diff --git a/roles/eda/defaults/main.yml b/roles/eda/defaults/main.yml
index ccd7c840..ab125460 100644
--- a/roles/eda/defaults/main.yml
+++ b/roles/eda/defaults/main.yml
@@ -161,6 +161,10 @@ event_stream_mtls: "{{ event_stream.mtls | default(true) }}"
 event_stream_mtls_prefix_path: "mtls/{{ event_stream_prefix_path.strip('/') }}"
 event_stream_prefix_path: "{{ event_stream.prefix | default('/eda-event-streams') }}"
 
+# Leave empty for standalone deployments (SessionAuth + local resource management).
+# Set to gateway URL when deploying behind Gateway (JWT-only auth).
+resource_server_url: ''
+
 # Disable UI container's nginx ipv6 listener
 ipv6_disabled: false
 
diff --git a/roles/eda/templates/eda.configmap.yaml.j2 b/roles/eda/templates/eda.configmap.yaml.j2
index 55f62f7b..0c45fb28 100644
--- a/roles/eda/templates/eda.configmap.yaml.j2
+++ b/roles/eda/templates/eda.configmap.yaml.j2
@@ -34,6 +34,17 @@ data:
 
   EDA_STATIC_URL: /api/eda/static/
 
+  # Resource Server configuration
+  # Detect gateway deployment via either the operator variable or
+  # the extra_settings injected by the gateway-operator.
+{% set _behind_gateway = (resource_server_url | default('') | length > 0) or (extra_settings | default([]) | selectattr('setting', 'equalto', 'EDA_RESOURCE_SERVER__URL') | list | length > 0) %}
+{% if resource_server_url | default('') | length > 0 %}
+  EDA_RESOURCE_SERVER__URL: "{{ resource_server_url }}"
+{% endif %}
+{% if not _behind_gateway %}
+  EDA_ALLOW_LOCAL_RESOURCE_MANAGEMENT: "True"
+{% endif %}
+
   # Custom user variables
 {% for item in extra_settings | default([]) %}
   {{ item.setting | upper }}: "{{ item.value }}"