diff --git a/timetracker-chart/templates/NOTES.txt b/timetracker-chart/templates/NOTES.txt
index 7388a71..b62abc5 100644
--- a/timetracker-chart/templates/NOTES.txt
+++ b/timetracker-chart/templates/NOTES.txt
@@ -33,8 +33,13 @@ IMPORTANT NOTES:
 - Set postgresql.url in values.yaml to point to your existing database.
 - Make sure to change the OIDC configuration in values.yaml
 - Change the SESSION_SECRET from the default value for production
+- Set backend.jwt.secret to a dedicated secret in production (falls back to SESSION_SECRET if empty)
 - Configure ingress host and TLS settings for your environment
 
 OIDC Configuration Required:
- issuerUrl: {{ .Values.backend.oidc.issuerUrl | default "NOT SET - REQUIRED" }}
- clientId: {{ .Values.backend.oidc.clientId | default "NOT SET - REQUIRED" }}
\ No newline at end of file
+ issuerUrl: {{ .Values.backend.oidc.issuerUrl | default "NOT SET - REQUIRED" }}
+ clientId: {{ .Values.backend.oidc.clientId | default "NOT SET - REQUIRED" }}
+ iosRedirectUri: {{ .Values.backend.oidc.iosRedirectUri }}
+
+JWT (iOS Bearer auth):
+ jwt.secret: {{ if .Values.backend.jwt.secret }}(set){{ else }}NOT SET - falling back to session.secret{{ end }}
\ No newline at end of file
diff --git a/timetracker-chart/templates/backend-deployment.yaml b/timetracker-chart/templates/backend-deployment.yaml
index 9bf277a..ab86ee3 100644
--- a/timetracker-chart/templates/backend-deployment.yaml
+++ b/timetracker-chart/templates/backend-deployment.yaml
@@ -56,8 +56,12 @@ spec:
 value: {{ .Values.backend.oidc.clientId | quote }}
 - name: OIDC_REDIRECT_URI
 value: {{ (index .Values.ingress.hosts 0).host | printf "https://%s/api/auth/callback" | quote }}
+ - name: OIDC_IOS_REDIRECT_URI
+ value: {{ .Values.backend.oidc.iosRedirectUri | quote }}
 - name: SESSION_SECRET
 value: {{ .Values.backend.session.secret | quote }}
+ - name: JWT_SECRET
+ value: {{ .Values.backend.jwt.secret | quote }}
 - name: APP_URL
 value: {{ (index .Values.ingress.hosts 0).host | printf "https://%s" | quote }}
 ports:
diff --git a/timetracker-chart/values.yaml b/timetracker-chart/values.yaml
index 3d710ef..df0c60b 100644
--- a/timetracker-chart/values.yaml
+++ b/timetracker-chart/values.yaml
@@ -41,11 +41,21 @@ backend:
 oidc:
 issuerUrl: ""
 clientId: ""
+ # Redirect URI registered in the IDP for the iOS native app.
+ # Must match the custom URL scheme configured in the iOS app.
+ iosRedirectUri: "timetracker://oauth/callback"
 
 # Session configuration
 session:
 secret: "change-this-secret-in-production"
 
+ # JWT configuration (for iOS Bearer token auth)
+ # jwt.secret is used to sign backend-issued JWTs for the iOS app.
+ # If left empty it falls back to session.secret.
+ # Set this to a dedicated secret in production.
+ jwt:
+ secret: ""
+
 env:
 nodeEnv: production
 port: 3001
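Review bot: The new JWT_SECRET entry renders `value: ""` when backend.jwt.secret is left at its empty default, so the container always sees the variable defined-but-empty rather than absent; the fallback to the session secret described in values.yaml only works if the backend treats an empty string as unset, which is not visible here. If the fallback keys on presence, wrap the two added lines in `{{- if .Values.backend.jwt.secret }}` … `{{- end }}` so the variable is omitted when unset. Separately, JWT_SECRET (like the existing SESSION_SECRET) is inlined as a plain `value:` string, which puts a signing key into the rendered Deployment manifest and the Helm release record; the same concern applies to the values.yaml hunk, and `valueFrom.secretKeyRef` against a Secret would keep both keys out of the pod spec. The enclosing env list and `spec:` block start before the hunk.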
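Review bot: The comment `# If left empty it falls back to session.secret.` describes behaviour implemented in the backend, not in the chart — the deployment template passes the empty value through unchanged — so a reader of values.yaml cannot tell where the fallback lives; suggest `# If left empty the backend falls back to session.secret (the chart passes the value through as-is).` It is worth adding in the same comment that with both defaults unchanged, JWTs end up signed with the shipped placeholder `change-this-secret-in-production`, so the rotation advice applies to both keys. The `iosRedirectUri` default is a custom URL scheme, and on iOS such schemes are not exclusively bound to one app, so the comment above it should state that the IdP must enforce PKCE for this client (or that a universal-link https redirect is preferred); whether PKCE is enforced is not visible in this chart.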