diff --git a/Sources/PIRService/Controllers/PrivacyPassController.swift b/Sources/PIRService/Controllers/PrivacyPassController.swift
index 816a6bb..3f71176 100644
--- a/Sources/PIRService/Controllers/PrivacyPassController.swift
+++ b/Sources/PIRService/Controllers/PrivacyPassController.swift
@@ -43,8 +43,10 @@ struct PrivacyPassController<UserAuthenticator: UserTokenAuthenticator> {
                 tokenKeyBase64Url: spki.base64URLEncodedString(),
                 notBefore: nil)
         }
+        // RFC 9578 §6: issuer-request-uri MUST be absolute — NEURLFilter rejects relative URIs.
+        // Configurable via PIR_ISSUER_REQUEST_URI env var (set in docker run).
         // swiftlint:disable:next force_unwrapping
-        let issuerRequestUri = URL(string: "/issue")!
+        let issuerRequestUri = URL(string: ProcessInfo.processInfo.environment["PIR_ISSUER_REQUEST_URI"] ?? "/issue")!
         return TokenIssuerDirectory(issuerRequestUri: issuerRequestUri, tokenKeys: tokenKeys)
     }