diff --git a/README.md b/README.md
index 3c2f9dff..fb20ca67 100644
--- a/README.md
+++ b/README.md
@@ -1 +1,8 @@
-# indiekit-blog
\ No newline at end of file
+# indiekit-blog
+
+## Admin login
+
+- The IndieKit admin is expected to run behind `/admin`.
+- Set `INDIEKIT_ADMIN_URL` to the public admin base URL, including trailing slash (example: `https://blog.giersig.eu/admin/`).
+- Login uses `PASSWORD_SECRET` (bcrypt hash), not `INDIEKIT_PASSWORD`.
+- If no `PASSWORD_SECRET` exists yet, open `/admin/auth/new-password` once to generate it.
\ No newline at end of file
diff --git a/indiekit.config.mjs b/indiekit.config.mjs
index 9a19b8b0..37adcbdd 100644
--- a/indiekit.config.mjs
+++ b/indiekit.config.mjs
@@ -1,15 +1,18 @@
+const rawAdminUrl =
+  process.env.INDIEKIT_ADMIN_URL || "https://blog.giersig.eu/admin/";
+const adminUrl = new URL(
+  rawAdminUrl.endsWith("/") ? rawAdminUrl : `${rawAdminUrl}/`,
+).href;
+
 export default {
-  url: "https://blog.giersig.eu",
   debug: "indiekit:*",
   application: {
     name: "Indiekit",
-    admin: {
-      username: "admin@blog.giersig.eu",
-      password: process.env.INDIEKIT_PASSWORD
-    }
-  },
-  "@indiekit/endpoint-auth": {
-    publicUrl: "https://blog.giersig.eu"
+    url: adminUrl,
+    authorizationEndpoint: new URL("auth", adminUrl).href,
+    introspectionEndpoint: new URL("auth/introspect", adminUrl).href,
+    tokenEndpoint: new URL("auth/token", adminUrl).href,
+    mongodbUrl: `mongodb://indiekit:${process.env.MONGO_PASSWORD}@10.100.0.20:27017/indiekit`,
   },
   publication: {
     me: "https://blog.giersig.eu",
@@ -41,8 +44,6 @@ export default {
     ],
   },
 
-  secret: process.env.SECRET,
-  mongodbUrl: `mongodb://indiekit:${process.env.MONGO_PASSWORD}@10.100.0.20:27017/indiekit`,
   plugins: [
     "@indiekit/store-github",
     "@rmdes/indiekit-endpoint-posts",