diff --git a/docker-compose.yml b/docker-compose.yml
index 69743cf..1dce499 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -39,8 +39,8 @@ services:
     entrypoint: ["sh", "-c", "npm run cli db seed -- --swe && npm start"]
     environment:
       DB_URL: postgres://${POSTGRES_USER:-cameleer}:${POSTGRES_PASSWORD:-cameleer_dev}@postgres:5432/logto
-      ENDPOINT: ${LOGTO_PUBLIC_ENDPOINT:-http://localhost:3001}
-      ADMIN_ENDPOINT: ${LOGTO_ADMIN_ENDPOINT:-http://localhost:3002}
+      ENDPOINT: http://${PUBLIC_HOST:-localhost}:3001
+      ADMIN_ENDPOINT: http://${PUBLIC_HOST:-localhost}:3002
       TRUST_PROXY_HEADER: 1
     healthcheck:
       test: ["CMD-SHELL", "node -e \"require('http').get('http://localhost:3001/oidc/.well-known/openid-configuration', r => process.exit(r.statusCode === 200 ? 0 : 1)).on('error', () => process.exit(1))\""]
@@ -67,7 +67,8 @@ services:
     environment:
       LOGTO_ENDPOINT: http://logto:3001
       LOGTO_ADMIN_ENDPOINT: http://logto:3002
-      LOGTO_PUBLIC_ENDPOINT: ${LOGTO_PUBLIC_ENDPOINT:-http://localhost:3001}
+      LOGTO_PUBLIC_ENDPOINT: http://${PUBLIC_HOST:-localhost}:3001
+      PUBLIC_HOST: ${PUBLIC_HOST:-localhost}
       PG_HOST: postgres
       PG_USER: ${POSTGRES_USER:-cameleer}
       PG_PASSWORD: ${POSTGRES_PASSWORD:-cameleer_dev}
@@ -103,9 +104,9 @@ services:
       SPRING_DATASOURCE_USERNAME: ${POSTGRES_USER:-cameleer}
       SPRING_DATASOURCE_PASSWORD: ${POSTGRES_PASSWORD:-cameleer_dev}
       LOGTO_ENDPOINT: ${LOGTO_ENDPOINT:-http://logto:3001}
-      LOGTO_PUBLIC_ENDPOINT: ${LOGTO_PUBLIC_ENDPOINT:-http://localhost:3001}
-      LOGTO_ISSUER_URI: ${LOGTO_ISSUER_URI:-http://logto:3001/oidc}
-      LOGTO_JWK_SET_URI: ${LOGTO_JWK_SET_URI:-http://logto:3001/oidc/jwks}
+      LOGTO_PUBLIC_ENDPOINT: http://${PUBLIC_HOST:-localhost}:3001
+      LOGTO_ISSUER_URI: http://${PUBLIC_HOST:-localhost}:3001/oidc
+      LOGTO_JWK_SET_URI: http://${PUBLIC_HOST:-localhost}:3001/oidc/jwks
       LOGTO_M2M_CLIENT_ID: ${LOGTO_M2M_CLIENT_ID:-}
       LOGTO_M2M_CLIENT_SECRET: ${LOGTO_M2M_CLIENT_SECRET:-}
       CAMELEER3_SERVER_ENDPOINT: http://cameleer3-server:8081
@@ -138,7 +139,7 @@ services:
       CAMELEER_AUTH_TOKEN: ${CAMELEER_AUTH_TOKEN:-default-bootstrap-token}
       CAMELEER_JWT_SECRET: ${CAMELEER_JWT_SECRET:-cameleer-dev-jwt-secret-change-in-production}
       CAMELEER_TENANT_ID: ${CAMELEER_TENANT_SLUG:-default}
-      CAMELEER_OIDC_ISSUER_URI: ${LOGTO_ISSUER_URI:-http://logto:3001/oidc}
+      CAMELEER_OIDC_ISSUER_URI: http://${PUBLIC_HOST:-localhost}:3001/oidc
       CAMELEER_OIDC_AUDIENCE: ${CAMELEER_OIDC_AUDIENCE:-https://api.cameleer.local}
     healthcheck:
       test: ["CMD-SHELL", "curl -sf http://localhost:8081/api/v1/health || exit 1"]
diff --git a/docker/logto-bootstrap.sh b/docker/logto-bootstrap.sh
index 6690dc7..9e99101 100644
--- a/docker/logto-bootstrap.sh
+++ b/docker/logto-bootstrap.sh
@@ -40,11 +40,12 @@ SERVER_ENDPOINT="${SERVER_ENDPOINT:-http://cameleer3-server:8081}"
 SERVER_UI_USER="${SERVER_UI_USER:-admin}"
 SERVER_UI_PASS="${SERVER_UI_PASS:-admin}"
 
