diff --git a/client/src/pages/AdminPage.test.tsx b/client/src/pages/AdminPage.test.tsx
index dc0aa6ed..d3f851af 100644
--- a/client/src/pages/AdminPage.test.tsx
+++ b/client/src/pages/AdminPage.test.tsx
@@ -359,13 +359,13 @@ describe('AdminPage', () => {
 fireEvent.click(screen.getByRole('button', { name: /settings/i }));
- const heading = await screen.findByRole('heading', { name: /allow registration/i });
+ const heading = await screen.findByRole('heading', { name: /authentication methods/i });
 const card = heading.closest('.bg-white');
- const toggle = within(card!).getByRole('button');
- fireEvent.click(toggle);
+ const toggles = within(card!).getAllByRole('button');
+ fireEvent.click(toggles[0]); // First toggle = password_login
 await waitFor(() => {
- expect(capturedBody).toEqual(expect.objectContaining({ allow_registration: false }));
+ expect(capturedBody).toEqual(expect.objectContaining({ password_login: false }));
 });
 });
 });
@@ -1328,15 +1328,6 @@ describe('AdminPage', () => {
 const clientSecretInput = clientSecretLabel.closest('div')!.querySelector('input')!;
 fireEvent.change(clientSecretInput, { target: { value: 'my-client-secret' } });
- // OIDC-only toggle — button within the OIDC card for oidc_only toggle
- // admin.oidcOnlyMode = 'Disable password authentication'
- const oidcOnlyText = within(oidcCard!).getByText('Disable password authentication');
- const oidcOnlySection = oidcOnlyText.closest('.flex');
- const oidcOnlyToggle = oidcOnlySection?.querySelector('button');
- if (oidcOnlyToggle) {
- fireEvent.click(oidcOnlyToggle);
- }
-
 // Verify the inputs updated
 expect((issuerInput as HTMLInputElement).value).toBe('https://accounts.google.com');
 expect((clientIdInput as HTMLInputElement).value).toBe('my-client-id');
diff --git a/client/src/pages/LoginPage.test.tsx b/client/src/pages/LoginPage.test.tsx
index e50dc200..5f5adc87 100644
--- a/client/src/pages/LoginPage.test.tsx
+++ b/client/src/pages/LoginPage.test.tsx
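Review bot: In client/src/pages/AdminPage.test.tsx (hunk at line 359), `fireEvent.click(toggles[0])` picks the password-login switch by its position in the card, so a reordered or newly inserted toggle would make this test click a different authentication setting without anything in the test saying why it broke. Selecting the control by its accessible name or by its row label is sturdier, e.g. `within(card!).getByRole('button', { name: /password login/i })`, assuming the switch exposes such a name (the label text is not visible in this hunk). `card!` also hides a null result from `closest('.bg-white')`; an `expect(card).not.toBeNull();` before the lookup would give a clearer failure. The enclosing test starts above the hunk.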
@@ -155,6 +155,9 @@ describe('LoginPage', () => {
 oidc_configured: true,
 oidc_display_name: 'Okta',
 oidc_only_mode: false,
+ oidc_login: true,
+ password_login: true,
+ password_registration: true,
 setup_complete: true,
 });
 }),
@@ -438,6 +441,8 @@ describe('LoginPage', () => {
 demo_mode: false,
 oidc_configured: true,
 oidc_only_mode: true,
+ password_login: false,
+ oidc_login: true,
 setup_complete: true,
 });
 }),
diff --git a/client/src/types.ts b/client/src/types.ts
index 18938a45..159a0edd 100644
--- a/client/src/types.ts
+++ b/client/src/types.ts
@@ -296,11 +296,18 @@ export interface AppConfig {
 demo_mode: boolean
 oidc_configured: boolean
 oidc_display_name?: string
+ oidc_only_mode?: boolean
 has_maps_key?: boolean
 allowed_file_types?: string
 timezone?: string
 /** When true, users without MFA cannot use the app until they enable it */
 require_mfa?: boolean
+ // Granular auth toggles
+ password_login?: boolean
+ password_registration?: boolean
+ oidc_login?: boolean
+ oidc_registration?: boolean
+ env_override_oidc_only?: boolean
 }
 // Translation function type
diff --git a/client/tests/helpers/factories.ts b/client/tests/helpers/factories.ts
index 27d07f90..8bc8b468 100644
--- a/client/tests/helpers/factories.ts
+++ b/client/tests/helpers/factories.ts
@@ -283,6 +283,12 @@ export function buildAppConfig(overrides: Partial = {}): AppConfig {
 allow_registration: true,
 demo_mode: false,
 oidc_configured: false,
+ oidc_only_mode: false,
+ password_login: true,
+ password_registration: true,
+ oidc_login: true,
+ oidc_registration: true,
+ env_override_oidc_only: false,
 ...overrides,
 };
 }
diff --git a/server/tests/unit/services/adminService.test.ts b/server/tests/unit/services/adminService.test.ts
index 746bf48a..7a0e09ef 100644
--- a/server/tests/unit/services/adminService.test.ts
+++ b/server/tests/unit/services/adminService.test.ts
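Review bot: Both client/src/pages/LoginPage.test.tsx fixtures (hunks at lines 155 and 438) give the legacy `oidc_only_mode` and the new `password_login`/`oidc_login` flags values that agree, so neither test shows which field the page actually reads when deciding whether to render the password form. A case where they disagree, or where the new optional flags are left out entirely, would pin the fallback; for example a config with `oidc_only_mode: false, password_login: false, oidc_login: true` and an assertion on whether the password inputs are present. The second hunk also leaves `password_registration` unset while the first sets it, which may be intentional but deserves a one-line comment. Both mock handlers begin and end outside the hunks.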
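Review bot: The optional flags added to `AppConfig` in client/src/types.ts (hunk at line 296) do not say what an absent value means, and for fields that gate a login method the two common readings differ: `if (config.password_login)` treats `undefined` as disabled, while `config.password_login !== false` treats it as enabled. I would replace `// Granular auth toggles` with a TSDoc comment in the style already used for `require_mfa`, stating the default for a missing field and how `oidc_only_mode` and `env_override_oidc_only` take precedence over the four toggles. Since these values only tell the client what to render, the comment could also note that enforcement is expected on the server, which is not visible in this diff.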
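Review bot: The defaults added to `buildAppConfig` in client/tests/helpers/factories.ts (hunk at line 283) describe a state that looks contradictory: `oidc_login: true` and `oidc_registration: true` sit next to `oidc_configured: false`. Tests that use the bare factory will then depend on which of the two fields a component happens to consult. Either default the OIDC toggles to `false` here, or add a comment such as `// toggles default to enabled; oidc_configured still decides whether the OIDC button is shown` if that is the intended precedence. The legacy `allow_registration: true` is kept beside `password_registration: true`, so the same question applies to that pair.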
@@ -471,14 +471,11 @@ describe('OIDC Settings', () => {
 expect(result.client_id).toBe('my-client');
 });
- it('ADMIN-SVC-049 — updateOidcSettings sets oidc_only flag correctly', () => {
- updateOidcSettings({ oidc_only: true });
- const enabled = getOidcSettings() as any;
- expect(enabled.oidc_only).toBe(true);
-
- updateOidcSettings({ oidc_only: false });
- const disabled = getOidcSettings() as any;
- expect(disabled.oidc_only).toBe(false);
+ it('ADMIN-SVC-049 — updateOidcSettings does not write oidc_only (replaced by granular toggles)', () => {
+ updateOidcSettings({ issuer: 'https://auth.example.com', client_id: 'my-client' });
+ const result = getOidcSettings() as any;
+ // oidc_only is no longer managed by updateOidcSettings; use password_login/oidc_login toggles
+ expect(result.oidc_only).toBe(false);
 });
 });
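Review bot: The rewritten ADMIN-SVC-049 case in server/tests/unit/services/adminService.test.ts never passes `oidc_only` to `updateOidcSettings`, so it cannot fail if the service still persists that flag; it only checks the value returned when nobody tried to set it. To pin the behaviour named in the title, send the legacy field and assert it is ignored: `updateOidcSettings({ issuer: 'https://auth.example.com', client_id: 'my-client', oidc_only: true } as any);` followed by the existing `expect(result.oidc_only).toBe(false);`. That is the case worth guarding, because an older admin client replaying the previous payload should not be able to change the authentication mode through this path. The `as any` on `getOidcSettings()` also hides whether `oidc_only` is still part of the declared return type.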