diff --git a/.env.example b/.env.example
index efa0df7..3c1dd89 100644
--- a/.env.example
+++ b/.env.example
@@ -1,16 +1,25 @@
 # BilHej Environment Variables
 # Copy this file to .env and fill in your keys.
+#
+#   cp .env.example .env
+#
+# Docker Compose reads .env from the project root automatically.
 
-# PostgreSQL
+# ---------- PostgreSQL ----------
 POSTGRES_DB=bilhej
 POSTGRES_USER=bilhej
 POSTGRES_PASSWORD=change_me
 
-# JWT
+# ---------- JWT ----------
+# Generate a secure random secret:
+#   openssl rand -hex 32
 JWT_SECRET=change_me_to_a_random_64_char_string
 
-# Stripe
+# ---------- Stripe (Phase 1) ----------
+# Test keys from Stripe Dashboard: https://dashboard.stripe.com/test/apikeys
 STRIPE_SECRET_KEY=sk_test_...
+# Webhook secret from stripe CLI: stripe listen --print-secret
 STRIPE_WEBHOOK_SECRET=whsec_...
+# Price ID from Stripe Dashboard: https://dashboard.stripe.com/test/products
 STRIPE_PRICE_ID=price_...
 
diff --git a/backend/build.gradle b/backend/build.gradle
index bb2c802..9afc24a 100644
--- a/backend/build.gradle
+++ b/backend/build.gradle
@@ -24,10 +24,13 @@ dependencies {
 	implementation 'org.springframework.boot:spring-boot-starter-validation'
 	implementation 'org.springframework.boot:spring-boot-starter-webmvc'
 	implementation 'org.flywaydb:flyway-database-postgresql'
+	implementation 'io.jsonwebtoken:jjwt-api:0.12.6'
 	developmentOnly 'org.springframework.boot:spring-boot-devtools'
 	compileOnly 'org.projectlombok:lombok'
 	runtimeOnly 'com.h2database:h2'
 	runtimeOnly 'org.postgresql:postgresql'
+	runtimeOnly 'io.jsonwebtoken:jjwt-impl:0.12.6'
+	runtimeOnly 'io.jsonwebtoken:jjwt-jackson:0.12.6'
 	annotationProcessor 'org.projectlombok:lombok'
 	testImplementation 'org.springframework.boot:spring-boot-starter-data-jpa-test'
 	testImplementation 'org.springframework.boot:spring-boot-starter-flyway-test'
diff --git a/backend/src/main/resources/application-docker.yml b/backend/src/main/resources/application-docker.yml
index b4bdb92..7424df4 100644
--- a/backend/src/main/resources/application-docker.yml
+++ b/backend/src/main/resources/application-docker.yml
@@ -11,3 +11,7 @@ spring:
 
   jpa:
     database-platform: org.hibernate.dialect.PostgreSQLDialect
+
+app:
+  jwt:
+    secret: ${JWT_SECRET}
diff --git a/backend/src/main/resources/application.yml b/backend/src/main/resources/application.yml
index c5a1d69..88453b5 100644
--- a/backend/src/main/resources/application.yml
+++ b/backend/src/main/resources/application.yml
@@ -23,3 +23,7 @@ spring:
   flyway:
     enabled: true
     locations: classpath:db/migration
+
+app:
+  jwt:
+    secret: ${JWT_SECRET:dev-secret-change-in-production}
diff --git a/docker-compose.prod.yml b/docker-compose.prod.yml
index f8f1c72..81a89e5 100644
--- a/docker-compose.prod.yml
+++ b/docker-compose.prod.yml
@@ -2,8 +2,6 @@ services:
   postgres:
     image: postgres:16
     container_name: bilhej-postgres-prod
-    ports:
-      - "5432:5432"
     environment:
       POSTGRES_DB: ${POSTGRES_DB}
       POSTGRES_USER: ${POSTGRES_USER}
@@ -22,8 +20,6 @@ services:
       dockerfile: docker/backend.prod.Dockerfile
       context: .
     container_name: bilhej-backend-prod
-    ports:
-      - "8080:8080"
     environment:
       SPRING_PROFILES_ACTIVE: docker
       POSTGRES_DB: ${POSTGRES_DB}
@@ -45,13 +41,19 @@ services:
     container_name: bilhej-frontend-prod
     ports:
       - "3000:80"
-      - "443:443"
     depends_on:
       - backend
     volumes:
       - certs:/etc/nginx/certs
+    networks:
+      - default
+      - web
     restart: unless-stopped
 
 volumes:
   pgdata-prod:
   certs:
+
+networks:
+  web:
+    external: true