diff --git a/app/api/auth/register/route.ts b/app/api/auth/register/route.ts
index d64074b0..8eedc20b 100644
--- a/app/api/auth/register/route.ts
+++ b/app/api/auth/register/route.ts
@@ -2,14 +2,17 @@ import { NextResponse } from "next/server";
 const DIRECTUS = (process.env.DIRECTUS_URL || process.env.NEXT_PUBLIC_API_BASE_URL || "").replace(/\/$/, "");
-const SERVICE_TOKEN =
-process.env.DIRECTUS_TOKEN_ADMIN_REGISTER || "";
+
+// Registration MUST use only the dedicated admin-register token. No fallbacks.
+const SERVICE_TOKEN = process.env.DIRECTUS_TOKEN_ADMIN_REGISTER || "";
+
 const DEFAULT_ROLE = process.env.DIRECTUS_DEFAULT_ROLE || undefined;
 const SECURE = process.env.NODE_ENV === "production";
 function bad(message: string, status = 400) {
 return NextResponse.json({ error: message }, { status });
 }
+
 const EMAIL_RE = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;
 async function directusLogin(email: string, password: string) {
@@ -27,7 +30,7 @@ async function directusLogin(email: string, password: string) {
 export async function POST(req: Request) {
 try {
 if (!DIRECTUS) return bad("Missing DIRECTUS_URL/NEXT_PUBLIC_API_BASE_URL", 500);
- if (!SERVICE_TOKEN) return bad("Missing DIRECTUS_SERVICE_TOKEN / admin token", 500);
+ if (!SERVICE_TOKEN) return bad("Missing DIRECTUS_TOKEN_ADMIN_REGISTER", 500);
 const body = await req.json().catch(() => ({} as any));
 const email = String(body?.email ?? "").trim().toLowerCase();
@@ -58,12 +61,12 @@ export async function POST(req: Request) {
 return bad("Email or username already in use", 409);
 }
- // Create user with sane defaults
+ // Create user with sane defaults (no provider — Directus defaults to "default")
 const createPayload: any = {
 email,
 username,
 password,
- status: "active",,
+ status: "active",
 };
 if (DEFAULT_ROLE) createPayload.role = DEFAULT_ROLE;
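Review bot: The new message in `if (!SERVICE_TOKEN) return bad("Missing DIRECTUS_TOKEN_ADMIN_REGISTER", 500);` hands the exact name of a server-side secret variable to any unauthenticated caller of the registration route; a deployment misconfiguration belongs in the server log, not in the response body. I would change it to `if (!SERVICE_TOKEN) { console.error("register: DIRECTUS_TOKEN_ADMIN_REGISTER is not set"); return bad("Registration is temporarily unavailable", 500); }` and give the `DIRECTUS` check on the line above the same treatment, since the commit leaves that one leaking `DIRECTUS_URL/NEXT_PUBLIC_API_BASE_URL` as well. Nothing in this hunk throttles the route; if there is no rate limit or abuse control in middleware, an open account-creation endpoint backed by an admin-scope token is worth one, but that may live outside this file. The body of `POST` continues past the end of the hunk.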
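Review bot: `const createPayload: any = {` keeps the payload untyped, so a field added to the request body could be forwarded to the admin-token user create without the compiler noticing; since the hunk only ever sets four known keys plus `role`, a precise type costs nothing: `const createPayload: { email: string; username: string; password: string; status: "active"; role?: string } = { email, username, password, status: "active" };`. The line `if (DEFAULT_ROLE) createPayload.role = DEFAULT_ROLE;` is the security-relevant invariant here and deserves saying so in place: `// role comes only from server config (DIRECTUS_DEFAULT_ROLE), never from the request body`. Note that `status: "active"` makes the account usable immediately; no email verification is visible in this hunk, which may be intentional or may be handled elsewhere — worth a one-line comment either way. `POST` starts and ends outside this hunk.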
@@ -74,7 +77,7 @@ export async function POST(req: Request) {
 "Content-Type": "application/json",
 Accept: "application/json",
 },
- body: JSON.stringify(createPayload),
+ body: JSON.stringify({ data: createPayload }),
 cache: "no-store",
 });
@@ -84,7 +87,7 @@ export async function POST(req: Request) {
 return bad(msg, createRes.status || 500);
 }
- // Auto-login (email-based; directus expects "email" even though it's an identifier)
+ // Auto-login (Directus expects "email" even though it's the identifier)
 const tokens = await directusLogin(email, password);
 const res = NextResponse.json({ ok: true, id: cj?.data?.id || null }, { status: 201 });
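Review bot: `body: JSON.stringify({ data: createPayload }),` wraps the user object in a `data` envelope, and as far as I recall the Directus REST API expects the item or user object itself as the request body — `data` is the envelope Directus puts on responses, not something it unwraps on requests. If that holds for the version in use, the new line sends a user whose only field is an unknown `data` key, so creation will either fail validation or silently drop email, username, password and role; the previous `body: JSON.stringify(createPayload),` was likely correct. Please confirm against the Directus docs or a test that actually creates a user before merging, and add a comment saying which body format the server accepts so this is not flipped back and forth. The `fetch` call whose options these are starts above the hunk.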
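Review bot: `const tokens = await directusLogin(email, password);` sits after the user has already been created, so if the login call throws or returns nothing the caller gets an error even though the account now exists, and a retry will hit the 409 branch earlier in `POST`. Assuming `directusLogin` can reject (its body is outside this hunk), I would make the auto-login best-effort — `const tokens = await directusLogin(email, password).catch(() => null);` — keep the 201 on the following line, and only set session cookies when `tokens` is non-null, with a comment such as `// account creation already succeeded; a failed auto-login must not turn this into an error response`. What is done with `tokens` after `const res = ...` is outside the hunk, so the cookie handling itself is not reviewed here.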