diff --git a/PROGRESS.md b/PROGRESS.md
index d9cc53d..872cab4 100644
--- a/PROGRESS.md
+++ b/PROGRESS.md
@@ -4,6 +4,17 @@ Source of truth for current development state.
 ---
 All phases complete. **v1.0.0 tagged.** All packages pass `go test ./...`; `golangci-lint run ./...` clean (pre-existing warnings only).
 
+### 2026-03-15 — Fix Swagger server URLs
+
+**Task:** Update Swagger `servers` section to use correct auth server URLs.
+
+**Changes:**
+- `openapi.yaml` and `web/static/openapi.yaml`: replaced `https://auth.example.com:8443` with `https://mcias.metacircular.net:8443` (Production) and `https://localhost:8443` (Local test server).
+
+**Verification:** `go build ./...`, `go test ./...`, `golangci-lint run ./...` all clean.
+
+---
+
 ### 2026-03-15 — Fix /docs Swagger UI (bundle assets locally)
 
 **Problem:** `/docs` was broken because `docs.html` loaded `swagger-ui-bundle.js` and `swagger-ui.css` from `unpkg.com` CDN, which is blocked by the server's `Content-Security-Policy: default-src 'self'` header.
diff --git a/openapi.yaml b/openapi.yaml
index a267e06..401eb12 100644
--- a/openapi.yaml
+++ b/openapi.yaml
@@ -14,8 +14,10 @@ info:
     10 requests per second per IP, burst of 10.
 
 servers:
-  - url: https://auth.example.com:8443
+  - url: https://mcias.metacircular.net:8443
     description: Production
+  - url: https://localhost:8443
+    description: Local test server
 
 components:
   securitySchemes:
diff --git a/web/static/openapi.yaml b/web/static/openapi.yaml
index a267e06..401eb12 100644
--- a/web/static/openapi.yaml
+++ b/web/static/openapi.yaml
@@ -14,8 +14,10 @@ info:
     10 requests per second per IP, burst of 10.
 
 servers:
-  - url: https://auth.example.com:8443
+  - url: https://mcias.metacircular.net:8443
     description: Production
+  - url: https://localhost:8443
+    description: Local test server
 
 components:
   securitySchemes: