diff --git a/deployments/staging/kubernetes/configmap.yaml b/deployments/staging/kubernetes/configmap.yaml
index 76a4d9b6..9322b065 100644
--- a/deployments/staging/kubernetes/configmap.yaml
+++ b/deployments/staging/kubernetes/configmap.yaml
@@ -16,15 +16,15 @@ data:
 # EN: JWT Configuration (shared across all services)
 # VI: Cau hinh JWT (dung chung cho tat ca services)
- # EN: Use external HTTPS URL so RequireHttpsMetadata=true is valid.
- # Services resolve OIDC discovery over public TLS endpoint via Traefik.
- # VI: Dùng HTTPS external URL để RequireHttpsMetadata=true hoạt động đúng.
- # Các service lấy OIDC discovery qua endpoint TLS công khai qua Traefik.
- Jwt__Authority: "https://api.techbi.org"
+ # EN: Use internal K8s DNS for OIDC discovery — pods cannot reach external HTTPS.
+ # Issuer in tokens is still https://api.techbi.org (set in iam-service IssuerUri).
+ # VI: Dùng K8s DNS nội bộ cho OIDC discovery — pods không thể reach HTTPS bên ngoài.
+ # Issuer trong tokens vẫn là https://api.techbi.org (set trong iam-service IssuerUri).
+ Jwt__Authority: "http://iam-service:8080"
 Jwt__Audience: "goodgo-api"
- # EN: MUST be true in staging/prod — never allow HTTP metadata endpoints outside dev
- # VI: PHẢI là true trong staging/prod — không cho phép HTTP metadata endpoint ngoài môi trường dev
- Jwt__RequireHttpsMetadata: "true"
+ # EN: false because Authority is HTTP (internal K8s). Token signature is still validated.
+ # VI: false vì Authority là HTTP (K8s nội bộ). Chữ ký token vẫn được xác thực.
+ Jwt__RequireHttpsMetadata: "false"
 # EN: Service Discovery URLs (K8s DNS: {service-name}.staging.svc.cluster.local)
 # VI: URL tim kiem service (K8s DNS: {service-name}.staging.svc.cluster.local)
diff --git a/deployments/staging/kubernetes/redis-config.yaml b/deployments/staging/kubernetes/redis-config.yaml
new file mode 100644
index 00000000..0c2ea26e
--- /dev/null
+++ b/deployments/staging/kubernetes/redis-config.yaml
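Review bot: Setting `Jwt__RequireHttpsMetadata: "false"` together with `Jwt__Authority: "http://iam-service:8080"` means every service now fetches the OIDC discovery document and JWKS over plaintext HTTP, so the signing keys used to validate tokens arrive over an unauthenticated channel; anything that can answer as `iam-service` inside the namespace (a spoofed Service/Endpoints, a compromised pod on the path, DNS tampering) can serve its own JWKS, and the "signature is still validated" note in the new comment then offers no protection. The removed comment recorded `true` as a staging/prod invariant; if the actual blocker is that pods cannot reach `https://api.techbi.org`, the fix belongs in egress/NetworkPolicy or hairpin routing, not in downgrading metadata to HTTP. If the internal URL must stay, terminate TLS on the iam-service Service (or rely on mesh mTLS) and keep `"true"`, or at minimum restrict who can reach/serve port 8080 with a NetworkPolicy and record the trade-off at the setting: `# SECURITY: HTTP discovery — JWKS is fetched unauthenticated; relies on NetworkPolicy/mTLS for iam-service:8080`. The comment also asserts that tokens issued as `https://api.techbi.org` still validate against an Authority of `http://iam-service:8080`, but no explicit valid-issuer setting is visible in this hunk, so that claim should be confirmed against the JwtBearer configuration rather than stated as fact.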
@@ -0,0 +1,130 @@
+# EN: Redis configuration — ConfigMap with scripts and config files for Redis StatefulSet
+# VI: Cấu hình Redis — ConfigMap chứa scripts và config files cho Redis StatefulSet
+#
+# Volume mount layout:
+# Redis pod init container: /config (this ConfigMap) → copies to /tmp
+# Redis container: /tmp (scripts + configs from init)
+# Sentinel container: /config (this ConfigMap directly)
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: redis-config
+ namespace: staging
+ labels:
+ app: redis
+ component: config
+ platform: goodgo
+ tier: infrastructure
+data:
+ redis-master.conf: |
+ # Redis Master Configuration
+ bind 0.0.0.0
+ port 6379
+ tcp-backlog 511
+ timeout 300
+ tcp-keepalive 60
+ maxmemory 512mb
+ maxmemory-policy allkeys-lru
+ maxmemory-samples 10
+ maxclients 10000
+ appendonly yes
+ appendfsync everysec
+ no-appendfsync-on-rewrite yes
+ auto-aof-rewrite-percentage 100
+ auto-aof-rewrite-min-size 64mb
+ aof-use-rdb-preamble yes
+ save 900 1
+ save 300 10
+ save 60 10000
+ hz 10
+ dynamic-hz yes
+ lazyfree-lazy-eviction yes
+ lazyfree-lazy-expire yes
+ lazyfree-lazy-server-del yes
+ lazyfree-lazy-user-del yes
+ lua-time-limit 5000
+ busy-reply-threshold 5000
+ loglevel notice
+ slowlog-log-slower-than 10000
+ slowlog-max-len 128
+ rename-command FLUSHDB ""
+ rename-command FLUSHALL ""
+ rename-command DEBUG ""
+
+ redis-replica.conf: |
+ # Redis Replica Configuration
+ bind 0.0.0.0
+ port 6379
+ tcp-backlog 511
+ timeout 300
+ tcp-keepalive 60
+ maxmemory 512mb
+ maxmemory-policy allkeys-lru
+ maxmemory-samples 10
+ maxclients 10000
+ replica-read-only yes
+ replica-serve-stale-data yes
+ repl-diskless-sync yes
+ repl-diskless-sync-delay 5
+ appendonly yes
+ appendfsync everysec
+ no-appendfsync-on-rewrite yes
+ save 900 1
+ save 300 10
+ hz 10
+ dynamic-hz yes
+ lazyfree-lazy-eviction yes
+ lazyfree-lazy-expire yes
+ lazyfree-lazy-server-del yes
+ lazyfree-lazy-user-del yes
+ lua-time-limit 5000
+ busy-reply-threshold 5000
+ loglevel notice
+ slowlog-log-slower-than 10000
+ slowlog-max-len 128
+ rename-command FLUSHDB ""
+ rename-command FLUSHALL ""
+ rename-command DEBUG ""
+
+ sentinel.conf: |
+ # Redis Sentinel Configuration
+ port 26379
+ sentinel monitor redis-master redis-0.redis-headless.staging.svc.cluster.local 6379 2
+ sentinel down-after-milliseconds redis-master 5000
+ sentinel failover-timeout redis-master 10000
+ sentinel parallel-syncs redis-master 1
+ sentinel resolve-hostnames yes
+ sentinel announce-hostnames yes
+
+ # EN: Redis init container copies all files to /tmp; redis container reads from /tmp
+ # VI: Redis init container copy tất cả files sang /tmp; redis container đọc từ /tmp
+ start-redis.sh: |
+ #!/bin/sh
+ set -e
+ HOSTNAME=$(hostname)
+ INDEX="${HOSTNAME##*-}"
+ # Config files already in /tmp from init container
+ if [ "$INDEX" = "0" ]; then
+ cp /tmp/redis-master.conf /tmp/redis.conf
+ else
+ cp /tmp/redis-replica.conf /tmp/redis.conf
+ echo "replicaof redis-0.redis-headless.staging.svc.cluster.local 6379" >> /tmp/redis.conf
+ echo "masterauth ${REDIS_PASSWORD}" >> /tmp/redis.conf
+ fi
+ echo "requirepass ${REDIS_PASSWORD}" >> /tmp/redis.conf
+ echo "masterauth ${REDIS_PASSWORD}" >> /tmp/redis.conf
+ exec redis-server /tmp/redis.conf
+
+ # EN: Sentinel has /config mounted directly (no init container)
+ # VI: Sentinel mount /config trực tiếp (không có init container)
+ start-sentinel.sh: |
+ #!/bin/sh
+ set -e
+ cp /config/sentinel.conf /tmp/sentinel-run.conf
+ echo "sentinel auth-pass redis-master ${REDIS_PASSWORD}" >> /tmp/sentinel-run.conf
+ # Wait for Redis master to be ready
+ until redis-cli -h redis-0.redis-headless.staging.svc.cluster.local -p 6379 -a "${REDIS_PASSWORD}" ping 2>/dev/null; do
+ echo "Waiting for Redis master..."
+ sleep 2
+ done
+ exec redis-sentinel /tmp/sentinel-run.conf
diff --git a/deployments/staging/kubernetes/secrets.yaml b/deployments/staging/kubernetes/secrets.yaml
index 58b22022..98411b69 100644
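Review bot: In `start-sentinel.sh` the password is passed as `-a "${REDIS_PASSWORD}"` on the redis-cli command line, which exposes it in the container's process table to anything that can list processes (and redis-cli warns about exactly this on every loop iteration); use the environment variable instead: `until REDISCLI_AUTH="${REDIS_PASSWORD}" redis-cli -h redis-0.redis-headless.staging.svc.cluster.local -p 6379 ping 2>/dev/null; do`. Both scripts use `set -e` but not `set -u`, so an unset `REDIS_PASSWORD` is silently expanded to nothing and `requirepass `, `masterauth ` and `sentinel auth-pass redis-master ` are written with an empty value; Redis may then reject the rendered config, but the failure is far from its cause, and `set -eu` turns the missing secret into an immediate, obvious startup error. `start-redis.sh` also appends `masterauth` twice for replicas (inside the `else` branch and again after `fi`) — harmless because the last occurrence wins, but the first echo can go. Two design points worth a comment if they are accepted for staging: `rename-command` disables FLUSHDB/FLUSHALL/DEBUG but leaves `CONFIG` reachable to any authenticated client, and the script unconditionally makes pod index 0 the master, so a redis-0 restart after a Sentinel failover would appear to bring it back as a second master rather than as a replica of the promoted node.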
--- a/deployments/staging/kubernetes/secrets.yaml
+++ b/deployments/staging/kubernetes/secrets.yaml
@@ -63,6 +63,11 @@ stringData:
 # VI: IdentityServer Issuer
 IdentityServer__IssuerUri: "https://api.techbi.org"
+ # EN: BFF Client credentials (used by pos-web to obtain tokens from IdentityServer)
+ # VI: Thông tin xác thực BFF Client (pos-web dùng để lấy token từ IdentityServer)
+ IdentityServer__ClientId: "bff-client"
+ IdentityServer__ClientSecret: "PLACEHOLDER-bff-client-secret"
+
 # EN: PostgreSQL Connection Strings (per-service databases)
 # VI: Chuoi ket noi PostgreSQL (database rieng cho tung service)
 # Format: Host=ip;Port=port;Database=db;Username=user;Password=pass;SSL Mode=Prefer
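Review bot: `IdentityServer__ClientSecret: "PLACEHOLDER-bff-client-secret"` is a literal credential committed into a Secret manifest under `stringData`; if this file is applied as-is, the `bff-client` that pos-web uses to obtain tokens authenticates with a value anyone with repository access can read, and nothing in the diff prevents that from happening. Keep the secret out of the manifest (ExternalSecrets/SealedSecrets, or a value injected by the deploy pipeline) and have the deploy step refuse any value that still starts with `PLACEHOLDER-`; `IdentityServer__ClientId` is not sensitive and could sit in the ConfigMap with the other IdentityServer settings instead. At minimum, mark the line so the intent is unmistakable: `# MUST be replaced at deploy time — rotate the client secret if this placeholder ever reached a cluster`. The surrounding context (a `Password=pass` connection-string format just below) suggests this file carries live credentials file-wide, so the same handling presumably applies beyond this hunk.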