diff --git a/backend/WorkClub.Api/Program.cs b/backend/WorkClub.Api/Program.cs
index 1cbe477..0382631 100644
--- a/backend/WorkClub.Api/Program.cs
+++ b/backend/WorkClub.Api/Program.cs
@@ -50,6 +50,15 @@ builder.Services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
         options.Audience = builder.Configuration["Keycloak:Audience"];
         options.RequireHttpsMetadata = false;
         options.MapInboundClaims = false;
+
+        // For Docker internal communication, use the direct Keycloak URL for metadata
+        // This bypasses the hostname mismatch in Keycloak's discovery endpoint
+        var keycloakAuthority = builder.Configuration["Keycloak:Authority"];
+        if (keycloakAuthority?.Contains("keycloak:") == true)
+        {
+            options.MetadataAddress = $"{keycloakAuthority}/.well-known/openid-configuration";
+        }
+
         options.TokenValidationParameters = new Microsoft.IdentityModel.Tokens.TokenValidationParameters
         {
             ValidateIssuer = false, // Disabled for local dev - external clients use localhost:8080, internal use keycloak:8080
diff --git a/docker-compose.yml b/docker-compose.yml
index a0f8439..77bcb3f 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -43,6 +43,9 @@ services:
       KC_HOSTNAME_STRICT: "false"
       KC_PROXY: "edge"
       KC_HTTP_PORT: "8081"
+      # Additional hostname for internal Docker communication
+      KC_HOSTNAME_ADMIN: "http://keycloak:8081"
+      KC_SPI_HOSTNAME_DEFAULT_ADMIN: "keycloak:8081"
     ports:
       - "8080:8081"
     volumes:
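Review bot: The gate `if (keycloakAuthority?.Contains("keycloak:") == true)` is a substring match over the whole configured Authority rather than a host check, so it also redirects metadata fetching for any value that merely contains that text (a longer hostname such as `not-keycloak:8081`, or a path segment), and the interpolation yields `//.well-known` if the Authority carries a trailing slash. A stricter form is `Uri.TryCreate(keycloakAuthority, UriKind.Absolute, out var authorityUri) && string.Equals(authorityUri.Host, "keycloak", StringComparison.OrdinalIgnoreCase)` with `options.MetadataAddress = $"{keycloakAuthority.TrimEnd('/')}/.well-known/openid-configuration";`. Because `RequireHttpsMetadata` is false and `ValidateIssuer` stays false in the surrounding lines, this override means the signing keys are taken over plain HTTP from whatever answers at the Docker name `keycloak` and tokens from any issuer are then accepted, which is acceptable in a compose dev stack but dangerous if the same configuration leaks into another environment; consider gating the branch on `builder.Environment.IsDevelopment()` as well and saying so in the comment. Note the surrounding comment refers to `keycloak:8080` while the compose file sets `KC_HTTP_PORT: "8081"`, so one of the two is stale. The `AddJwtBearer` options lambda starts and ends outside this hunk.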
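Review bot: The two added lines configure the same Keycloak setting twice in two formats, `KC_HOSTNAME_ADMIN` with a scheme and the legacy SPI spelling `KC_SPI_HOSTNAME_DEFAULT_ADMIN` without one, so one of them should be dropped (which one depends on the image version, which this hunk does not show). As far as I know the admin hostname only affects the admin console URLs, not the issuer and endpoint URLs advertised in the realm's discovery document, so this likely does not remove the hostname mismatch the Program.cs side is working around; on Keycloak 25+ the option meant for internal callers is `KC_HOSTNAME_BACKCHANNEL_DYNAMIC: "true"`, which would let the API keep `ValidateIssuer` on. Pointing the admin hostname at `http://keycloak:8081` also advertises the admin console over plain HTTP behind `KC_PROXY: "edge"`, which is fine only while this compose file is dev-only; replace the comment with `# Dev-only: admin console advertised over plain HTTP on the compose network` to make that explicit.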