diff --git a/docker-env2/docker-compose.yml b/docker-env2/docker-compose.yml
index 0a248233..a7c47637 100644
--- a/docker-env2/docker-compose.yml
+++ b/docker-env2/docker-compose.yml
@@ -6,6 +6,12 @@ services:
       SCADABRIDGE_CONFIG: Central
       ASPNETCORE_ENVIRONMENT: Development
       ASPNETCORE_URLS: "http://+:5000"
+      # DEV-ONLY local-cluster value — NOT a real secret. The Auth/Config normalization
+      # (2026-06-03) made ScadaBridge:InboundApi:ApiKeyPepper a hard Central startup
+      # requirement (>=16 chars, per-environment). Distinct from the docker/ cluster's
+      # pepper per the "different per environment" guidance; real deployments inject a
+      # true secret out-of-band, never from source control. Both Central nodes share it.
+      ScadaBridge__InboundApi__ApiKeyPepper: "dev-only-insecure-pepper-env2-cluster-0001"
     ports:
       - "9101:5000"   # Web UI + Inbound API
       - "9111:8081"   # Akka remoting
@@ -23,6 +29,12 @@ services:
       SCADABRIDGE_CONFIG: Central
       ASPNETCORE_ENVIRONMENT: Development
       ASPNETCORE_URLS: "http://+:5000"
+      # DEV-ONLY local-cluster value — NOT a real secret. The Auth/Config normalization
+      # (2026-06-03) made ScadaBridge:InboundApi:ApiKeyPepper a hard Central startup
+      # requirement (>=16 chars, per-environment). Distinct from the docker/ cluster's
+      # pepper per the "different per environment" guidance; real deployments inject a
+      # true secret out-of-band, never from source control. Both Central nodes share it.
+      ScadaBridge__InboundApi__ApiKeyPepper: "dev-only-insecure-pepper-env2-cluster-0001"
     ports:
       - "9102:5000"   # Web UI + Inbound API
       - "9112:8081"   # Akka remoting
diff --git a/docker/docker-compose.yml b/docker/docker-compose.yml
index eed0fce9..7e99afbe 100644
--- a/docker/docker-compose.yml
+++ b/docker/docker-compose.yml
@@ -6,6 +6,12 @@ services:
       SCADABRIDGE_CONFIG: Central
       ASPNETCORE_ENVIRONMENT: Development
       ASPNETCORE_URLS: "http://+:5000"
+      # DEV-ONLY local-cluster value — NOT a real secret. The Auth/Config normalization
+      # (2026-06-03) made ScadaBridge:InboundApi:ApiKeyPepper a hard Central startup
+      # requirement (>=16 chars, per-environment). Real deployments inject a true secret
+      # out-of-band (env/secret store), never from source control — see
+      # docs/operations/inbound-api-key-reissue.md. Both Central nodes share one pepper.
+      ScadaBridge__InboundApi__ApiKeyPepper: "dev-only-insecure-pepper-docker-cluster-0001"
     ports:
       - "9001:5000"   # Web UI + Inbound API
       - "9011:8081"   # Akka remoting (host access for CLI/debugging)
@@ -23,6 +29,12 @@ services:
       SCADABRIDGE_CONFIG: Central
       ASPNETCORE_ENVIRONMENT: Development
       ASPNETCORE_URLS: "http://+:5000"
+      # DEV-ONLY local-cluster value — NOT a real secret. The Auth/Config normalization
+      # (2026-06-03) made ScadaBridge:InboundApi:ApiKeyPepper a hard Central startup
+      # requirement (>=16 chars, per-environment). Real deployments inject a true secret
+      # out-of-band (env/secret store), never from source control — see
+      # docs/operations/inbound-api-key-reissue.md. Both Central nodes share one pepper.
+      ScadaBridge__InboundApi__ApiKeyPepper: "dev-only-insecure-pepper-docker-cluster-0001"
     ports:
       - "9002:5000"   # Web UI + Inbound API
       - "9012:8081"   # Akka remoting