diff --git a/.env.example b/.env.example
new file mode 100644
index 0000000..fdf8a2f
--- /dev/null
+++ b/.env.example
@@ -0,0 +1,73 @@
+# SwissOID Configuration
+# The SwissOID issuer URL (OpenID Provider)
+SWISSOID_ISSUER=https://api.swissoid.com
+
+# Your client ID registered with SwissOID
+SWISSOID_CLIENT_ID=your-client-id
+
+# Your client secret (for confidential clients)
+SWISSOID_CLIENT_SECRET=your-client-secret-here
+
+# SwissOID token endpoint for exchanging authorization codes
+SWISSOID_TOKEN_ENDPOINT=https://api.swissoid.com/token
+
+# SwissOID JWKS URI for JWT verification
+SWISSOID_JWKS_URI=https://api.swissoid.com/.well-known/jwks.json
+
+# SwissOID authorize endpoint (optional, defaults to SWISSOID_ISSUER/authorize)
+SWISSOID_AUTHORIZE_ENDPOINT=https://api.swissoid.com/authorize
+
+# Redis Configuration
+# Redis connection URL (if provided, overrides host/port settings)
+REDIS_URL=redis://localhost:6379
+
+# Redis host (defaults to localhost if REDIS_URL not provided)
+REDIS_HOST=localhost
+
+# Redis port (defaults to 6379 if REDIS_URL not provided)
+REDIS_PORT=6379
+
+# Redis password (optional)
+REDIS_PASSWORD=
+
+# Redis database index (defaults to 0)
+REDIS_DB=0
+
+# RP (Relying Party) Configuration
+# Frontend URL where users should be redirected after authentication
+RP_FRONTEND_URL=http://localhost:3000
+
+# Base URL for OIDC redirect (used to construct callback URL)
+# The callback URL will be: OIDC_REDIRECT_BASE_URL/oidc/callback
+OIDC_REDIRECT_BASE_URL=http://localhost:3668
+
+# Alternative: Explicitly set the callback URL
+# RP_CALLBACK_URL=http://localhost:3668/oidc/callback
+
+# Cookie domain for session cookies (use leading dot for subdomains)
+# Examples:
+# localhost (for local development)
+# .example.com (for all subdomains of example.com)
+COOKIE_DOMAIN=localhost
+
+# Alternative cookie domain variable name (either COOKIE_DOMAIN or RP_COOKIE_DOMAIN works)
+# RP_COOKIE_DOMAIN=localhost
+
+# Session Configuration
+# Name of the session cookie
+SESSION_COOKIE_NAME=connect.sid
+
+# Secret key for signing sessions (use a strong random string in production)
+SESSION_SECRET=your-session-secret-here-use-strong-random-string
+
+# Secret for signing state parameters (optional, defaults to SESSION_SECRET + '-state-signing')
+# STATE_SIGNING_SECRET=your-state-signing-secret
+
+# Session TTL in seconds (optional, defaults to 7200 = 2 hours)
+# SESSION_TTL=7200
+
+# Refresh token TTL in seconds (optional, defaults to 604800 = 7 days)
+# REFRESH_TTL=604800
+
+# Refresh cookie name (optional, defaults to 'rid')
+# REFRESH_COOKIE_NAME=rid
\ No newline at end of file
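Review bot: `SESSION_SECRET` and `SWISSOID_CLIENT_SECRET` ship with non-empty placeholder strings, so a `.env` copied from this template without editing starts with a publicly known session-signing key, and per the comment on `STATE_SIGNING_SECRET` the state-signing key is then derived from that same known value. I would leave the secrets blank (`SESSION_SECRET=`) so an unconfigured deployment is distinguishable from a configured one, and extend the comment to something like `# Required. Generate at least 32 random bytes, e.g. openssl rand -base64 32; never reuse an example value`. Whether the application rejects an empty or placeholder secret at startup is not visible in this hunk and is worth confirming. The `COOKIE_DOMAIN` comment could also say that a leading-dot domain sends the session cookie to every subdomain, and the `http://` and `redis://` defaults could be marked as local-development values only.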