diff --git a/docker-compose.yml b/docker-compose.yml index 1191ff5..dc46734 100644 --- a/docker-compose.yml +++ b/docker-compose.yml 
@@ -45,44 +45,44 @@ services: networks: - principal - traefik-network + labels: - # Traefik labels - - "traefik.enable=true" - - "traefik.docker.network=traefik-network" + - traefik.enable=true + - traefik.docker.network=traefik-network - # Service (shared by both routers) - - "traefik.http.services.${APP_NAME}.loadbalancer.server.port=3000" + - traefik.http.services.${APP_NAME}.loadbalancer.server.port=3000 - # Router 1: Public PWA resources (no auth) - Higher priority - - "traefik.http.routers.${APP_NAME}-public.rule=Host(`${APP_DOMAIN}`) && (PathPrefix(`/manifest.webmanifest`) || PathPrefix(`/sw.js`) || PathPrefix(`/workbox-`) || PathPrefix(`/icon-`) || PathPrefix(`/apple-touch-icon`) || PathPrefix(`/favicon.ico`) || PathPrefix(`/robots.txt`) || PathPrefix(`/offline.html`) || PathPrefix(`/api/_nuxt_icon/`))" - - "traefik.http.routers.${APP_NAME}-public.entrypoints=websecure" - - "traefik.http.routers.${APP_NAME}-public.tls.certresolver=letsencrypt" - - "traefik.http.routers.${APP_NAME}-public.priority=100" - - "traefik.http.routers.${APP_NAME}-public.service=${APP_NAME}" - - "traefik.http.routers.${APP_NAME}-public.middlewares=${APP_NAME}-headers,${APP_NAME}-cors" + # Public PWA (sin auth) + - traefik.http.routers.${APP_NAME}-public.rule=Host(`${APP_DOMAIN}`) && (PathPrefix(`/manifest.webmanifest`) || PathPrefix(`/sw.js`) || PathPrefix(`/workbox-`) || PathPrefix(`/icon-`) || PathPrefix(`/apple-touch-icon`) || PathPrefix(`/favicon.ico`) || PathPrefix(`/robots.txt`) || PathPrefix(`/offline.html`) || PathPrefix(`/api/_nuxt_icon/`)) + - traefik.http.routers.${APP_NAME}-public.entrypoints=websecure + - traefik.http.routers.${APP_NAME}-public.tls.certresolver=letsencrypt + - traefik.http.routers.${APP_NAME}-public.priority=100 + - traefik.http.routers.${APP_NAME}-public.service=${APP_NAME} + - traefik.http.routers.${APP_NAME}-public.middlewares=${APP_NAME}-headers,${APP_NAME}-cors - # Router 2: Protected application (with auth) - Normal priority - - 
"traefik.http.routers.${APP_NAME}.rule=Host(`${APP_DOMAIN}`)" - - "traefik.http.routers.${APP_NAME}.entrypoints=websecure" - - "traefik.http.routers.${APP_NAME}.tls.certresolver=letsencrypt" - - "traefik.http.routers.${APP_NAME}.priority=10" - - "traefik.http.routers.${APP_NAME}.service=${APP_NAME}" - - "traefik.http.routers.${APP_NAME}.middlewares=${APP_NAME}-authentik,${APP_NAME}-headers" + # App protegida (con auth) + - traefik.http.routers.${APP_NAME}.rule=Host(`${APP_DOMAIN}`) + - traefik.http.routers.${APP_NAME}.entrypoints=websecure + - traefik.http.routers.${APP_NAME}.tls.certresolver=letsencrypt + - traefik.http.routers.${APP_NAME}.priority=10 + - traefik.http.routers.${APP_NAME}.service=${APP_NAME} + - traefik.http.routers.${APP_NAME}.middlewares=${APP_NAME}-authentik,${APP_NAME}-headers - # Middleware de autenticación usando outpost exteriorlvl2 - - "traefik.http.middlewares.${APP_NAME}-authentik.forwardauth.address=http://ak-outpost-exterior-lvl2:9000/outpost.goauthentik.io/auth/traefik" - - "traefik.http.middlewares.${APP_NAME}-authentik.forwardauth.trustForwardHeader=true" - - "traefik.http.middlewares.${APP_NAME}-authentik.forwardauth.authResponseHeaders=X-authentik-username,X-authentik-email,X-authentik-name,X-authentik-uid,X-authentik-groups,X-authentik-entitlements,Set-Cookie" + # ForwardAuth → Outpost exteriorlvl2 + - traefik.http.middlewares.${APP_NAME}-authentik.forwardauth.address=https://exteriorlvl2.nucleoriofrio.com/outpost.goauthentik.io/auth/traefik + - traefik.http.middlewares.${APP_NAME}-authentik.forwardauth.trustForwardHeader=true + - traefik.http.middlewares.${APP_NAME}-authentik.forwardauth.authResponseHeaders=X-Authentik-Username,X-Authentik-Email,X-Authentik-Name,X-Authentik-Uid,X-Authentik-Groups,X-Authentik-Entitlements - # Custom headers middleware - - "traefik.http.middlewares.${APP_NAME}-headers.headers.customrequestheaders.X-Forwarded-Proto=https" - - 
"traefik.http.middlewares.${APP_NAME}-headers.headers.customrequestheaders.X-Forwarded-Scheme=https" + # Headers + - traefik.http.middlewares.${APP_NAME}-headers.headers.customrequestheaders.X-Forwarded-Proto=https + - traefik.http.middlewares.${APP_NAME}-headers.headers.customrequestheaders.X-Forwarded-Scheme=https + + # CORS para públicos + - traefik.http.middlewares.${APP_NAME}-cors.headers.accesscontrolallowmethods=GET,OPTIONS + - traefik.http.middlewares.${APP_NAME}-cors.headers.accesscontrolalloworiginlist=https://${APP_DOMAIN} + - traefik.http.middlewares.${APP_NAME}-cors.headers.accesscontrolmaxage=100 + - traefik.http.middlewares.${APP_NAME}-cors.headers.addvaryheader=true - # CORS middleware for public resources - - "traefik.http.middlewares.${APP_NAME}-cors.headers.accesscontrolallowmethods=GET,OPTIONS" - - "traefik.http.middlewares.${APP_NAME}-cors.headers.accesscontrolalloworiginlist=https://${APP_DOMAIN}" - - "traefik.http.middlewares.${APP_NAME}-cors.headers.accesscontrolmaxage=100" - - "traefik.http.middlewares.${APP_NAME}-cors.headers.addvaryheader=true" volumes: postgres_data:
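Review bot: The ForwardAuth address on the new side now points at the public FQDN `https://exteriorlvl2.nucleoriofrio.com/outpost.goauthentik.io/auth/traefik` instead of the outpost on the Docker network, so every auth sub-request leaves the internal network and depends on public DNS, a valid certificate (Traefik verifies it by default) and, if that host is served by this same Traefik, a hairpin back through its own entrypoint; the hunk gives no reason for dropping the internal address, so either restore `address=http://ak-outpost-exterior-lvl2:9000/outpost.goauthentik.io/auth/traefik` or state why the public path is required in the `# ForwardAuth` comment. The same lines keep `forwardauth.trustForwardHeader=true`, which makes Traefik pass client-supplied `X-Forwarded-*` headers to the outpost unchanged; that is only safe if the websecure entrypoint restricts `forwardedHeaders.trustedIPs`, which is configured outside this hunk and should be confirmed. `Set-Cookie` was silently dropped from `authResponseHeaders`; if the outpost is expected to refresh its session cookie on a 2xx response this presumably breaks that, so either re-add it or note in the comment that the removal is intentional. Hard-coding the outpost hostname in the label is also out of step with the `${APP_NAME}`/`${APP_DOMAIN}` pattern used everywhere else in this stanza; `address=https://${AUTHENTIK_OUTPOST_HOST}/outpost.goauthentik.io/auth/traefik` would keep it environment-driven.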