external Logto endpoint for browser redirects
- String endpoint = logtoEndpoint;
+ // Use public endpoint for browser redirects (not Docker-internal URL)
+ String endpoint = logtoPublicEndpoint;
 if (endpoint == null || endpoint.isEmpty()) {
 endpoint = "http://localhost:3001";
 }
diff --git a/src/main/resources/application.yml b/src/main/resources/application.yml
index 6198cf9..b506b1c 100644
--- a/src/main/resources/application.yml
+++ b/src/main/resources/application.yml
@@ -35,6 +35,7 @@ cameleer:
 public-key-path: ${CAMELEER_JWT_PUBLIC_KEY_PATH:}
 identity:
 logto-endpoint: ${LOGTO_ENDPOINT:}
+ logto-public-endpoint: ${LOGTO_PUBLIC_ENDPOINT:}
 m2m-client-id: ${LOGTO_M2M_CLIENT_ID:}
 m2m-client-secret: ${LOGTO_M2M_CLIENT_SECRET:}
 spa-client-id: ${LOGTO_SPA_CLIENT_ID:}
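Review bot: The nested default in `@Value("${cameleer.identity.logto-public-endpoint:${cameleer.identity.logto-endpoint:}}")` contradicts the comment in the second hunk: if it ever applies, browsers are redirected to the Docker-internal `logto-endpoint` URL the comment says to avoid. In practice it likely never applies, because the application.yml hunk on this same line defines `logto-public-endpoint: ${LOGTO_PUBLIC_ENDPOINT:}` and, as far as I can tell, Spring uses a placeholder default only when the key is unresolvable rather than when it resolves to an empty string, so the empty value flows through to the `endpoint.isEmpty()` branch and the method's own `http://localhost:3001` wins. Dropping the fallback, `@Value("${cameleer.identity.logto-public-endpoint:}")`, makes the resolution order explicit and leaves a single default in the method. The method in the second hunk starts and ends outside the hunk; a short Javadoc on `logtoPublicEndpoint` stating that it must be the origin browsers can reach, not the container-network URL, would also help the next reader.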