diff --git a/workout-system/sparkyfitness.yaml b/workout-system/sparkyfitness.yaml
index 32ab08a..88a51e3 100644
--- a/workout-system/sparkyfitness.yaml
+++ b/workout-system/sparkyfitness.yaml
@@ -208,10 +208,13 @@ spec:
 value: "INFO"
 - name: SPARKY_FITNESS_FRONTEND_URL
 value: "https://workout.dooplex.hu"
- # TEMPORARILY "false" to bootstrap the first admin account. With signup
- # disabled, even OIDC auto-register is blocked ("Signups are currently
- # disabled by the administrator"). Flip back to "true" immediately after
- # the admin (SPARKY_FITNESS_ADMIN_EMAIL) has logged in via Authentik once.
+ # MUST stay "false": this is the GLOBAL signup gate, and "true" blocks
+ # OIDC auto-register too ("Signups are currently disabled by the
+ # administrator"). We want OIDC self-registration to work, so it stays
+ # false; email/password registration is instead blocked by disabling
+ # email login entirely (SPARKY_FITNESS_DISABLE_EMAIL_LOGIN below).
+ # Who may actually register is then governed by Authentik (only users
+ # authorized for the SparkyFitness application can complete OIDC).
 - name: SPARKY_FITNESS_DISABLE_SIGNUP
 value: "false"
 - name: SPARKY_FITNESS_ADMIN_EMAIL
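Review bot: The new comment above SPARKY_FITNESS_DISABLE_SIGNUP asserts that password self-registration is closed by SPARKY_FITNESS_DISABLE_EMAIL_LOGIN, but a login toggle does not necessarily disable the registration endpoint, and with the global signup gate left at "false" the only thing standing between an anonymous client and a new account is that assumption. If the application merely hides the password form while the registration API stays reachable, anyone who can reach the backend can create an account that never passes through Authentik. I would verify this once with a direct request to the password registration route and record the outcome, e.g. `# Verified <date>: with DISABLE_EMAIL_LOGIN=true the password registration endpoint rejects requests; re-check after upgrades.`, and until that is done phrase the "instead blocked by" sentence as an expectation rather than a fact. The enclosing env list continues outside the hunk.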
@@ -220,11 +223,13 @@ spec:
 value: "true"
 - name: SPARKY_FITNESS_EXTRA_TRUSTED_ORIGINS
 value: "https://workout.home"
- # ---- Fail-safe: keep email/password login working during bring-up
- # so a misconfigured OIDC can't lock you out. REMOVE this (and
- # optionally set SPARKY_FITNESS_DISABLE_EMAIL_LOGIN=true) once the
- # Authentik OIDC login is confirmed working end-to-end.
- - name: SPARKY_FITNESS_FORCE_EMAIL_LOGIN
+ # OIDC login confirmed working (admin bootstrapped via Authentik 2026-05-27),
+ # so the email-login fail-safe is removed and email/password login +
+ # registration are disabled — Authentik (OIDC) is the only auth/signup path.
+ # EMERGENCY RECOVERY if ever locked out of OIDC: set
+ # SPARKY_FITNESS_FORCE_EMAIL_LOGIN=true on the deployment and restart to
+ # re-enable email/password login (it overrides DISABLE_EMAIL_LOGIN).
+ - name: SPARKY_FITNESS_DISABLE_EMAIL_LOGIN
 value: "true"
 # ---- OIDC (Authentik) — env-based provider upsert ----
 - name: SPARKY_FITNESS_OIDC_AUTH_ENABLED
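Review bot: The emergency-recovery instruction in the added comment reopens password self-registration, not just login: by the comment's own statement SPARKY_FITNESS_FORCE_EMAIL_LOGIN=true overrides DISABLE_EMAIL_LOGIN, and the previous hunk keeps SPARKY_FITNESS_DISABLE_SIGNUP at "false", so for the whole recovery window anyone reaching the service can create a password account. The note should pair the override with closing the signup gate, e.g. `# ... set SPARKY_FITNESS_FORCE_EMAIL_LOGIN=true AND SPARKY_FITNESS_DISABLE_SIGNUP=true for the duration, then revert both.` It is also worth stating whether the admin account (SPARKY_FITNESS_ADMIN_EMAIL) actually has a password to fall back to, since an account bootstrapped through Authentik may never have set one — confirm against the application before relying on this path. The enclosing env list continues outside the hunk.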