diff --git a/backend/WorkClub.Api/Endpoints/Clubs/ClubEndpoints.cs b/backend/WorkClub.Api/Endpoints/Clubs/ClubEndpoints.cs
index e12f203..c6a9b48 100644
--- a/backend/WorkClub.Api/Endpoints/Clubs/ClubEndpoints.cs
+++ b/backend/WorkClub.Api/Endpoints/Clubs/ClubEndpoints.cs
@@ -11,7 +11,7 @@ public static class ClubEndpoints
         var group = app.MapGroup("/api/clubs");
 
         group.MapGet("/me", GetMyClubs)
-            .RequireAuthorization("RequireMember")
+            .RequireAuthorization("RequireViewer")
             .WithName("GetMyClubs");
 
         group.MapGet("/current", GetCurrentClub)
diff --git a/backend/WorkClub.Api/Middleware/TenantValidationMiddleware.cs b/backend/WorkClub.Api/Middleware/TenantValidationMiddleware.cs
index 6d5a07c..c347ec2 100644
--- a/backend/WorkClub.Api/Middleware/TenantValidationMiddleware.cs
+++ b/backend/WorkClub.Api/Middleware/TenantValidationMiddleware.cs
@@ -22,6 +22,14 @@ public class TenantValidationMiddleware
             return;
         }
 
+        // Exempt /api/clubs/me from tenant validation - this is the bootstrap endpoint
+        if (context.Request.Path.StartsWithSegments("/api/clubs/me"))
+        {
+            _logger.LogInformation("TenantValidationMiddleware: Exempting {Path} from tenant validation", context.Request.Path);
+            await _next(context);
+            return;
+        }
+
         if (!context.Request.Headers.TryGetValue("X-Tenant-Id", out var tenantIdHeader) ||
             string.IsNullOrWhiteSpace(tenantIdHeader))
         {
diff --git a/docker-compose.yml b/docker-compose.yml
index 1872982..1fd21dc 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -79,12 +79,14 @@ services:
       context: ./frontend
       dockerfile: Dockerfile.dev
     container_name: workclub_frontend
+    extra_hosts:
+      - "localhost:host-gateway"
     environment:
       NEXT_PUBLIC_API_URL: "http://localhost:5001"
       API_INTERNAL_URL: "http://dotnet-api:8080"
       NEXTAUTH_URL: "http://localhost:3000"
       NEXTAUTH_SECRET: "dev-secret-change-in-production-use-openssl-rand-base64-32"
-      KEYCLOAK_CLIENT_ID: "workclub-api"
+      KEYCLOAK_CLIENT_ID: "workclub-app"
       KEYCLOAK_CLIENT_SECRET: "dev-secret-workclub-api-change-in-production"
       KEYCLOAK_ISSUER: "http://localhost:8080/realms/workclub"
     ports: