diff --git a/.gitignore b/.gitignore
index 90ba9d3..d3dd778 100644
--- a/.gitignore
+++ b/.gitignore
@@ -74,3 +74,6 @@ backend/media_plans/
 backend/usage_logs/
 backend/user_access.json
 backend/box_tokens.json
+backend/config/development.env
+backend/config/production.env
+backend/config/box_jwt_config.json
diff --git a/backend/config/.env.template b/backend/config/.env.template
index 8956307..97b00f2 100644
--- a/backend/config/.env.template
+++ b/backend/config/.env.template
@@ -36,7 +36,7 @@ SENDER_EMAIL=noreply@your-domain.com
 ERROR_EMAIL=admin@your-domain.com
 REPORT_EMAILS=admin@your-domain.com
-# Box.com OAuth (per-creator user authentication for automation folders)
+# Box.com OAuth (per-creator user authentication — legacy/dormant scaffolding)
 # Register a Custom App with OAuth 2.0 (User Authentication) in Box Developer Console.
 # In the app's Configuration tab, add ALL the redirect URIs you'll use:
 # http://localhost:7183/auth/box/callback (local dev)
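Review bot: Adding `backend/config/development.env` and `backend/config/production.env` to .gitignore only stops future commits; the two files deleted later in this same commit held API keys, an SMTP password, a Flask SECRET_KEY and a Box client secret in plain text, and all of them stay readable in the repository history and in this diff. Every one of those credentials should be treated as exposed and rotated at the provider, because ignoring or deleting the path does not revoke them. The development and production files also carried identical OpenAI, Google, SMTP and Box values, so rotation is the moment to issue separate credentials per environment. A comment above the new entries such as `# Local secrets: never commit; copy from backend/config/.env.template` would record why they are ignored.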
@@ -46,4 +46,17 @@ REPORT_EMAILS=admin@your-domain.com
 # to set BOX_REDIRECT_URI per server — uncomment only as an override.
 BOX_CLIENT_ID=your-box-client-id
 BOX_CLIENT_SECRET=your-box-client-secret
-# BOX_REDIRECT_URI=
\ No newline at end of file
+# BOX_REDIRECT_URI=
+
+# Box.com JWT (service-account auth — used by /api/box/webhook for unattended QC)
+# Drop the JSON Box gives you for the "Custom App with Server Authentication (JWT)"
+# at backend/config/box_jwt_config.json (gitignored, scp'd onto each server).
+# Override the path with BOX_JWT_CONFIG_PATH if you store it elsewhere.
+# BOX_JWT_CONFIG_PATH=/opt/ai_qc/backend/config/box_jwt_config.json
+
+# Box V2 webhook signing keys (one app-level pair, used by every webhook the
+# Custom App owns). Get them from Box Developer Console → Custom App → Webhooks
+# tab → "Manage Signature Keys". Both are valid simultaneously — Box uses a
+# rolling-rotate model so you can rotate one at a time without downtime.
+BOX_WEBHOOK_PRIMARY_KEY=
+BOX_WEBHOOK_SECONDARY_KEY=
\ No newline at end of file
diff --git a/backend/config/development.env b/backend/config/development.env
deleted file mode 100644
index 49053ad..0000000
--- a/backend/config/development.env
+++ /dev/null
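Review bot: The new `BOX_WEBHOOK_PRIMARY_KEY=` and `BOX_WEBHOOK_SECONDARY_KEY=` entries ship empty, and the template does not say what the webhook endpoint does when they are unset. The handler is not part of this diff, so it should be confirmed that `/api/box/webhook` rejects requests rather than skipping signature verification when no key is configured. I would add `# Required wherever the webhook is reachable: with both keys empty no signature can verify and requests must be rejected.` above the two variables. The JWT block could also state that box_jwt_config.json carries the app's private key and must be readable only by the service account, e.g. `# chmod 600; owner = the user that runs the backend`.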
@@ -1,43 +0,0 @@ -# Development Environment Configuration -# This file is used for local development testing - -# OpenAI Configuration -OPENAI_API_KEY=sk-svcacct-HSREzGYDnN-vCVGAh6LhYqlNcJVF2oefMrY9oCsdDsQFmyVJyHpLb1eSb_mp_vP4YPl4T3BlbkFJzKaOrPghIzx76_22K8VjwO6j2JnoDEvrYDrgfrnA4WjD5sTMnhOqGHXximwGXFhUoYgA -GOOGLE_API_KEY=AIzaSyDMWN_PAnyU7bPmtWcEKq4LJfiu1KuwUsU - -# Azure AD / MSAL Authentication Configuration (Development App Registration) -# NOTE: You'll need to create a separate app registration for development -AZURE_TENANT_ID=e519c2e6-bc6d-4fdf-8d9c-923c2f002385 -AZURE_CLIENT_ID=9079054c-9620-4757-a256-23413042f1ef -AZURE_REDIRECT_URI=http://localhost:7183 - -# Flask Configuration -FLASK_ENV=development -SECRET_KEY=dev-secret-key-change-this-for-security -DEBUG_MODE=true -PORT=7183 - -# Application Configuration -ENVIRONMENT=development -BASE_URL=http://localhost:7183 -UPLOAD_FOLDER=uploads-dev -OUTPUT_FOLDER=output-dev - -# Development-specific settings -LOG_LEVEL=DEBUG -ENABLE_DEBUG_ENDPOINTS=true - -# Mailgun / SMTP (for email notifications) -SMTP_SERVER=smtp.mailgun.org -SMTP_PORT=587 -SMTP_USER=twist@mail.dev.oliver.solutions -SMTP_PASSWORD=102115e9f3b9d7332d0cd1d4329bc0d4-77751bfc-ca066b71 -SENDER_EMAIL=TWIST-UK-SERVER@oliver.agency -ERROR_EMAIL=nick.viljoen@brandtech.plus -REPORT_EMAILS=nick.viljoen@brandtech.plus - -# Box.com OAuth (per-creator user authentication for automation folders) -# Redirect URI is computed from each request — no need to hardcode it per server. -# Set BOX_REDIRECT_URI here only as an override if request-based detection fails. -BOX_CLIENT_ID=o9zxyl6j917q0bkndrwfi2x5zbdeanh5 -BOX_CLIENT_SECRET=yejdbWTeBOcdsDImpNQ7nvLJZad3e0Jm \ No newline at end of file diff --git a/backend/config/production.env b/backend/config/production.env deleted file mode 100644 index dba396a..0000000 --- a/backend/config/production.env +++ /dev/null 
@@ -1,42 +0,0 @@ -# Production Environment Configuration -# This file is used for production deployment on the web server - -# OpenAI Configuration -OPENAI_API_KEY=sk-svcacct-HSREzGYDnN-vCVGAh6LhYqlNcJVF2oefMrY9oCsdDsQFmyVJyHpLb1eSb_mp_vP4YPl4T3BlbkFJzKaOrPghIzx76_22K8VjwO6j2JnoDEvrYDrgfrnA4WjD5sTMnhOqGHXximwGXFhUoYgA -GOOGLE_API_KEY=AIzaSyDMWN_PAnyU7bPmtWcEKq4LJfiu1KuwUsU - -# Azure AD / MSAL Authentication Configuration (Production) -AZURE_TENANT_ID=e519c2e6-bc6d-4fdf-8d9c-923c2f002385 -AZURE_CLIENT_ID=9079054c-9620-4757-a256-23413042f1ef -AZURE_REDIRECT_URI=https://ai-sandbox.oliver.solutions/ai_qc/ - -# Flask Configuration -FLASK_ENV=production -SECRET_KEY=prod-ai-qc-oliver-solutions-2025-secure-key-9f8e7d6c5b4a3 -DEBUG_MODE=false -PORT=7184 - -# Application Configuration -ENVIRONMENT=production -BASE_URL=https://ai-sandbox.oliver.solutions/ai_qc -UPLOAD_FOLDER=uploads -OUTPUT_FOLDER=output - -# Production-specific settings -LOG_LEVEL=INFO -ENABLE_DEBUG_ENDPOINTS=false - -# Mailgun / SMTP (for email notifications) -SMTP_SERVER=smtp.mailgun.org -SMTP_PORT=587 -SMTP_USER=twist@mail.dev.oliver.solutions -SMTP_PASSWORD=102115e9f3b9d7332d0cd1d4329bc0d4-77751bfc-ca066b71 -SENDER_EMAIL=TWIST-UK-SERVER@oliver.agency -ERROR_EMAIL=nick.viljoen@brandtech.plus -REPORT_EMAILS=nick.viljoen@brandtech.plus - -# Box.com OAuth (per-creator user authentication for automation folders) -# Redirect URI is computed from each request — no need to hardcode it per server. -# Set BOX_REDIRECT_URI here only as an override if request-based detection fails. -BOX_CLIENT_ID=o9zxyl6j917q0bkndrwfi2x5zbdeanh5 -BOX_CLIENT_SECRET=yejdbWTeBOcdsDImpNQ7nvLJZad3e0Jm \ No newline at end of file