diff --git a/core/archipelago/src/main.rs b/core/archipelago/src/main.rs
index 7a254c10..0a299c25 100644
--- a/core/archipelago/src/main.rs
+++ b/core/archipelago/src/main.rs
@@ -115,10 +115,9 @@ async fn main() -> Result<()> {
     // Ensure a default user exists so login works after install/onboarding.
     // In production, the default password is "password123" (shown during install).
     // In dev mode, the dev default password is used.
-    {
-        let auth = AuthManager::new(config.data_dir.clone());
-        auth.ensure_default_user().await?;
-    }
+    // Don't auto-create default user — let onboarding flow handle password setup
+    // via auth.setup RPC. The Login page detects is_setup=false and shows
+    // "Create Password" form instead of login form.
 
     // Create server
     let server = Server::new(config.clone()).await?;
diff --git a/neode-ui/src/api/rpc-client.ts b/neode-ui/src/api/rpc-client.ts
index e7eb684b..c9bf3db5 100644
--- a/neode-ui/src/api/rpc-client.ts
+++ b/neode-ui/src/api/rpc-client.ts
@@ -78,10 +78,10 @@ class RPCClient {
             }
             throw new Error('Session expired')
           }
-          // CSRF 403: retry once after short delay (cookie may have been
+          // CSRF 403: retry twice after delay (cookie may have been
           // updated by a concurrent Set-Cookie response not yet visible to JS)
           if (response.status === 403 && attempt < maxRetries - 1) {
-            await new Promise((r) => setTimeout(r, 300))
+            await new Promise((r) => setTimeout(r, 500))
             continue
           }
           const err = new Error(`HTTP ${response.status}: ${response.statusText}`)