diff --git a/.env.example b/.env.example
index 41147e2..a5ee584 100644
--- a/.env.example
+++ b/.env.example
@@ -1,4 +1,4 @@
-# Required: API key for authentication
+# Required: Password for web UI login and credential encryption (use a strong unique password)
 # API_KEY=your-secret-key-here
 
 # Optional Configuration
diff --git a/README.md b/README.md
index ab17dce..d12ff91 100644
--- a/README.md
+++ b/README.md
@@ -276,5 +276,6 @@ curl http://localhost:8080/api/v1/health \
 }
 ```
 
+## API Key Security
 
-
+Your API_KEY is both the login password and the master encryption key for all integration credentials. Use a strong unique password. Changing it will make all encrypted credentials unrecoverable.