diff --git a/docs/DEPLOYMENT.md b/docs/DEPLOYMENT.md
index b9895e33..6e697c55 100644
--- a/docs/DEPLOYMENT.md
+++ b/docs/DEPLOYMENT.md
@@ -139,7 +139,7 @@ All vars are set in `.env` at the repo root (copy from `.env.example`). The back
 - [ ] Set `APP_ADMIN_USERNAME` if you want a non-default admin login name (add to `.env` — not in `.env.example`)
 - [ ] Rotate `POSTGRES_PASSWORD` from `change-me`
 - [ ] Rotate `MINIO_ROOT_PASSWORD` from `change-me`
-- [ ] Set a strong `OCR_TRAINING_TOKEN` (`python3 -c "import secrets; print(secrets.token_hex(32))"`)
+- [ ] Set a strong `APP_OCR_TRAINING_TOKEN` (backend) and the matching `TRAINING_TOKEN` (OCR service) — both must be the same value (`python3 -c "import secrets; print(secrets.token_hex(32))"`)
 - [ ] Confirm `ALLOWED_PDF_HOSTS` is locked to your MinIO/S3 hostname — widening to `*` opens SSRF
 - [ ] Set `SPRING_PROFILES_ACTIVE=prod` in the prod overlay (not `dev,e2e` — that exposes Swagger UI and `/v3/api-docs`)
 - [ ] Use a dedicated MinIO service account for `S3_ACCESS_KEY` / `S3_SECRET_KEY`, not the root credentials
@@ -156,6 +156,7 @@ cp .env.example .env
 # Create the bucket named $MINIO_DEFAULT_BUCKETS with private access.
 # 3. Start the stack (prod overlay — see docs/infrastructure/production-compose.md)
+# docker-compose.prod.yml is NOT committed — create it from the guide above
 docker compose -f docker-compose.yml -f docker-compose.prod.yml up -d
 # 4. Flyway migrations run automatically on backend start.