diff --git a/.env.example b/.env.example
index 3ae64be..797c27e 100644
--- a/.env.example
+++ b/.env.example
@@ -1,10 +1,24 @@
 DOCKERDIR=/opt/compose/keywarden
 
-KEYWARDEN_SECRET_KEY=
-# PostgreSQL Connection (These are default values, unneeded if matching environment)
+## Local Auth
+KEYWARDEN_SECRET_KEY=<!GENERATE SECRET HERE!>
+KEYWARDEN_ALLOW_LOCAL_LOGIN=true
+KEYWARDEN_ACCESS_TOKEN_EXPIRE_MINUTES=60
+
+## Optional OIDC
+# KEYWARDEN_OIDC_ENABLED=true
+# KEYWARDEN_OIDC_ISSUER=https://auth.example.com/application/o/<slug>
+# KEYWARDEN_OIDC_CLIENT_ID=keywarden
+# KEYWARDEN_OIDC_AUDIENCE=keywarden-api
+# KEYWARDEN_OIDC_JWKS_URL=https://auth.example.com/application/o/<slug>/jwks
+
+## Policy toggles
+# KEYWARDEN_REQUIRE_SSO=false           # if true, local login is disabled
+# KEYWARDEN_AUTO_PROVISION_OIDC=true    # JIT user creation
+
+## Postgres
 KEYWARDEN_POSTGRES_USER="postgres"
 KEYWARDEN_POSTGRES_PASSWORD="postgres"
 KEYWARDEN_POSTGRES_HOST="keywarden-db"
 KEYWARDEN_POSTGRES_PORT=5432
-KEYWARDEN_POSTGRES_DB="keywarden"
-KEYWARDEN_ACCESS_TOKEN_EXPIRE_MINUTES=60
\ No newline at end of file
+KEYWARDEN_POSTGRES_DB="keywarden"
\ No newline at end of file