diff --git a/.env.example b/.env.example
index acd088c..786ac49 100644
--- a/.env.example
+++ b/.env.example
@@ -5,7 +5,9 @@ LOCAL_URL=http://localhost
 PUBLIC_URL=
 # ─── Auth ──────────────────────────────────────────────────────────────────────
-# Generate a strong random secret: python -c "import secrets; print(secrets.token_hex(32))"
+# Signs and verifies JWT tokens. Anyone with this key can forge auth tokens,
+# so use a long random value in production and never commit it to git.
+# Generate: python -c "import secrets; print(secrets.token_hex(32))"
 JWT_SECRET_KEY=
 # ─── PostgreSQL ───────────────────────────────────────────────────────────────
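Review bot: The new comment above `JWT_SECRET_KEY=` limits the strong-secret advice to production while the template still ships the key empty, so a reader is not told that an empty or short value is unsafe on any reachable deployment. I would add a line such as `# Required: the app should refuse to start when this is empty.` above the assignment. The code that loads this variable is not part of this diff, so confirm it fails closed rather than signing tokens with an empty key. If a single shared secret is used for signing, one more line would help operators: `# Changing this value invalidates every token already issued.`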