diff --git a/.env.example b/.env.example
index 1fdbfb0..3ce81b6 100644
--- a/.env.example
+++ b/.env.example
@@ -5,7 +5,5 @@ POSTGRES_DB=budget
 POSTGRES_USER=budget
 POSTGRES_PASSWORD=changeme
 
-# Client (baked into Vite build)
-VITE_AUTH_AUTHORITY=https://auth.stwaddle.com
-VITE_AUTH_CLIENT_ID=budget-client
-VITE_AUTH_REDIRECT_URI=https://budget.stwaddle.com/callback
+# Note: client OIDC values live in src/Budget.Client/.env (committed).
+# Override locally in src/Budget.Client/.env.local (gitignored).
diff --git a/.gitignore b/.gitignore
index add57be..aaffe88 100644
--- a/.gitignore
+++ b/.gitignore
@@ -2,4 +2,7 @@ bin/
 obj/
 /packages/
 riderModule.iml
-/_ReSharper.Caches/
\ No newline at end of file
+/_ReSharper.Caches/
+
+# Local dev overrides (contain localhost URLs, not secrets)
+src/Budget.Client/.env.local
\ No newline at end of file
diff --git a/Dockerfile b/Dockerfile
index bc68c4d..87ae264 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -5,14 +5,6 @@ COPY src/Budget.Client/package*.json ./
 RUN npm ci
 COPY src/Budget.Client/ ./
 
-ARG VITE_AUTH_AUTHORITY=https://auth.stwaddle.com/
-ARG VITE_AUTH_CLIENT_ID=budget-client
-ARG VITE_AUTH_REDIRECT_URI=https://budget.stwaddle.com/callback
-
-ENV VITE_AUTH_AUTHORITY=$VITE_AUTH_AUTHORITY
-ENV VITE_AUTH_CLIENT_ID=$VITE_AUTH_CLIENT_ID
-ENV VITE_AUTH_REDIRECT_URI=$VITE_AUTH_REDIRECT_URI
-
 RUN npm run build
 
 # Stage 2: Build and publish ASP.NET app
diff --git a/src/Budget.Client/.env b/src/Budget.Client/.env
new file mode 100644
index 0000000..b67bff7
--- /dev/null
+++ b/src/Budget.Client/.env
@@ -0,0 +1,4 @@
+VITE_OIDC_AUTHORITY=https://auth.stwaddle.com
+VITE_OIDC_CLIENT_ID=budget-client
+VITE_OIDC_REDIRECT_URI=https://budget.stwaddle.com/callback
+VITE_OIDC_POST_LOGOUT_REDIRECT_URI=https://budget.stwaddle.com
diff --git a/src/Budget.Client/src/auth/authConfig.ts b/src/Budget.Client/src/auth/authConfig.ts
index 1a2acb7..dca0b19 100644
--- a/src/Budget.Client/src/auth/authConfig.ts
+++ b/src/Budget.Client/src/auth/authConfig.ts
@@ -1,11 +1,11 @@
 import type { UserManagerSettings } from 'oidc-client-ts';
 
 export const authConfig: UserManagerSettings = {
-  authority: import.meta.env.VITE_AUTH_AUTHORITY,
-  client_id: import.meta.env.VITE_AUTH_CLIENT_ID,
-  redirect_uri: import.meta.env.VITE_AUTH_REDIRECT_URI,
+  authority: import.meta.env.VITE_OIDC_AUTHORITY,
+  client_id: import.meta.env.VITE_OIDC_CLIENT_ID,
+  redirect_uri: import.meta.env.VITE_OIDC_REDIRECT_URI,
   response_type: 'code',
   scope: 'openid profile email offline_access budget_api',
-  post_logout_redirect_uri: import.meta.env.VITE_AUTH_REDIRECT_URI?.replace('/callback', ''),
+  post_logout_redirect_uri: import.meta.env.VITE_OIDC_POST_LOGOUT_REDIRECT_URI,
   automaticSilentRenew: true,
 };