diff --git a/.env.example b/.env.example
index ee2a838c..681280f2 100644
--- a/.env.example
+++ b/.env.example
@@ -1,42 +1,60 @@
 # Ingestion Configuration
-# Set to true to disable Langflow ingestion and use traditional OpenRAG processor
-# If unset or false, Langflow pipeline will be used (default: upload -> ingest -> delete)
+# Set to true to disable Langflow ingestion and use the traditional OpenRAG processor.
+# If unset or false, the Langflow pipeline is used (default: upload -> ingest -> delete).
 DISABLE_INGEST_WITH_LANGFLOW=false
-# make one like so https://docs.langflow.org/api-keys-and-authentication#langflow-secret-key
+
+# Create a Langflow secret key:
+# https://docs.langflow.org/api-keys-and-authentication#langflow-secret-key
 LANGFLOW_SECRET_KEY=
 
-# flow ids for chat and ingestion flows
+
+# Flow IDs for chat and ingestion
 LANGFLOW_CHAT_FLOW_ID=1098eea1-6649-4e1d-aed1-b77249fb8dd0
 LANGFLOW_INGEST_FLOW_ID=5488df7c-b93f-4f87-a446-b67028bc0813
-# Ingest flow using docling
+# Ingest flow using Docling
 # LANGFLOW_INGEST_FLOW_ID=1402618b-e6d1-4ff2-9a11-d6ce71186915
 NUDGES_FLOW_ID=ebc01d31-1976-46ce-a385-b0240327226c
 
-# Set a strong admin password for OpenSearch; a bcrypt hash is generated at
-# container startup from this value. Do not commit real secrets.
-# must match the hashed password in secureconfig, must change for secure deployment!!!
+
+# OpenSearch Auth
+# Set a strong admin password for OpenSearch.
+# A bcrypt hash is generated at container startup from this value.
+# Do not commit real secrets.
+# Must be changed for secure deployments.
 OPENSEARCH_PASSWORD=
 
-# make here https://console.cloud.google.com/apis/credentials
+
+# Google OAuth
+# Create credentials here:
+# https://console.cloud.google.com/apis/credentials
 GOOGLE_OAUTH_CLIENT_ID=
 GOOGLE_OAUTH_CLIENT_SECRET=
 
-# Azure app registration credentials for SharePoint/OneDrive
+
+# Microsoft (SharePoint/OneDrive) OAuth
+# Azure app registration credentials.
 MICROSOFT_GRAPH_OAUTH_CLIENT_ID=
 MICROSOFT_GRAPH_OAUTH_CLIENT_SECRET=
 
-# OPTIONAL: dns routable from google (etc.) to handle continous ingest (something like ngrok works). This enables continous ingestion
+
+# Webhooks (optional)
+# Public, DNS-resolvable base URL (e.g., via ngrok) for continuous ingestion.
 WEBHOOK_BASE_URL=
 
+
+# API Keys
 OPENAI_API_KEY=
 
 AWS_ACCESS_KEY_ID=
 AWS_SECRET_ACCESS_KEY=
 
-# OPTIONAL url for openrag link to langflow in the UI
+
+# Langflow UI URL (optional)
+# Public URL to link OpenRAG to Langflow in the UI.
 LANGFLOW_PUBLIC_URL=
 
-# Langflow auth
+
+# Langflow Auth
 LANGFLOW_AUTO_LOGIN=False
 LANGFLOW_SUPERUSER=
 LANGFLOW_SUPERUSER_PASSWORD=