diff --git a/README.md b/README.md index 3be15e49f..5f5bcc8ac 100644 --- a/README.md +++ b/README.md @@ -115,7 +115,7 @@ We provide official container images hosted on [Docker Hub](https://hub.docker.c | `OIDC_CALLBACK_URL` | `string` (optional) | `${ROOT_URL}/api/auth/oidc/callback` | The OIDC callback URL | | `OIDC_CLIENT_ID` | `string` | | The OIDC client ID | | `OIDC_CLIENT_SECRET` | `string` | | The OIDC client secret | -| `OIDC_ISSUER` | `string` | | The OIDC issuer URL, used to discover the OIDC configuration via `/.well-known/openid-configuration` | +| `OIDC_ISSUER` | `string` | | The OIDC issuer URL, used to discover the OIDC configuration via `/.well-known/openid-configuration`. Must **not** include a trailing slash (e.g. `https://auth.example.com`, not `https://auth.example.com/`) — a trailing slash breaks discovery and `iss` claim validation. | | `OIDC_SCOPE` | `string[]` (optional) | `["openid"]` | The OIDC scope to request, e.g. `["email","openid","profile"]` | | `OIDC_TOKEN_URL` | `string` (optional) | | Manual override for the OIDC token endpoint (falls back to the discovery from the issuer) | | `OIDC_USER_INFO_URL` | `string` (optional) | | Manual override for the OIDC user info endpoint (falls back to the discovery from the issuer) |
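Review bot: the changed `OIDC_ISSUER` row documents the trailing-slash restriction, but nothing in this patch enforces it, so a misconfigured value still only surfaces as the discovery or `iss` validation failure the row describes. Consider pairing the README change with a configuration check that rejects (or normalizes) an `OIDC_ISSUER` ending in `/` and names the variable in its error message. The wording is also absolute: if the `iss` comparison is an exact string match, the more robust statement is that the value must match the provider's issuer identifier exactly, with the trailing slash given as the common mismatch. It would also help to say whether the failure still applies when `OIDC_TOKEN_URL` and `OIDC_USER_INFO_URL` are set, since both rows say they only fall back to discovery from the issuer.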