diff --git a/infrastructure/production/fleet/apps/operator.yaml b/infrastructure/production/fleet/apps/operator.yaml
index 8028e93..f16422e 100644
--- a/infrastructure/production/fleet/apps/operator.yaml
+++ b/infrastructure/production/fleet/apps/operator.yaml
@@ -13,7 +13,11 @@ metadata:
     app.kubernetes.io/name: operator
     app.kubernetes.io/part-of: dezky
 spec:
-  replicas: 2
+  # Single replica until OIDC sessions move to shared storage: nuxt-oidc-auth
+  # keeps sessions in per-pod memory, so with >1 replica every request that
+  # lands on the pod that did NOT handle the login gets 401. TODO: nitro
+  # session storage on the dezky-data Redis, then scale back up.
+  replicas: 1
   selector:
     matchLabels:
       app.kubernetes.io/name: operator
diff --git a/infrastructure/production/fleet/apps/portal.yaml b/infrastructure/production/fleet/apps/portal.yaml
index a6de2fb..a533040 100644
--- a/infrastructure/production/fleet/apps/portal.yaml
+++ b/infrastructure/production/fleet/apps/portal.yaml
@@ -10,7 +10,11 @@ metadata:
     app.kubernetes.io/name: portal
     app.kubernetes.io/part-of: dezky
 spec:
-  replicas: 2
+  # Single replica until OIDC sessions move to shared storage: nuxt-oidc-auth
+  # keeps sessions in per-pod memory, so with >1 replica every request that
+  # lands on the pod that did NOT handle the login gets 401. TODO: nitro
+  # session storage on the dezky-data Redis, then scale back up.
+  replicas: 1
   selector:
     matchLabels:
       app.kubernetes.io/name: portal