diff --git a/backend/WorkClub.Api/Program.cs b/backend/WorkClub.Api/Program.cs
index 1d5ff99..84bd50d 100644
--- a/backend/WorkClub.Api/Program.cs
+++ b/backend/WorkClub.Api/Program.cs
@@ -47,7 +47,7 @@ builder.Services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
         options.RequireHttpsMetadata = false;
         options.TokenValidationParameters = new Microsoft.IdentityModel.Tokens.TokenValidationParameters
         {
-            ValidateIssuer = true,
+            ValidateIssuer = false,  // Disabled for local dev - external clients use localhost:8080, internal use keycloak:8080
             ValidateAudience = true,
             ValidateLifetime = true,
             ValidateIssuerSigningKey = true
diff --git a/docker-compose.yml b/docker-compose.yml
index 1790b38..1872982 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -63,6 +63,7 @@ services:
       ConnectionStrings__DefaultConnection: "Host=postgres;Port=5432;Database=workclub;Username=workclub;Password=dev_password_change_in_production"
       Keycloak__Authority: "http://keycloak:8080/realms/workclub"
       Keycloak__Audience: "workclub-api"
+      Keycloak__TokenValidationParameters__ValidateIssuer: "false"
     ports:
       - "5001:8080"
     volumes: