diff --git a/cameleer-server-app/src/main/java/com/cameleer/server/app/dto/AuthCapabilitiesResponse.java b/cameleer-server-app/src/main/java/com/cameleer/server/app/dto/AuthCapabilitiesResponse.java
index 7466af68..ef2c4b0a 100644
--- a/cameleer-server-app/src/main/java/com/cameleer/server/app/dto/AuthCapabilitiesResponse.java
+++ b/cameleer-server-app/src/main/java/com/cameleer/server/app/dto/AuthCapabilitiesResponse.java
@@ -1,6 +1,7 @@
 package com.cameleer.server.app.dto;
 
 import io.swagger.v3.oas.annotations.media.Schema;
+import jakarta.validation.constraints.NotNull;
 
 @Schema(description = "Authentication capabilities reported to the SPA so it can render the login page deterministically")
 public record AuthCapabilitiesResponse(
@@ -11,7 +12,7 @@ public record AuthCapabilitiesResponse(
     @Schema(description = "OIDC interactive login")
     public record Oidc(
             @Schema(description = "Whether OIDC is configured AND enabled") boolean enabled,
-            @Schema(description = "Best-effort display label, e.g. \"Logto\", \"Keycloak\", \"Single Sign-On\"") String providerName,
+            @Schema(description = "Best-effort display label, e.g. \"Logto\", \"Keycloak\", \"Single Sign-On\"") @NotNull String providerName,
             @Schema(description = "When true, OIDC is the canonical entry point and the SPA hides the local form unless ?local is set") boolean primary
     ) {}