diff --git a/docker-compose.development.yml b/docker-compose.development.yml
index 9ca2b29218..b213a57b43 100644
--- a/docker-compose.development.yml
+++ b/docker-compose.development.yml
@@ -158,8 +158,8 @@ services:
 - SENTRY_ORG_SUBDOMAIN=${SENTRY_ORG_SUBDOMAIN:-o130137}
 - SENTRY_KEY=${SENTRY_KEY:-3cf75f54983e473da6bd07daddf0d2ee}
 - SENTRY_PROJECT=${SENTRY_PROJECT:-1298632}
- - S3_ENDPOINT=${S3_ENDPOINT}
- - S3_ODK_BUCKET_NAME=${S3_ODK_BUCKET_NAME:-"fmtm-odk-media"}
+ - S3_SERVER=${S3_ENDPOINT}
+ - S3_BUCKET_NAME=${S3_ODK_BUCKET_NAME:-"fmtm-odk-media"}
 - S3_ACCESS_KEY=${S3_ACCESS_KEY}
 - S3_SECRET_KEY=${S3_SECRET_KEY}
 networks:
diff --git a/docker-compose.yml b/docker-compose.yml
index a9e7095f59..d8e7876f81 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -131,7 +131,7 @@ services:
 - ./src/frontend:/app
 - /app/node_modules/
 environment:
- - VITE_API_URL=${API_URL:-http://api.${FMTM_DOMAIN}:${FMTM_DEV_PORT:-7050}}
+ - VITE_API_URL=http://api.${FMTM_DOMAIN}:${FMTM_DEV_PORT:-7050}
 ports:
 - "7051:7051"
 networks:
@@ -154,7 +154,7 @@ services:
 - /app/.svelte-kit/
 # - ../ui:/app/node_modules/@hotosm/ui:ro
 environment:
- - VITE_API_URL=${API_URL:-http://api.${FMTM_DOMAIN}:${FMTM_DEV_PORT:-7050}}
+ - VITE_API_URL=http://api.${FMTM_DOMAIN}:${FMTM_DEV_PORT:-7050}
 - VITE_SYNC_URL=http://sync.${FMTM_DOMAIN}:${FMTM_DEV_PORT:-7050}
 networks:
 - fmtm-net
@@ -194,8 +194,9 @@ services:
 - SENTRY_ORG_SUBDOMAIN=${SENTRY_ORG_SUBDOMAIN:-o130137}
 - SENTRY_KEY=${SENTRY_KEY:-3cf75f54983e473da6bd07daddf0d2ee}
 - SENTRY_PROJECT=${SENTRY_PROJECT:-1298632}
- - S3_ENDPOINT=${S3_ENDPOINT:-"http://s3:9000"}
- - S3_ODK_BUCKET_NAME=${S3_ODK_BUCKET_NAME:-"fmtm-odk-media"}
+ # Note S3_ENDPOINT is hardcoded here for when we use tunnel config
+ - S3_SERVER="http://s3:9000
+ - S3_BUCKET_NAME=${S3_ODK_BUCKET_NAME:-"fmtm-odk-media"}
 - S3_ACCESS_KEY=${S3_ACCESS_KEY}
 - S3_SECRET_KEY=${S3_SECRET_KEY}
 # ports:
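Review bot: Dropping the `${API_URL:-…}` wrapper from both frontend `VITE_API_URL` entries (the hunks at -131 and -154 of docker-compose.yml) means an `API_URL` supplied through the environment is now silently ignored, and the API origin is always plain `http://api.${FMTM_DOMAIN}`. If that is intended for the dev stack, a comment above each line such as `# API origin is fixed for local dev; API_URL is intentionally not honoured` would make it explicit. It is worth confirming that no tunnel or staging setup relied on `API_URL` to point the frontend at a TLS-terminated API.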
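Review bot: The new value `S3_SERVER="http://s3:9000` in the -194 hunk opens a double quote and never closes it, and the same typo appears in the later -326 hunk as `S3_ENDPOINT="http://s3:9000`. In list-form `environment:` entries Compose does not, as far as I know, strip quotes, so the container would receive the literal `"http://s3:9000`. The ODK entrypoint strips quotes from `S3_SERVER`, but nothing visible in this diff does the same for the service in the -326 hunk. I would drop the quote in both places: `- S3_SERVER=http://s3:9000` and `- S3_ENDPOINT=http://s3:9000`. The comment added in the -194 hunk also still names `S3_ENDPOINT` although the variable set there is now `S3_SERVER`.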
@@ -326,7 +327,8 @@ services: - .env # Hardcode some vars for dev, as not necessarily present in the .env file environment: - - S3_ENDPOINT=${S3_ENDPOINT:-"http://s3:9000"} + # Note S3_ENDPOINT is hardcoded here for when we use tunnel config + - S3_ENDPOINT="http://s3:9000 - S3_BACKUP_BUCKET_NAME=${S3_BACKUP_BUCKET_NAME:-"fmtm-db-backups"} networks: - fmtm-net diff --git a/odkcentral/api/container-entrypoint.sh b/odkcentral/api/container-entrypoint.sh index c2c0eaa256..5d44ff2250 100644 --- a/odkcentral/api/container-entrypoint.sh +++ b/odkcentral/api/container-entrypoint.sh @@ -3,8 +3,8 @@ set -eo pipefail check_all_s3_vars_present() { - if [ -z "${S3_ENDPOINT}" ]; then - echo "Environment variable S3_ENDPOINT is not set." + if [ -z "${S3_SERVER}" ]; then + echo "Environment variable S3_SERVER is not set." exit 1 fi if [ -z "${S3_ACCESS_KEY}" ]; then @@ -15,16 +15,16 @@ check_all_s3_vars_present() { echo "Environment variable S3_SECRET_KEY is not set." exit 1 fi - if [ -z "${S3_ODK_BUCKET_NAME}" ]; then - echo "Environment variable S3_ODK_BUCKET_NAME is not set." + if [ -z "${S3_BUCKET_NAME}" ]; then + echo "Environment variable S3_BUCKET_NAME is not set." exit 1 fi # Strip any extra unrequired "quotes" - export S3_ENDPOINT="${S3_ENDPOINT//\"/}" + export S3_SERVER="${S3_SERVER//\"/}" export S3_ACCESS_KEY="${S3_ACCESS_KEY//\"/}" export S3_SECRET_KEY="${S3_SECRET_KEY//\"/}" - export S3_ODK_BUCKET_NAME="${S3_ODK_BUCKET_NAME//\"/}" + export S3_BUCKET_NAME="${S3_BUCKET_NAME//\"/}" } # Check env vars + strip extra quotes on vars 
@@ -50,11 +50,11 @@ echo "Elevating user to admin" odk-cmd --email "${SYSADMIN_EMAIL}" user-promote || true ### Create S3 bucket for submission photo storage ### -BUCKET_NAME="${S3_ODK_BUCKET_NAME}" -echo "Creating S3 bucket ${BUCKET_NAME} to store submission media" -mc alias set s3 "$S3_ENDPOINT" "$S3_ACCESS_KEY" "$S3_SECRET_KEY" -mc mb "s3/${BUCKET_NAME}" --ignore-existing -mc anonymous set download "s3/${BUCKET_NAME}" +echo "Creating S3 bucket ${S3_BUCKET_NAME} to store submission media" +mc alias set s3 "$S3_SERVER" "$S3_ACCESS_KEY" "$S3_SECRET_KEY" +mc mb "s3/${S3_BUCKET_NAME}" --ignore-existing +# Prevent anonymous access (pre-signed URL download only) +mc anonymous set none "s3/${S3_BUCKET_NAME}" ### Run server (hardcode WORKER_COUNT=1 for dev) ### export WORKER_COUNT=1
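Review bot: `mc anonymous set none` runs on every start against a bucket that `mc mb --ignore-existing` may have found already present, so deployments upgraded from the old `download` policy will see previously public media links start failing with nothing in the log to explain it. The echo above it still only announces bucket creation; a line such as `echo "Setting anonymous policy on ${S3_BUCKET_NAME} to none (pre-signed URLs only)"` before the call would make the tightening visible to operators. Separately, `mc alias set` receives `$S3_SECRET_KEY` as a command-line argument, which exposes it to process listings inside the container for the duration of the call. That is tolerable for a dev entrypoint, but it deserves a comment in case this script is reused elsewhere.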