diff --git a/frontend/src/auth/auth.ts b/frontend/src/auth/auth.ts
index 8f2460c..5af27f2 100644
--- a/frontend/src/auth/auth.ts
+++ b/frontend/src/auth/auth.ts
@@ -24,7 +24,7 @@ declare module "next-auth" {
 // In Docker, the Next.js server reaches Keycloak via internal hostname
 // (keycloak:8080) but the browser uses localhost:8080. Explicit endpoint
 // URLs bypass OIDC discovery, avoiding issuer mismatch validation errors.
-const issuerPublic = process.env.KEYCLOAK_ISSUER!
+const issuerPublic = process.env.KEYCLOAK_ISSUER || 'http://localhost:8080/realms/workclub'
 const issuerInternal = process.env.KEYCLOAK_ISSUER_INTERNAL || issuerPublic
 const oidcPublic = `${issuerPublic}/protocol/openid-connect`
 const oidcInternal = `${issuerInternal.replace(':8080', ':8081')}/protocol/openid-connect`
@@ -32,7 +32,7 @@ const oidcInternal = `${issuerInternal.replace(':8080', ':8081')}/protocol/openi
 export const { handlers, signIn, signOut, auth } = NextAuth({
   providers: [
     KeycloakProvider({
-      clientId: process.env.KEYCLOAK_CLIENT_ID!,
+      clientId: process.env.KEYCLOAK_CLIENT_ID || 'workclub-app',
       issuer: issuerPublic,
       authorization: {
         url: `${oidcPublic}/auth`,