diff --git a/modules/Dashboard/src/SimpleModule.Dashboard/Pages/components/TokenTester.tsx b/modules/Dashboard/src/SimpleModule.Dashboard/Pages/components/TokenTester.tsx
index 45a7fc7b..306984bc 100644
--- a/modules/Dashboard/src/SimpleModule.Dashboard/Pages/components/TokenTester.tsx
+++ b/modules/Dashboard/src/SimpleModule.Dashboard/Pages/components/TokenTester.tsx
@@ -121,7 +121,7 @@ export function TokenTester() {
 response_type: 'code',
 client_id: 'simplemodule-client',
 redirect_uri: `${window.location.origin}/oauth-callback`,
- scope: 'openid profile email',
+ scope: 'openid profile email roles',
 state,
 code_challenge: challenge,
 code_challenge_method: 'S256',
diff --git a/modules/OpenIddict/src/SimpleModule.OpenIddict.Contracts/OpenIddictModuleConstants.cs b/modules/OpenIddict/src/SimpleModule.OpenIddict.Contracts/OpenIddictModuleConstants.cs
index d2943db1..47e40cb2 100644
--- a/modules/OpenIddict/src/SimpleModule.OpenIddict.Contracts/OpenIddictModuleConstants.cs
+++ b/modules/OpenIddict/src/SimpleModule.OpenIddict.Contracts/OpenIddictModuleConstants.cs
@@ -12,7 +12,7 @@ public static class Routes
 public const string ClientsCreate = "/clients/create";
 public const string ClientsEdit = "/clients/{id}/edit";
- // View route — registered via ConfigureEndpoints (escape hatch)
+ // OAuth callback (registered as a top-level IEndpoint, not under ViewPrefix)
 public const string OAuthCallback = "/oauth-callback";
 // Connect routes (also in ConnectRouteConstants)
diff --git a/modules/OpenIddict/src/SimpleModule.OpenIddict/Endpoints/Connect/OAuthCallbackEndpoint.cs b/modules/OpenIddict/src/SimpleModule.OpenIddict/Endpoints/Connect/OAuthCallbackEndpoint.cs
new file mode 100644
index 00000000..a09be591
--- /dev/null
+++ b/modules/OpenIddict/src/SimpleModule.OpenIddict/Endpoints/Connect/OAuthCallbackEndpoint.cs
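Review bot: The `roles` scope added to the authorize request in `TokenTester` is a bare string literal, and nothing in this commit shows the `simplemodule-client` registration being allowed to request it. If the client's permitted scopes were not extended as well, the authorization server should reject the request as an invalid scope, so the client seed or registration needs the matching change (it may already exist outside this diff). Role claims will then be carried in tokens handed to a browser-side tester, so a short comment stating why the tester asks for them would help, for example `// roles: shows role claims in the tester; the client must be permitted this scope`. The enclosing function starts and ends outside the hunk.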
@@ -0,0 +1,17 @@
+using Microsoft.AspNetCore.Authorization;
+using Microsoft.AspNetCore.Builder;
+using Microsoft.AspNetCore.Routing;
+using SimpleModule.Core;
+using SimpleModule.Core.Inertia;
+using SimpleModule.OpenIddict.Contracts;
+
+namespace SimpleModule.OpenIddict.Endpoints.Connect;
+
+[AllowAnonymous]
+public class OAuthCallbackEndpoint : IEndpoint
+{
+ public const string Route = OpenIddictModuleConstants.Routes.OAuthCallback;
+
+ public void Map(IEndpointRouteBuilder app) =>
+ app.MapGet(Route, () => Inertia.Render("OpenIddict/OAuthCallback"));
+}
diff --git a/modules/OpenIddict/src/SimpleModule.OpenIddict/Hosting/OpenIddictSwaggerContributor.cs b/modules/OpenIddict/src/SimpleModule.OpenIddict/Hosting/OpenIddictSwaggerContributor.cs
index 5f1cb38d..6cfd4a13 100644
--- a/modules/OpenIddict/src/SimpleModule.OpenIddict/Hosting/OpenIddictSwaggerContributor.cs
+++ b/modules/OpenIddict/src/SimpleModule.OpenIddict/Hosting/OpenIddictSwaggerContributor.cs
@@ -33,6 +33,7 @@ public void Configure(SwaggerGenOptions options)
 { AuthConstants.OpenIdScope, "OpenID" },
 { AuthConstants.ProfileScope, "Profile" },
 { AuthConstants.EmailScope, "Email" },
+ { AuthConstants.RolesScope, "Roles" },
 },
 },
 },
@@ -55,6 +56,7 @@ public void Configure(SwaggerGenOptions options)
 AuthConstants.OpenIdScope,
 AuthConstants.ProfileScope,
 AuthConstants.EmailScope,
+ AuthConstants.RolesScope,
 ]
 },
 };
diff --git a/modules/OpenIddict/src/SimpleModule.OpenIddict/OpenIddictModule.cs b/modules/OpenIddict/src/SimpleModule.OpenIddict/OpenIddictModule.cs
index 0c4f8ad1..4fd078d3 100644
--- a/modules/OpenIddict/src/SimpleModule.OpenIddict/OpenIddictModule.cs
+++ b/modules/OpenIddict/src/SimpleModule.OpenIddict/OpenIddictModule.cs
@@ -1,5 +1,3 @@
-using Microsoft.AspNetCore.Builder;
-using Microsoft.AspNetCore.Routing;
 using Microsoft.EntityFrameworkCore;
 using Microsoft.Extensions.Configuration;
 using Microsoft.Extensions.DependencyInjection;
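Review bot: `[AllowAnonymous]` now sits on the `OAuthCallbackEndpoint` class, whereas the code it replaces (removed from `OpenIddictModule.ConfigureEndpoints` in this commit) called `.AllowAnonymous()` on the mapped route itself. Minimal-API routes take authorization metadata from the handler and the route builder, not from the class that happens to contain the `Map` call, so unless the `IEndpoint` discovery code copies class attributes onto the route (not visible in this diff) the callback would fall under whatever default or fallback policy applies and the OAuth redirect would meet a login challenge. Keeping the explicit call makes the intent independent of that plumbing: `app.MapGet(Route, () => Inertia.Render("OpenIddict/OAuthCallback")).AllowAnonymous();`. A `/// <summary>` on the class stating that the page is intentionally anonymous and only renders the client-side callback view would document the decision.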
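Review bot: `AuthConstants.RolesScope` has to be added twice in `Configure`, once to the scope dictionary in this hunk and once to the scope list in the hunk at -55,6, and two hand-maintained lists of the same scopes tend to drift apart. Building both from one shared collection of scope names inside `Configure` would make the next scope change a single edit. The Swagger UI will presumably request `roles` along with the other scopes after this change, so the client it authenticates as needs that scope permitted as well. `Configure` starts and ends outside both hunks.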
@@ -7,7 +5,6 @@
 using SimpleModule.Core;
 using SimpleModule.Core.Authorization;
 using SimpleModule.Core.Hosting;
-using SimpleModule.Core.Inertia;
 using SimpleModule.Database;
 using SimpleModule.OpenIddict.Contracts;
 using SimpleModule.OpenIddict.Hosting;
@@ -118,12 +115,5 @@ public void ConfigureServices(IServiceCollection services, IConfiguration config
 OpenIddictAuthSetup.AddSmartAuthentication(services);
 }
- public void ConfigureEndpoints(IEndpointRouteBuilder endpoints)
- {
- endpoints
- .MapGet("/oauth-callback", () => Inertia.Render("OpenIddict/OAuthCallback"))
- .AllowAnonymous();
- }
- // Menu items removed — accessible via Admin hub page
 }
diff --git a/packages/SimpleModule.Client/src/routes.ts b/packages/SimpleModule.Client/src/routes.ts
index bc855c62..eff09537 100644
--- a/packages/SimpleModule.Client/src/routes.ts
+++ b/packages/SimpleModule.Client/src/routes.ts
@@ -312,6 +312,7 @@ export const routes = {
 api: {
 authorization: () => '/connect/authorize' as const,
 logout: () => '/connect/endsession' as const,
+ oAuthCallback: () => '/oauth-callback' as const,
 token: () => '/connect/token' as const,
 userinfo: () => '/connect/userinfo' as const,
 },
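Review bot: `oAuthCallback` is listed under the `api` group, yet the C# endpoint added in this commit renders an Inertia page rather than returning API data, so the grouping looks like a side effect of registering it as a plain `IEndpoint`. If `routes.ts` is generated, the fix belongs in the generator or the endpoint's metadata rather than in this file. Separately, `TokenTester.tsx` in this same commit still builds its `redirect_uri` from the literal `/oauth-callback`; redirect URIs are normally matched exactly, so using the new `oAuthCallback()` helper there would keep the client-side path defined in one place. The `routes` object starts and ends outside the hunk.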