diff --git a/.github/actions/spelling/expect.txt b/.github/actions/spelling/expect.txt index 39d0cd2792..c53b4fd09a 100644 --- a/.github/actions/spelling/expect.txt +++ b/.github/actions/spelling/expect.txt @@ -97,3 +97,4 @@ VUB websecure WOR youngcw +OIDC diff --git a/docs/experimental/oauth-auth.md b/docs/experimental/oauth-auth.md index 82a1607201..7e08128940 100644 --- a/docs/experimental/oauth-auth.md +++ b/docs/experimental/oauth-auth.md 
@@ -115,6 +115,55 @@ When setup is done, you will be redirected to the _login_ page: ![](/static/img/oauth/first-login.png) +### Environment Variables + +#### `ACTUAL_OPENID_DISCOVERY_URL` +- **Purpose:** If your OpenID provider supports discovery, this is the URL where discovery metadata can be found. +**Example Value:** `https://provider.tld/.well-known/openid-configuration` + +#### `ACTUAL_OPENID_CLIENT_ID` +- **Purpose:** The client ID issued by your OpenID provider. +**Example Value:** `my-actual-app` + +#### `ACTUAL_OPENID_CLIENT_SECRET` +- **Purpose:** The client secret issued by your OpenID provider. +**Example Value:** `super-secret-value` + +#### `ACTUAL_OPENID_SERVER_HOSTNAME` +- **Purpose:** The public URL of your Actual Server, which the provider redirects to after authentication. +**Example Value:** `https://actual.myserver.com` + +#### `ACTUAL_OPENID_AUTHORIZATION_ENDPOINT` +- **Purpose:** Provider’s authorization endpoint (for providers that don’t support discovery). +**Example Value:** `https://provider.com/oauth2/authorize` + +#### `ACTUAL_OPENID_TOKEN_ENDPOINT` +- **Purpose:** Provider’s token endpoint (for providers that don’t support discovery). +**Example Value:** `https://provider.com/oauth2/token` + +#### `ACTUAL_OPENID_USERINFO_ENDPOINT` +- **Purpose:** Provider’s user-info endpoint (for providers that don’t support discovery). +**Example Value:** `https://provider.com/oauth2/userinfo` + +#### `ACTUAL_OPENID_AUTH_METHOD` +- **Purpose:** Tells the server whether it should use the OpenID (OIDC) or a more general OAuth2 flow. +**Possible Values:** + - `openid` (default) + - `oauth2` + +**Tip:** Use `oauth2` for providers like GitHub that don’t fully support OpenID discovery. + +#### `ACTUAL_OPENID_ENFORCE` +- **Purpose:** Forces OpenID/OAuth2 authentication as the only allowed login method when set to `true`. 
+**Example Value:** `true` or `false` (default is `false`) + +#### `ACTUAL_TOKEN_EXPIRATION` +- **Purpose:** Controls how access tokens expire. +**Possible Values:** + - `"never"` (tokens never expire - **current default**) + - `"openid-provider"` (tokens follow the expiration time from the OpenID provider) + - A numeric value in seconds (e.g., `3600` for 1 hour) + + :::tip Configuring the OpenID provider from options supports discovery; otherwise, use [file configuration](oauth-auth#config-using-configuration-file) -:::
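Review bot: The `-:::` at the end of this hunk removes the closing fence of the `:::tip` admonition that opens with `:::tip Configuring the OpenID provider from options supports discovery`, and no replacement `:::` is visible in the added lines; unless the closing fence is re-added further down, every section that follows will render inside the tip box. Two further points on the new Environment Variables section: the `ACTUAL_TOKEN_EXPIRATION` entry documents `"never"` as the current default, and a reader choosing between `"never"`, `"openid-provider"` and a numeric value would benefit from one sentence noting that non-expiring access tokens cannot be invalidated by the provider and that `"openid-provider"` or a numeric value such as `3600` is the safer choice for a server exposed via `ACTUAL_OPENID_SERVER_HOSTNAME`; similarly, the `ACTUAL_OPENID_CLIENT_SECRET` entry could remind operators that `super-secret-value` is a placeholder and that the real secret should be supplied from an environment or secrets file rather than committed alongside the other variables. Finally, the list formatting is inconsistent across the entries: `- **Purpose:**` is a bullet while `**Example Value:**` and `**Possible Values:**` are not, so making all three bullets (`- **Example Value:** ...`) would render them as one list per variable.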