diff --git a/.env.example b/.env.example
index 1fe5dde..f33d0c2 100644
--- a/.env.example
+++ b/.env.example
@@ -107,6 +107,13 @@ FRONTEND_PORT=80
 # IMPORTANT: Must be accessible from the user's browser!
 VITE_API_URL=http://localhost:3000
+# Authentik URL for frontend
+# The base URL of your Authentik instance (without application path)
+# Development: http://localhost:9000
+# Production: https://auth.yourdomain.com
+# IMPORTANT: Used for OAuth redirect URL construction
+VITE_AUTHENTIK_URL=https://auth.yourdomain.com
+
 # ============================================================================
 # AUTHENTIK OAUTH CONFIGURATION
 # ============================================================================
diff --git a/docker-compose.yml b/docker-compose.yml
index 6ee5bcb..99495c2 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -30,10 +30,19 @@ services:
 container_name: feuerwehr_backend_prod
 environment:
 NODE_ENV: production
- DATABASE_URL: postgresql://${POSTGRES_USER:-prod_user}:${POSTGRES_PASSWORD}@postgres:5432/${POSTGRES_DB:-feuerwehr_prod}
 PORT: 3000
+ DB_HOST: postgres
+ DB_PORT: 5432
+ DB_NAME: ${POSTGRES_DB:-feuerwehr_prod}
+ DB_USER: ${POSTGRES_USER:-prod_user}
+ DB_PASSWORD: ${POSTGRES_PASSWORD:?POSTGRES_PASSWORD is required}
 JWT_SECRET: ${JWT_SECRET:?JWT_SECRET is required}
+ JWT_EXPIRES_IN: ${JWT_EXPIRES_IN:-24h}
 CORS_ORIGIN: ${CORS_ORIGIN:-http://localhost:80}
+ AUTHENTIK_ISSUER: ${AUTHENTIK_ISSUER:?AUTHENTIK_ISSUER is required}
+ AUTHENTIK_CLIENT_ID: ${AUTHENTIK_CLIENT_ID:?AUTHENTIK_CLIENT_ID is required}
+ AUTHENTIK_CLIENT_SECRET: ${AUTHENTIK_CLIENT_SECRET:?AUTHENTIK_CLIENT_SECRET is required}
+ AUTHENTIK_REDIRECT_URI: ${AUTHENTIK_REDIRECT_URI:-http://localhost/auth/callback}
 ports:
 - "${BACKEND_PORT:-3000}:3000"
 depends_on:
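Review bot: `AUTHENTIK_REDIRECT_URI` in the backend `environment:` block of docker-compose.yml falls back to `http://localhost/auth/callback`, while the neighbouring Authentik settings use `:?` and stop the stack when unset. On a service running with `NODE_ENV: production`, a forgotten variable would silently configure a plain-HTTP localhost callback for the authorization code instead of failing at startup; `AUTHENTIK_REDIRECT_URI: ${AUTHENTIK_REDIRECT_URI:?AUTHENTIK_REDIRECT_URI is required}` would make it consistent. `DB_PASSWORD` and `AUTHENTIK_CLIENT_SECRET` also become container environment variables, readable through `docker inspect`; if the backend can read them from files, Compose `secrets:` would keep them out of the container metadata. The service definition itself starts above the hunk and `depends_on:` continues below it.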
@@ -55,9 +64,9 @@ services:
 dockerfile: Dockerfile
 args:
 VITE_API_URL: ${VITE_API_URL:-http://localhost:3000}
+ VITE_AUTHENTIK_URL: ${VITE_AUTHENTIK_URL:?VITE_AUTHENTIK_URL is required}
+ VITE_CLIENT_ID: ${AUTHENTIK_CLIENT_ID:?AUTHENTIK_CLIENT_ID is required}
 container_name: feuerwehr_frontend_prod
- environment:
- VITE_API_URL: ${VITE_API_URL:-http://localhost:3000}
 ports:
 - "${FRONTEND_PORT:-80}:80"
 depends_on:
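Review bot: The two new `args:` entries carry no comment saying that frontend build arguments are public. Vite normally inlines `VITE_`-prefixed values into the browser bundle, and build args can remain visible in image history, so a line such as `# Build args end up in the served JS bundle: public values only (URLs, client ID), never AUTHENTIK_CLIENT_SECRET` above `VITE_AUTHENTIK_URL` would guard against a later copy-paste of the secret. `VITE_CLIENT_ID` is also the only key here that drops the `AUTHENTIK` part of its source variable's name; whether the frontend expects exactly that name is not visible in this hunk. The service definition begins above the hunk and `depends_on:` continues below it.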