diff --git a/Client-Tech/Tech.zip b/Client-Tech/Tech.zip
new file mode 100644
index 0000000..cd7ce32
Binary files /dev/null and b/Client-Tech/Tech.zip differ
diff --git a/Client-Tech/src/auth/authConfig.js b/Client-Tech/src/auth/authConfig.js
index b390e77..abbb80a 100644
--- a/Client-Tech/src/auth/authConfig.js
+++ b/Client-Tech/src/auth/authConfig.js
@@ -1,25 +1,28 @@ /** - * authConfig.js — Tech Client (Staff Plane) + * authConfig.js - Tech Client (Staff Plane) * - * ┌─────────────────────────────────────────────────────────────────────────┐ - * │ PRODUCTION MIGRATION — only these values change at handoff: │ - * │ │ - * │ STAFF_AUTHORITY → 'https://login.microsoftonline.com/{ORG_TENANT}' │ - * │ STAFF_TENANT_ID → new company org tenant ID │ - * │ STAFF_CLIENT_ID → staff app registration in org tenant │ - * │ │ - * │ No other code changes required anywhere. │ - * └─────────────────────────────────────────────────────────────────────────┘ + * APP REGISTRATION MAP (positivespend tenant: f56a3c51-9b5c-4356-920f-b4dcf932a96b) + * ------------------------------------------------------------------------- + * Tech SPA (this app) 846a3677-9135-4ba6-b7f5-933dcce126be + * - Platform: SPA + * - Redirect URI: - must be registered in portal, + * matches window.location.origin at runtime. + * - API permissions: api://af95fa13-.../access_as_user (delegated) * - * DEV NOTE: Staff currently authenticate against the CIAM tenant (same as - * clients) because no org tenant exists yet. The login screen looks identical - * to the client login — this is cosmetic only. API isolation is enforced by - * audience: staff tokens are rejected by Gateway, client tokens by Management. + * Management Staff API af95fa13-2ef4-4911-b137-7acc6a784cfa + * - Exposes scope: access_as_user + * - App roles: Staff.Admin, Staff.Tech + * - Management validates JWTs issued for this audience + * + * FLOW: MSAL authenticates as 846a3677, acquires a token scoped to + * api://af95fa13-.../access_as_user, sends as Bearer to Management API. + * Management validates: issuer = login.microsoftonline.com/f56a3c51/v2.0, + * audience = af95fa13 or api://af95fa13, roles = Staff.Admin | Staff.Tech. 
*/ // ── Staff Identity Config ───────────────────────────────────────────────────── -const STAFF_TENANT_ID = '0be4c23a-6941-4bdb-b397-a4faf88de4b3'; +const STAFF_TENANT_ID = 'f56a3c51-9b5c-4356-920f-b4dcf932a96b'; const STAFF_CLIENT_ID = '846a3677-9135-4ba6-b7f5-933dcce126be'; // PROD: swap to → 'https://login.microsoftonline.com/' + STAFF_TENANT_ID @@ -56,13 +59,13 @@ export const msalConfig = { }; export const loginRequest = { - scopes: ["api://4e4d69c3-558a-4a27-a689-17bd397175e5/access_as_user"] + scopes: ["api://af95fa13-2ef4-4911-b137-7acc6a784cfa/access_as_user"] }; // ── API Endpoints ───────────────────────────────────────────────────────────── -export const API_BASE = 'https://adpapi.usimdev.com'; // Gateway API -export const MGMT_BASE = 'https://adpmgmt.usimdev.com'; // Management API +export const API_BASE = 'https://portal.positivespend.com'; // Gateway API +export const MGMT_BASE = 'https://mgmt.positivespend.com'; // Management API // Legacy — kept for backward compatibility with apiClient.js export const SESSION_ENDPOINT = `${API_BASE}/api/auth/session`; diff --git a/Client-Tech/src/components/GoogleTokenTool.jsx b/Client-Tech/src/components/GoogleTokenTool.jsx index 035b96e..e46a4a7 100644 --- a/Client-Tech/src/components/GoogleTokenTool.jsx +++ b/Client-Tech/src/components/GoogleTokenTool.jsx @@ -18,7 +18,7 @@ const DEFAULTS = { clientId: '330518338348-a1qto1jug5tmpc6565059apsggsfg12i.apps.googleusercontent.com', clientSecret: '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', scope: 'https://www.googleapis.com/auth/adwords', - containerApp: 'usim-adp-googleapi', + containerApp: 'adp-googleapi', resourceGroup: 'RG-GraeJones' }; diff --git a/Client-Tech/src/components/HealthDashboard.jsx b/Client-Tech/src/components/HealthDashboard.jsx index f8e8f07..9105ba2 100644 --- a/Client-Tech/src/components/HealthDashboard.jsx +++ b/Client-Tech/src/components/HealthDashboard.jsx 
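Review bot: The context comment `// PROD: swap to → 'https://login.microsoftonline.com/' + STAFF_TENANT_ID` left under the changed `STAFF_TENANT_ID` no longer fits the rewritten header, which says Management expects an issuer on login.microsoftonline.com for tenant f56a3c51. The authority assignment sits between this hunk and the next and is not visible here; if it still points at the earlier CIAM endpoint, tokens would carry an issuer that Management rejects, so it should be checked and the PROD comment removed or reworded in this commit. The header also abbreviates identifiers (`api://af95fa13-.../access_as_user`, `login.microsoftonline.com/f56a3c51/v2.0`); spelling out the full GUIDs, or referring to `STAFF_TENANT_ID`, keeps a truncated issuer from being copied into a validator. The `Redirect URI: - must be registered in portal` line appears to have lost its value.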
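Review bot: `DEFAULTS.clientSecret`, visible as context just above the changed `containerApp` line, is a Google OAuth client secret hard-coded in a React component, so it sits in repository history and presumably in the browser bundle of the Tech client. Replace it with `clientSecret: '',` and have the operator supply the value at use time, or move the token exchange behind the Management API so the browser never holds it. The committed value should be treated as disclosed and rotated, since deleting it from HEAD leaves it in history. `Client-Tech/Tech.zip`, added as a binary in this same commit, cannot be inspected here; if it is an archive of this directory it would carry the same literal. The `DEFAULTS` object opens above the hunk, so its other fields were not reviewed.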
@@ -2,29 +2,29 @@ import React, { useState, useCallback } from 'react'; import { useAuth } from '../auth/AuthProvider'; import { API_BASE } from '../auth/authConfig'; -const HELP_BASE = 'https://adpmgmt.usimdev.com/api/help'; +const HELP_BASE = 'https://mgmt.positivespend.com/api/help'; // ─── Service definitions ────────────────────────────────────────────────────── const SERVICE_META = { gateway: { - label: 'Gateway API', sub: 'adsapi.usimdev.com', tier: 'public', color: '#0066cc', + label: 'Gateway API', sub: 'portal.positivespend.com', tier: 'public', color: '#0066cc', mode: 'direct', url: `${API_BASE}/api/test/ping`, tech: '.NET 8 · Azure Container Apps · SQL Server', }, management: { - label: 'Management API', sub: 'adpmgmt.usimdev.com', tier: 'public', color: '#0ea5e9', - mode: 'direct', url: 'https://adpmgmt.usimdev.com/health', + label: 'Management API', sub: 'mgmt.positivespend.com', tier: 'public', color: '#0ea5e9', + mode: 'direct', url: 'https://mgmt.positivespend.com/health', tech: '.NET 8 · Azure Container Apps · SQL Server', }, tech: { - label: 'Tech (TestAPI)', sub: 'adptestapi.usimdev.com', tier: 'public', color: '#64748b', + label: 'Tech (TestAPI)', sub: 'tech.positivespend.com', tier: 'public', color: '#64748b', mode: 'none', tech: 'React · MSAL · Azure Container Apps', }, registration: { - label: 'Registration', sub: 'adpregapi.usimdev.com', tier: 'registration', color: '#f97316', - mode: 'direct', url: 'https://adpregapi.usimdev.com/api/health', + label: 'Registration', sub: 'regapi.positivespend.com', tier: 'registration', color: '#f97316', + mode: 'direct', url: 'https://regapi.positivespend.com/api/health', tech: 'Azure Functions · .NET 8', }, creative: { diff --git a/Client-Tech/src/services/serviceCatalog.js b/Client-Tech/src/services/serviceCatalog.js index a2d16d7..f828b98 100644 --- a/Client-Tech/src/services/serviceCatalog.js +++ b/Client-Tech/src/services/serviceCatalog.js 
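Review bot: `HELP_BASE` and the `management.url` entry repeat the Management host as a string literal even though this file already imports `API_BASE` from `../auth/authConfig`, which exports `MGMT_BASE` with the same value. Deriving them leaves one place to edit on the next domain move: `import { API_BASE, MGMT_BASE } from '../auth/authConfig';`, `const HELP_BASE = MGMT_BASE + '/api/help';`, `url: MGMT_BASE + '/health'`. The `serviceCatalog.js` hunks below repeat `baseUrl: 'https://mgmt.positivespend.com'` and `'https://regapi.positivespend.com'` per entry in the same way; whether that file imports authConfig is not visible. Per the authConfig header the Management host receives staff bearer tokens, so a literal missed in a later rename would keep sending them to the old domain. `SERVICE_META` continues past the end of the hunk.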
@@ -502,7 +502,7 @@ export const servicesByProvider = { sample: {}, endpoint: '/api/health', method: 'GET', - baseUrl: 'https://adpregapi.usimdev.com' + baseUrl: 'https://regapi.positivespend.com' }, // ── Admin ops below route through Management proxy (/api/registration/*). // Management validates the Entra JWT, then forwards to Registration Function @@ -515,7 +515,7 @@ export const servicesByProvider = { sample: {}, endpoint: '/api/registration/pending', method: 'GET', - baseUrl: 'https://adpmgmt.usimdev.com' + baseUrl: 'https://mgmt.positivespend.com' }, { id: 'GetById', @@ -525,7 +525,7 @@ export const servicesByProvider = { sample: { registrationId: 'reg-001' }, endpoint: '/api/registration/{registrationId}', method: 'GET', - baseUrl: 'https://adpmgmt.usimdev.com' + baseUrl: 'https://mgmt.positivespend.com' }, { id: 'Reject', @@ -535,7 +535,7 @@ export const servicesByProvider = { sample: { registrationId: 'reg-001', reason: 'Incomplete information' }, endpoint: '/api/registration/{registrationId}/reject', method: 'POST', - baseUrl: 'https://adpmgmt.usimdev.com' + baseUrl: 'https://mgmt.positivespend.com' }, { id: 'Complete', @@ -545,7 +545,7 @@ export const servicesByProvider = { sample: { registrationId: 'reg-001', platformClientId: 'ADP-TestBusiness-0001' }, endpoint: '/api/registration/{registrationId}/complete', method: 'POST', - baseUrl: 'https://adpmgmt.usimdev.com' + baseUrl: 'https://mgmt.positivespend.com' }, // Register — still hits Registration Function directly (CIAM JWT, not staff plane) { @@ -564,7 +564,7 @@ export const servicesByProvider = { }, endpoint: '/api/registration/register', method: 'POST', - baseUrl: 'https://adpregapi.usimdev.com' + baseUrl: 'https://regapi.positivespend.com' } ], management: [ @@ -576,7 +576,7 @@ export const servicesByProvider = { sample: {}, endpoint: '/health', method: 'GET', - baseUrl: 'https://adpmgmt.usimdev.com' + baseUrl: 'https://mgmt.positivespend.com' }, { id: 'HelpGet', 
@@ -586,7 +586,7 @@ export const servicesByProvider = { sample: { key: 'client.wizard.budget' }, endpoint: '/api/help/{key}', method: 'GET', - baseUrl: 'https://adpmgmt.usimdev.com' + baseUrl: 'https://mgmt.positivespend.com' }, { id: 'DocumentList', @@ -596,7 +596,7 @@ export const servicesByProvider = { sample: {}, endpoint: '/api/documents', method: 'GET', - baseUrl: 'https://adpmgmt.usimdev.com' + baseUrl: 'https://mgmt.positivespend.com' }, { id: 'DocumentDelete', @@ -606,7 +606,7 @@ export const servicesByProvider = { sample: { docId: 1 }, endpoint: '/api/documents/{docId}', method: 'DELETE', - baseUrl: 'https://adpmgmt.usimdev.com' + baseUrl: 'https://mgmt.positivespend.com' } ] };
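Review bot: The `DocumentDelete` entry keeps the prefilled `sample: { docId: 1 }` while its `baseUrl` moves to `https://mgmt.positivespend.com`; if that host is the live Management API, running the sample unchanged from the Tech tool would delete a real document. The `Reject` and `Complete` entries in the earlier hunks are state-changing POSTs with prefilled samples against the same host. A sample value that cannot resolve (for example `docId: 0`, if ids start at 1) or a confirmation step for non-GET entries would reduce that risk. How the catalog executes an entry is outside these hunks, so this needs confirming against the caller.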