diff --git a/docker/nats-auth.conf b/docker/nats-auth.conf
index dd9329f..001e445 100644
--- a/docker/nats-auth.conf
+++ b/docker/nats-auth.conf
@@ -8,9 +8,11 @@
 # On every real deploy, scripts/generate-nats-auth.mjs OVERWRITES this file
 # (on the host, not in git) with the privileged internal user + per-license
 # scoped users. NATS_AUTH_STAGE defaults to "enforce" (anonymous rejected).
+#
+# NOTE: no_auth_user is a TOP-LEVEL field, NOT inside authorization { }.
 authorization {
 users: [
 { user: "anonymous", password: "", permissions: { publish: { allow: ["corrosion.unclaimed.>"] }, subscribe: { allow: ["corrosion.unclaimed.>"] } } }
 ]
- no_auth_user: "anonymous"
 }
+no_auth_user: "anonymous"
diff --git a/scripts/generate-nats-auth.mjs b/scripts/generate-nats-auth.mjs
index df600d4..11c951e 100644
--- a/scripts/generate-nats-auth.mjs
+++ b/scripts/generate-nats-auth.mjs
@@ -86,10 +86,12 @@ const main = async () => {
 lines.push(' { user: "anonymous", password: "", permissions: { publish: { allow: ["corrosion.unclaimed.>"] }, subscribe: { allow: ["corrosion.unclaimed.>"] } } }');
 }
 lines.push(' ]');
- if (NATS_AUTH_STAGE === 'open') {
- lines.push(' no_auth_user: "anonymous"');
- }
 lines.push('}');
+ // no_auth_user is a TOP-LEVEL field, NOT inside authorization { } — nesting
+ // it makes nats-server reject the whole config ("unknown field no_auth_user").
+ if (NATS_AUTH_STAGE === 'open') {
+ lines.push('no_auth_user: "anonymous"');
+ }
 process.stdout.write(lines.join('\n') + '\n');
 };
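Review bot: The checked-in file now accepts unauthenticated connections as "anonymous" via the top-level `no_auth_user`, while the header comment three lines above says NATS_AUTH_STAGE defaults to "enforce" (anonymous rejected); the two only agree once scripts/generate-nats-auth.mjs has overwritten the file on the host. A reader who starts nats-server against this committed copy (generator not run, or run after the server started) gets the open stage, not the enforce stage the comment advertises. Suggest stating that explicitly in the comment block, e.g. `# This committed copy is the "open" stage: anonymous is accepted until the generator has run.` so the effective posture of the file in git is not inferred from a default that does not apply to it.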
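Review bot: Gating only `no_auth_user` on `NATS_AUTH_STAGE === 'open'` does not by itself reject anonymous clients, because the context line `lines.push(' { user: "anonymous", password: "", ... }')` still emits a user with an empty password, which any client can present explicitly with `user=anonymous`; whether that push is guarded by the same stage check cannot be seen here, since its enclosing `if` and the rest of `main` start before the hunk. If it is not, the "enforce" stage described in docker/nats-auth.conf still grants the unclaimed publish/subscribe permissions to anyone who asks for them by name. Suggest a comment on the moved block making the coupling explicit, e.g. `// Both the anonymous user entry above and no_auth_user must be gated on the same stage: an empty-password user is still a valid login even without no_auth_user.`, and, if the entry is currently unconditional, gating it on the same condition. Minor: the literal `"anonymous"` now appears in two emitted lines; a single `const ANONYMOUS_USER = 'anonymous'` would keep the user entry and the `no_auth_user` value from drifting apart.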