diff --git a/compose.yml b/compose.yml
index 3a78986..b43d784 100644
--- a/compose.yml
+++ b/compose.yml
@@ -63,6 +63,8 @@ services:
       dockerfile: docker/mediamtx/Dockerfile
     environment:
       SSL_CERT_FILE: /etc/ssl/certs/ca-certificates.crt
+      MTX_AUTHHTTPADDRESS: ${MEDIAMTX_AUTH_HTTP_ADDRESS:-http://hctv:3000/api/mediamtx/publish}
+      MTX_WEBRTCADDITIONALHOSTS: ${MEDIAMTX_WEBRTC_ADDITIONAL_HOSTS:-}
     ports:
       - '8890:8890/udp'
   postgres-exporter:
diff --git a/docker/mediamtx/mirror/.env.example b/docker/mediamtx/mirror/.env.example
index e79f521..b2fb7b6 100644
--- a/docker/mediamtx/mirror/.env.example
+++ b/docker/mediamtx/mirror/.env.example
@@ -9,9 +9,5 @@ MEDIAMTX_API_HOST=mmtxapi.hackclub.tv
 # public ip for webrtc stuff
 MEDIAMTX_WEBRTC_ADDITIONAL_HOSTS=203.0.113.10
 
-# mediamtx publish route on hctv
 MEDIAMTX_AUTH_HTTP_ADDRESS=https://hackclub.tv/api/mediamtx/publish
-
-# If MediaMTX still reports x509 unknown-authority for the auth callback even
-# with SSL_CERT_FILE set in compose, set MTX_AUTHHTTPFINGERPRINT manually on
-# the server as a temporary cert pin.
+MEDIAMTX_AUTH_HTTP_FINGERPRINT=
diff --git a/docker/mediamtx/mirror/docker-compose.yml b/docker/mediamtx/mirror/docker-compose.yml
index a8c08ce..7980ede 100644
--- a/docker/mediamtx/mirror/docker-compose.yml
+++ b/docker/mediamtx/mirror/docker-compose.yml
@@ -34,6 +34,7 @@ services:
       SSL_CERT_FILE: /etc/ssl/certs/ca-certificates.crt
       MTX_WEBRTCADDITIONALHOSTS: ${MEDIAMTX_WEBRTC_ADDITIONAL_HOSTS}
       MTX_AUTHHTTPADDRESS: ${MEDIAMTX_AUTH_HTTP_ADDRESS}
+      MTX_AUTHHTTPFINGERPRINT: ${MEDIAMTX_AUTH_HTTP_FINGERPRINT:-}
     labels:
       - traefik.enable=true