diff --git a/docker-compose.yaml b/docker-compose.yaml
index d440aa1..0bd2717 100644
--- a/docker-compose.yaml
+++ b/docker-compose.yaml
@@ -3,7 +3,11 @@ services:
 image: pgvector/pgvector:pg17
 environment:
 POSTGRES_USER: postgres
- POSTGRES_PASSWORD: postgres
+ # Sourced from .env. Defaults to "postgres"
+ # NOTE: changing this on an existing install does NOT
+ # re-key the database — the password is baked into the volume on first init.
+ # You can manually change the password using psql in the container
+ POSTGRES_PASSWORD: "${POSTGRES_PASSWORD:-postgres}"
 POSTGRES_DB: postgres
 logging:
 driver: "json-file"
@@ -136,7 +140,7 @@ services:
 BACKEND_API_ENDPOINT: "${BACKEND_API_ENDPOINT:-http://localhost:8000}"
 # Database configuration (using containerized postgres)
- DATABASE_URL: "postgresql+asyncpg://postgres:postgres@postgres:5432/postgres"
+ DATABASE_URL: "postgresql+asyncpg://postgres:${POSTGRES_PASSWORD:-postgres}@postgres:5432/postgres"
 # Redis configuration (using containerized redis)
 REDIS_URL: "redis://:redissecret@redis:6379"
diff --git a/scripts/setup_local.ps1 b/scripts/setup_local.ps1
index 2958f30..d8b9913 100644
--- a/scripts/setup_local.ps1
+++ b/scripts/setup_local.ps1
@@ -243,6 +243,7 @@ if ($UseCoturn) {
 Write-Info "[2/$TotalSteps] Creating environment file..."
 $ossJwtSecret = New-HexSecret 32
+$postgresPassword = New-HexSecret 32
 $envLines = @(
 '# Container registry for Dograh images'
@@ -251,6 +252,11 @@ $envLines = @(
 '# JWT secret for OSS authentication'
 "OSS_JWT_SECRET=$ossJwtSecret"
 ''
+ '# PostgreSQL password. Used by the postgres container on first init and by'
+ "# the API's DATABASE_URL. Do not change after the first start — the password"
+ '# is baked into the postgres data volume when it is first created.'
+ "POSTGRES_PASSWORD=$postgresPassword"
+ ''
 '# Telemetry (set to false to disable)'
 "ENABLE_TELEMETRY=$EnableTelemetry"
 ''
diff --git a/scripts/setup_local.sh b/scripts/setup_local.sh
index 674185e..e94fb60 100755
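Review bot: In the first docker-compose.yaml hunk, `${POSTGRES_PASSWORD:-postgres}` silently falls back to the well-known password `postgres` whenever `.env` lacks the variable, so an install that skips the setup scripts still starts with the default credential and nothing signals it. If the fallback exists for compatibility with already-initialised volumes, the comment should say so; for new installs the fail-closed form `POSTGRES_PASSWORD: "${POSTGRES_PASSWORD:?set POSTGRES_PASSWORD in .env}"` would make Compose refuse to start with an unset password. The service definition continues outside the hunk, so whether the postgres port is published to the host cannot be judged from here.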
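Review bot: The new `DATABASE_URL` in the second docker-compose.yaml hunk inserts the password into the URL unescaped, so a hand-set value containing `@`, `/`, `#`, `?` or `%` would be misparsed on the API side while the postgres container still receives the literal string, and the two would disagree. The hex secrets written by the setup scripts are safe, but the constraint should sit next to the variable, for example `# POSTGRES_PASSWORD must be URL-safe (letters, digits, - . _ ~); it is inserted into DATABASE_URL verbatim`. The `REDIS_URL` context line below still hard-codes `redissecret` and probably deserves the same `.env` treatment in a follow-up.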
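Review bot: `$postgresPassword = New-HexSecret 32` in the first scripts/setup_local.ps1 hunk draws a fresh password on every run, and scripts/setup_local.sh and scripts/setup_remote.sh do the same with `POSTGRES_PASSWORD=$(openssl rand -hex 32)` followed by `cat > .env`, which truncates the file. If setup is re-run against an existing postgres volume (including an install upgraded from the old `postgres` default), the rewritten value no longer matches the password stored at first init and the API's `DATABASE_URL` will fail to authenticate, which is the situation the added comment warns about. Unless a guard outside these hunks prevents re-runs, read any existing `POSTGRES_PASSWORD` back from the env file first and generate only when none is found, e.g. `if (-not $postgresPassword) { $postgresPassword = New-HexSecret 32 }` after the lookup.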
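Review bot: The comment added in the second scripts/setup_local.ps1 hunk says not to change the value but gives no recovery path, while the docker-compose.yaml comment in the same commit says the password can be changed with psql. Spell out the order so the two agree, for example `'# To rotate: run ALTER USER postgres WITH PASSWORD ... in psql first, then update this value and restart.'`. The same three comment lines are written by scripts/setup_local.sh and scripts/setup_remote.sh and would need the matching addition.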
--- a/scripts/setup_local.sh
+++ b/scripts/setup_local.sh
@@ -150,6 +150,7 @@ fi
 ENV_STEP=$TOTAL_STEPS
 echo -e "${BLUE}[$ENV_STEP/$TOTAL_STEPS] Creating environment file...${NC}"
 OSS_JWT_SECRET=$(openssl rand -hex 32)
+POSTGRES_PASSWORD=$(openssl rand -hex 32)
 cat > .env << ENV_EOF
 # Container registry for Dograh images
@@ -158,6 +159,11 @@ REGISTRY=$REGISTRY
 # JWT secret for OSS authentication
 OSS_JWT_SECRET=$OSS_JWT_SECRET
+# PostgreSQL password. Used by the postgres container on first init and by the
+# API's DATABASE_URL. Do not change after the first start — the password is
+# baked into the postgres data volume when it is first created.
+POSTGRES_PASSWORD=$POSTGRES_PASSWORD
+
 # Telemetry (set to false to disable)
 ENABLE_TELEMETRY=$ENABLE_TELEMETRY
diff --git a/scripts/setup_remote.sh b/scripts/setup_remote.sh
index d958b69..919c881 100755
--- a/scripts/setup_remote.sh
+++ b/scripts/setup_remote.sh
@@ -251,6 +251,7 @@ echo -e "${GREEN}✓ SSL certificates generated${NC}"
 echo -e "${BLUE}[4/$TOTAL] Creating environment file...${NC}"
 OSS_JWT_SECRET=$(openssl rand -hex 32)
+POSTGRES_PASSWORD=$(openssl rand -hex 32)
 cat > .env << ENV_EOF
 # Remote deployments run with production signaling and HTTPS defaults
@@ -276,6 +277,11 @@ FORCE_TURN_RELAY=$FORCE_TURN_RELAY
 # JWT secret for OSS authentication
 OSS_JWT_SECRET=$OSS_JWT_SECRET
+# PostgreSQL password. Used by the postgres container on first init and by the
+# API's DATABASE_URL. Do not change after the first start — the password is
+# baked into the postgres data volume when it is first created.
+POSTGRES_PASSWORD=$POSTGRES_PASSWORD
+
 # Telemetry (set to false to disable)
 ENABLE_TELEMETRY=$ENABLE_TELEMETRY
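Review bot: `cat > .env` in the first scripts/setup_local.sh hunk creates the file under the caller's default umask, and with this change it holds the database password as well as the JWT secret, so on a shared host it may be readable by other local accounts. Setting `umask 077` before the heredoc, or running `chmod 600 .env` after it, keeps the file owner-only. The end of the heredoc is outside the hunk, so this may already be handled further down. scripts/setup_remote.sh writes `.env` the same way and is the more exposed case.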