diff --git a/.env.sample b/.env.sample
index d4aca8d..921bc3f 100644
--- a/.env.sample
+++ b/.env.sample
@@ -79,7 +79,6 @@ ENABLE_REGISTRATION=false
 #SECRET_MAS_SIGNING_RSA_VERSION=v1 # generate=false
 #### MAS upstream OIDC provider (e.g. Authentik)
-# See mas-authentik-and-roadmap.md for migration procedure.
 # Create a new OAuth2 app in your IdP with redirect URI: https:///upstream/callback/
 #COMPOSE_FILE="$COMPOSE_FILE:compose.mas-upstream.yml"
 #MAS_UPSTREAM_PROVIDER_ID= # ULID, e.g. 01JSHPZHAXC50QBKH67MH33TNF — generate at https://www.ulidtools.com
diff --git a/compose.mas.yml b/compose.mas.yml
index 629eef1..64f7670 100644
--- a/compose.mas.yml
+++ b/compose.mas.yml
@@ -21,6 +21,23 @@ services:
 - mas_encryption
 - mas_synapse_shared
 - mas_signing_rsa
+ # Official image is distroless (no curl/wget); upstream suggests `mas-cli config check` for probes.
+ # See https://github.com/element-hq/matrix-authentication-service/issues/3741 — validates config, not HTTP.
+ # GET /health is still served (resource `health` in mas.config.yaml.tmpl) for probes from other images.
+ healthcheck:
+ test:
+ [
+ "CMD",
+ "/usr/local/bin/mas-cli",
+ "--config",
+ "/etc/mas/config.yaml",
+ "config",
+ "check",
+ ]
+ interval: 30s
+ timeout: 10s
+ retries: 3
+ start_period: 60s
 deploy:
 restart_policy:
 condition: on-failure
diff --git a/mas.config.yaml.tmpl b/mas.config.yaml.tmpl
index 59a74e0..7a344b1 100644
--- a/mas.config.yaml.tmpl
+++ b/mas.config.yaml.tmpl
@@ -19,6 +19,8 @@ http:
 - name: graphql
 playground: false
 - name: assets
+ # https://element-hq.github.io/matrix-authentication-service/reference/configuration.html#httplisteners
+ - name: health
 binds:
 - address: "[::]:8080"
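Review bot: The healthcheck added to compose.mas.yml runs `mas-cli config check`, which (as the preceding comment itself states) validates the config file rather than HTTP, so the container reports healthy whenever the file parses even if the listener on 8080 is not accepting connections — any `depends_on` with `condition: service_healthy` or Swarm routing keyed on this status gets a liveness signal it does not actually have. The enclosing service definition (presumably the MAS service) starts before the hunk, so I cannot see whether anything depends on its health state. Since the image is distroless an in-container HTTP probe is not an option, so I would at least make the limitation explicit directly above `healthcheck:` with `# NOTE: passes whenever the config parses; it does not prove the listener is up — probe GET /health from outside the container for liveness.` As a style point, the multi-line flow sequence under `test:` would read better as block style (one `- "..."` per item) or as a single short flow line.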