diff --git a/workout-system/sparkyfitness.yaml b/workout-system/sparkyfitness.yaml
index 89de147..9262f7a 100644
--- a/workout-system/sparkyfitness.yaml
+++ b/workout-system/sparkyfitness.yaml
@@ -22,7 +22,7 @@
 # api-encryption-key / better-auth-secret must NEVER change after first boot
 # (changing them locks out 2FA users and makes encrypted data unrecoverable).
 #
-# Authentik provider: OAuth2/OpenID, application slug `sparkyfitness`, confidential,
+# Authentik provider: OAuth2/OpenID, application slug `sparky-fitness`, confidential,
 # RS256, scopes `openid profile email`. Issuer must match SPARKY_FITNESS_OIDC_ISSUER_URL
 # below. Register the exact oidc-callback redirect URI shown in SparkyFitness admin
 # (Settings -> Authentication) once the app is up.
@@ -225,8 +225,10 @@ spec:
 # ---- OIDC (Authentik) — env-based provider upsert ----
 - name: SPARKY_FITNESS_OIDC_AUTH_ENABLED
 value: "true"
+ # NOTE: Authentik application slug is `sparky-fitness` (with hyphen) —
+ # the issuer path must match it exactly, or discovery 404s.
 - name: SPARKY_FITNESS_OIDC_ISSUER_URL
- value: "https://authentik.dooplex.hu/application/o/sparkyfitness/"
+ value: "https://authentik.dooplex.hu/application/o/sparky-fitness/"
 - name: SPARKY_FITNESS_OIDC_CLIENT_ID
 valueFrom:
 secretKeyRef:
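Review bot: The comment added above `SPARKY_FITNESS_OIDC_ISSUER_URL` in the second hunk explains the slug but not the trailing slash, which matters just as much. OIDC clients generally compare the configured issuer with the `issuer` field of the discovery document and the `iss` claim of the ID token as exact strings, and Authentik's per-provider issuer appears to end in `/`. I would extend the note with a line such as `# Keep the trailing slash; the value must equal the issuer Authentik publishes, character for character.` so that a later tidy-up does not break login or tempt someone into loosening issuer validation. The env list this entry sits in starts and ends outside the hunk.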