diff --git a/docker/logto-bootstrap.sh b/docker/logto-bootstrap.sh
index 63f4f85..db838d5 100644
--- a/docker/logto-bootstrap.sh
+++ b/docker/logto-bootstrap.sh
@@ -107,7 +107,6 @@ get_default_token() {
   curl -s -X POST "${LOGTO_ENDPOINT}/oidc/token" \
     -H "Content-Type: application/x-www-form-urlencoded" \
     -H "Host: ${HOST}" \
-    -H "X-Forwarded-Proto: https" \
     -d "grant_type=client_credentials&client_id=${1}&client_secret=${2}&resource=${MGMT_API_RESOURCE}&scope=all"
 }
 
@@ -117,24 +116,23 @@ TOKEN=$(echo "$TOKEN_RESPONSE" | jq -r '.access_token' 2>/dev/null)
 [ -z "$TOKEN" ] || [ "$TOKEN" = "null" ] && { log "ERROR: Failed to get token"; exit 1; }
 log "Got Management API token."
 
-# --- Helper: Logto API calls (X-Forwarded-Proto needed since ENDPOINT is HTTPS but internal calls use HTTP) ---
-PROXY_HEADERS="-H Host:${HOST} -H X-Forwarded-Proto:https"
+# --- Helper: Logto API calls (default tenant, port 3001) ---
 api_get() {
-  curl -s -H "Authorization: Bearer $TOKEN" -H "Host: ${HOST}" -H "X-Forwarded-Proto: https" "${LOGTO_ENDPOINT}${1}" 2>/dev/null || echo "[]"
+  curl -s -H "Authorization: Bearer $TOKEN" -H "Host: ${HOST}" "${LOGTO_ENDPOINT}${1}" 2>/dev/null || echo "[]"
 }
 api_post() {
-  curl -s -X POST -H "Authorization: Bearer $TOKEN" -H "Content-Type: application/json" -H "Host: ${HOST}" -H "X-Forwarded-Proto: https" \
+  curl -s -X POST -H "Authorization: Bearer $TOKEN" -H "Content-Type: application/json" -H "Host: ${HOST}" \
     -d "$2" "${LOGTO_ENDPOINT}${1}" 2>/dev/null || true
 }
 api_put() {
-  curl -s -X PUT -H "Authorization: Bearer $TOKEN" -H "Content-Type: application/json" -H "Host: ${HOST}" -H "X-Forwarded-Proto: https" \
+  curl -s -X PUT -H "Authorization: Bearer $TOKEN" -H "Content-Type: application/json" -H "Host: ${HOST}" \
     -d "$2" "${LOGTO_ENDPOINT}${1}" 2>/dev/null || true
 }
 api_delete() {
-  curl -s -X DELETE -H "Authorization: Bearer $TOKEN" -H "Host: ${HOST}" -H "X-Forwarded-Proto: https" "${LOGTO_ENDPOINT}${1}" 2>/dev/null || true
+  curl -s -X DELETE -H "Authorization: Bearer $TOKEN" -H "Host: ${HOST}" "${LOGTO_ENDPOINT}${1}" 2>/dev/null || true
 }
 api_patch() {
-  curl -s -X PATCH -H "Authorization: Bearer $TOKEN" -H "Content-Type: application/json" -H "Host: ${HOST}" -H "X-Forwarded-Proto: https" \
+  curl -s -X PATCH -H "Authorization: Bearer $TOKEN" -H "Content-Type: application/json" -H "Host: ${HOST}" \
     -d "$2" "${LOGTO_ENDPOINT}${1}" 2>/dev/null || true
 }
 
@@ -143,7 +141,6 @@ api_patch() {
 # ============================================================
 
 EXISTING_APPS=$(api_get "/api/applications")
-log "DEBUG api_get /api/applications: $(echo "$EXISTING_APPS" | head -c 300)"
 
 # --- SPA app (for SaaS frontend) ---
 SPA_ID=$(echo "$EXISTING_APPS" | jq -r ".[] | select(.name == \"$SPA_APP_NAME\" and .type == \"SPA\") | .id")