-# Redirect URIs
-SPA_REDIRECT_URIS='["http://localhost/callback","http://localhost:8080/callback","http://localhost:5173/callback"]'
-SPA_POST_LOGOUT_URIS='["http://localhost/login","http://localhost:8080/login","http://localhost:5173/login"]'
-TRAD_REDIRECT_URIS='["http://localhost:8081/oidc/callback"]'
-TRAD_POST_LOGOUT_URIS='["http://localhost:8081"]'
+# Redirect URIs (derived from PUBLIC_HOST)
+HOST="${PUBLIC_HOST:-localhost}"
+SPA_REDIRECT_URIS="[\"http://${HOST}/callback\",\"http://${HOST}:8080/callback\",\"http://${HOST}:5173/callback\"]"
+SPA_POST_LOGOUT_URIS="[\"http://${HOST}/login\",\"http://${HOST}:8080/login\",\"http://${HOST}:5173/login\"]"
+TRAD_REDIRECT_URIS="[\"http://${HOST}:8081/oidc/callback\"]"
+TRAD_POST_LOGOUT_URIS="[\"http://${HOST}:8081\"]"
 
 log() { echo "[bootstrap] $1"; }
 pgpass() { PGPASSWORD="${PG_PASSWORD:-cameleer_dev}"; export PGPASSWORD; }
@@ -96,14 +97,14 @@ M_DEFAULT_SECRET=$(psql -h "$PG_HOST" -U "$PG_USER" -d "$PG_DB_LOGTO" -t -A -c \
 get_admin_token() {
   curl -s -X POST "${LOGTO_ADMIN_ENDPOINT}/oidc/token" \
     -H "Content-Type: application/x-www-form-urlencoded" \
-    -H "Host: localhost:3002" \
+    -H "Host: ${HOST}:3002" \
     -d "grant_type=client_credentials&client_id=${1}&client_secret=${2}&resource=${MGMT_API_RESOURCE}&scope=all"
 }
 
 get_default_token() {
   curl -s -X POST "${LOGTO_ENDPOINT}/oidc/token" \
     -H "Content-Type: application/x-www-form-urlencoded" \
-    -H "Host: localhost:3001" \
+    -H "Host: ${HOST}:3001" \
     -d "grant_type=client_credentials&client_id=${1}&client_secret=${2}&resource=${MGMT_API_RESOURCE}&scope=all"
 }
 
@@ -115,18 +116,18 @@ log "Got Management API token."
 
 # --- Helper: Logto API calls ---
 api_get() {
-  curl -s -H "Authorization: Bearer $TOKEN" -H "Host: localhost:3001" "${LOGTO_ENDPOINT}${1}" 2>/dev/null || echo "[]"
+  curl -s -H "Authorization: Bearer $TOKEN" -H "Host: ${HOST}:3001" "${LOGTO_ENDPOINT}${1}" 2>/dev/null || echo "[]"
 }
 api_post() {
-  curl -s -X POST -H "Authorization: Bearer $TOKEN" -H "Content-Type: application/json" -H "Host: localhost:3001" \
+  curl -s -X POST -H "Authorization: Bearer $TOKEN" -H "Content-Type: application/json" -H "Host: ${HOST}:3001" \
     -d "$2" "${LOGTO_ENDPOINT}${1}" 2>/dev/null || true
 }
 api_put() {
-  curl -s -X PUT -H "Authorization: Bearer $TOKEN" -H "Content-Type: application/json" -H "Host: localhost:3001" \
+  curl -s -X PUT -H "Authorization: Bearer $TOKEN" -H "Content-Type: application/json" -H "Host: ${HOST}:3001" \
     -d "$2" "${LOGTO_ENDPOINT}${1}" 2>/dev/null || true
 }
 api_delete() {
-  curl -s -X DELETE -H "Authorization: Bearer $TOKEN" -H "Host: localhost:3001" "${LOGTO_ENDPOINT}${1}" 2>/dev/null || true
+  curl -s -X DELETE -H "Authorization: Bearer $TOKEN" -H "Host: ${HOST}:3001" "${LOGTO_ENDPOINT}${1}" 2>/dev/null || true
 }
 
 # ============================================================
@@ -442,7 +443,7 @@ if [ "$SERVER_HEALTHY" = "yes" ] && [ -n "$TRAD_SECRET" ]; then
       -H "Content-Type: application/json" \
       -d "{
         \"enabled\": true,
-        \"issuerUri\": \"$LOGTO_ENDPOINT/oidc\",
+        \"issuerUri\": \"$LOGTO_PUBLIC_ENDPOINT/oidc\",
         \"clientId\": \"$TRAD_ID\",
         \"clientSecret\": \"$TRAD_SECRET\",
         \"autoSignup\": true,
diff --git a/ui/src/components/Layout.tsx b/ui/src/components/Layout.tsx
index 9e68e21..355bd70 100644
--- a/ui/src/components/Layout.tsx
+++ b/ui/src/components/Layout.tsx
@@ -162,7 +162,7 @@ export function Layout() {
         <Sidebar.FooterLink
           icon={<ObsIcon />}
           label="View Dashboard"
-          onClick={() => window.open('http://localhost:8082', '_blank', 'noopener')}
+          onClick={() => window.open(`http://${window.location.hostname}:8082`, '_blank', 'noopener')}
         />
 
         {/* User info + logout */}
diff --git a/ui/src/config.ts b/ui/src/config.ts
index fc866c2..cb876f2 100644
--- a/ui/src/config.ts
+++ b/ui/src/config.ts
@@ -22,7 +22,7 @@ export async function fetchConfig(): Promise<AppConfig> {
 
   // Fallback to env vars (Vite dev mode)
   cached = {
-    logtoEndpoint: import.meta.env.VITE_LOGTO_ENDPOINT || 'http://localhost:3001',
+    logtoEndpoint: import.meta.env.VITE_LOGTO_ENDPOINT || `http://${window.location.hostname}:3001`,
     logtoClientId: import.meta.env.VITE_LOGTO_CLIENT_ID || '',
     logtoResource: import.meta.env.VITE_LOGTO_RESOURCE || '',
     scopes: [