diff --git a/docs/REFERENCE.md b/docs/REFERENCE.md index 4324e06..00e8a21 100644 --- a/docs/REFERENCE.md +++ b/docs/REFERENCE.md @@ -1122,7 +1122,7 @@ mode: standalone persistence: size: 50Gi consoleIngress: - hosts: [minio.forteapps.net] + hosts: [zipline.forteapps.net] ingress: hosts: [s3.forteapps.net] ``` @@ -1134,7 +1134,7 @@ ingress: **SSO**: Native OIDC via Keycloak `forte` realm (client ID: `minio`). Self-service client config Secret (`keycloak-client-minio`) triggers registrar. Policy claim mapper maps user attributes to MinIO policies. **Endpoints**: -- Console: `https://minio.forteapps.net` +- Console: `https://zipline.forteapps.net` - S3 API: `https://s3.forteapps.net` **Secrets**: diff --git a/infra/overlays/upc-dev/minio/keycloak-client-config.yaml b/infra/overlays/upc-dev/minio/keycloak-client-config.yaml index dcd25ad..3d1e774 100644 --- a/infra/overlays/upc-dev/minio/keycloak-client-config.yaml +++ b/infra/overlays/upc-dev/minio/keycloak-client-config.yaml @@ -10,8 +10,8 @@ stringData: { "clientId": "minio", "name": "MinIO", - "redirectUris": ["https://minio.forteapps.net/oauth_callback"], - "webOrigins": ["https://minio.forteapps.net"], + "redirectUris": ["https://zipline.forteapps.net/oauth_callback"], + "webOrigins": ["https://zipline.forteapps.net"], "protocolMappers": [ { "name": "minio-policy-mapper", diff --git a/infra/values/base/keycloak-values.yaml b/infra/values/base/keycloak-values.yaml index c305055..4d8f587 100644 --- a/infra/values/base/keycloak-values.yaml +++ b/infra/values/base/keycloak-values.yaml @@ -338,7 +338,8 @@ extraDeploy: upsert_secret() { local ns="$1" name="$2" manifest="$3" local code - code=$(curl -sf -o /dev/null -w "%{http_code}" \ + # NOTE: intentionally no -f; we need to capture HTTP 404 without curl exiting 22 + code=$(curl -s -o /dev/null -w "%{http_code}" \ --cacert "$CA_CERT" \ -H "Authorization: Bearer ${SA_TOKEN}" \ -H "Content-Type: application/json" \ 
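Review bot: In `upsert_secret`, dropping `-f` while keeping `-s` means a transport failure (for example a TLS verification error against `$CA_CERT`) now yields `code=000` with no message at all, so `curl -sS` on the `code=$(curl -s -o /dev/null -w "%{http_code}" \` line would keep curl's error text on stderr. The same applies to the POST call in the `404` branch and to the `ns_status` lookup in the later hunks of this file. The function body continues outside the hunk, so it cannot be confirmed from here whether a code other than 200 or 404 is logged and treated as a failure. If it is not, an explicit `else` that prints the code and returns non-zero is worth adding.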
@@ -347,7 +348,7 @@ extraDeploy: if [ "$code" = "200" ]; then echo " Updated secret '${ns}/${name}'" elif [ "$code" = "404" ]; then - code=$(curl -sf -o /dev/null -w "%{http_code}" \ + code=$(curl -s -o /dev/null -w "%{http_code}" \ --cacert "$CA_CERT" \ -H "Authorization: Bearer ${SA_TOKEN}" \ -H "Content-Type: application/json" \ @@ -394,7 +395,7 @@ extraDeploy: # Get the client secret from Keycloak local secret_value - secret_value=$(curl -sf -H "Authorization: Bearer ${TOKEN}" \ + secret_value=$(curl -s -H "Authorization: Bearer ${TOKEN}" \ "${KEYCLOAK_URL}/admin/realms/${REALM}/clients/${client_uuid}/client-secret" \ | jq -r '.value') @@ -409,7 +410,7 @@ extraDeploy: # Write to target namespace (if it exists) local ns_status - ns_status=$(curl -sf -o /dev/null -w "%{http_code}" \ + ns_status=$(curl -s -o /dev/null -w "%{http_code}" \ --cacert "$CA_CERT" \ -H "Authorization: Bearer ${SA_TOKEN}" \ "${K8S_API}/api/v1/namespaces/${target_ns}") @@ -433,12 +434,12 @@ extraDeploy: local ns="$1" name="$2" key="$3" value="$4" local patch patch=$(printf '{"metadata":{"annotations":{"%s":"%s"}}}' "$key" "$value") - curl -sf -o /dev/null \ + curl -s -o /dev/null \ --cacert "$CA_CERT" \ -H "Authorization: Bearer ${SA_TOKEN}" \ -H "Content-Type: application/strategic-merge-patch+json" \ -X PATCH -d "$patch" \ - "${K8S_API}/api/v1/namespaces/${ns}/secrets/${name}" + "${K8S_API}/api/v1/namespaces/${ns}/secrets/${name}" || true } # ============================================= diff --git a/infra/values/upc-dev/minio-values.yaml b/infra/values/upc-dev/minio-values.yaml index aa2d421..7bfb048 100644 --- a/infra/values/upc-dev/minio-values.yaml +++ b/infra/values/upc-dev/minio-values.yaml 
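Review bot: Removing `-f` from the client-secret fetch changes what reaches `jq`: on a 401/403/404 Keycloak typically returns a JSON error body, and `jq -r '.value'` prints the literal string `null` for it instead of nothing. This call does not capture a status code, so nothing is gained by dropping `-f` here; keeping `curl -sf` or using `jq -r '.value // empty'` leaves `secret_value` empty on failure. The validation of `secret_value` lies outside the hunk; if it only tests for an empty string, `null` would presumably be written to the target Secret as the client secret.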
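Review bot: The annotation PATCH in the last hunk of this file can no longer fail visibly: without `-f` an HTTP 403 or 404 exits 0, the added `|| true` swallows transport errors as well, and `-s -o /dev/null` hides any output. If best-effort is intended, capture the status as the other helpers do by adding `-w "%{http_code}"` inside a `code=$(...) || true` assignment, then log with `[ "$code" = "200" ] || echo "  WARN: annotate '${ns}/${name}' returned HTTP ${code}" >&2`. Separately, `patch` is assembled with `printf` and no JSON escaping of `$key` or `$value`; since `jq` is already used in this script, `jq -n --arg` would build it safely. The function's opening line is outside the hunk.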
@@ -39,14 +39,16 @@ ingress: - s3.forteapps.net ## Native OIDC via Keycloak +## TEMPORARILY disabled: the registrar needs time to create minio-oidc-credentials. +## Re-enable once `kubectl get secret minio-oidc-credentials -n minio` succeeds. oidc: - enabled: true - configUrl: "https://id.forteapps.net/realms/forte/.well-known/openid-configuration" - clientId: "minio" - existingClientSecretName: "minio-oidc-credentials" - existingClientSecretKey: "client-secret" - claimName: "policy" - scopes: "openid,email,profile" - redirectUri: "https://zipline.forteapps.net/oauth_callback" - claimPrefix: "" - comment: "" + enabled: false + # configUrl: "https://id.forteapps.net/realms/forte/.well-known/openid-configuration" + # clientId: "minio" + # existingClientSecretName: "minio-oidc-credentials" + # existingClientSecretKey: "client-secret" + # claimName: "policy" + # scopes: "openid,email,profile" + # redirectUri: "https://zipline.forteapps.net/oauth_callback" + # claimPrefix: "" + # comment: ""
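Review bot: Commenting out the whole `oidc:` block to disable it makes re-enabling a ten-line edit that can drift. If the chart ignores the other keys when `enabled` is false (likely, but not visible here), flipping only `enabled: false` and keeping the values live would be a one-line revert. While OIDC is off the console presumably falls back to MinIO's built-in credentials, so the comment should say who may use them and carry a tracking reference, e.g. `## TODO(<owner>, <issue-id>): re-enable OIDC; console uses built-in credentials until then`. `docs/REFERENCE.md` in this same commit still describes SSO as native OIDC and should mention the temporary state.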