diff --git a/src/main/java/net/siegeln/cameleer/saas/provisioning/DockerTenantProvisioner.java b/src/main/java/net/siegeln/cameleer/saas/provisioning/DockerTenantProvisioner.java
index c530668..96f246d 100644
--- a/src/main/java/net/siegeln/cameleer/saas/provisioning/DockerTenantProvisioner.java
+++ b/src/main/java/net/siegeln/cameleer/saas/provisioning/DockerTenantProvisioner.java
@@ -199,9 +199,9 @@ public class DockerTenantProvisioner implements TenantProvisioner {
             "CAMELEER_SERVER_TENANT_ID=" + slug,
             "CAMELEER_SERVER_SECURITY_BOOTSTRAPTOKEN=" + req.licenseToken(),
             "CAMELEER_SERVER_SECURITY_JWTSECRET=cameleer-dev-jwt-secret-change-in-production",
-            "CAMELEER_SERVER_SECURITY_OIDCISSUERURI=" + props.oidcIssuerUri(),
-            "CAMELEER_SERVER_SECURITY_OIDCJWKSETURI=" + props.oidcJwkSetUri(),
-            "CAMELEER_SERVER_SECURITY_OIDCAUDIENCE=https://api.cameleer.local",
+            "CAMELEER_SERVER_SECURITY_OIDC_ISSUERURI=" + props.oidcIssuerUri(),
+            "CAMELEER_SERVER_SECURITY_OIDC_JWKSETURI=" + props.oidcJwkSetUri(),
+            "CAMELEER_SERVER_SECURITY_OIDC_AUDIENCE=https://api.cameleer.local",
             "CAMELEER_SERVER_SECURITY_CORSALLOWEDORIGINS=" + props.corsOrigins(),
             "CAMELEER_SERVER_LICENSE_TOKEN=" + req.licenseToken(),
             "CAMELEER_SERVER_RUNTIME_ENABLED=true",
@@ -215,7 +215,7 @@ public class DockerTenantProvisioner implements TenantProvisioner {
         ));
         // If no CA bundle exists, fall back to TLS skip for OIDC (self-signed dev)
         if (!java.nio.file.Files.exists(java.nio.file.Path.of("/certs/ca.pem"))) {
-            env.add("CAMELEER_SERVER_SECURITY_OIDCTLSSKIPVERIFY=true");
+            env.add("CAMELEER_SERVER_SECURITY_OIDC_TLSSKIPVERIFY=true");
         }
 
         // Primary network = tenant-isolated network