diff --git a/.env.example b/.env.example
index 06842cd..ef2fd78 100644
--- a/.env.example
+++ b/.env.example
@@ -12,9 +12,9 @@ ROOT_PATH=/solventum-image-metadata
 # === Azure AD / SSO ===
 AZURE_TENANT_ID=e519c2e6-bc6d-4fdf-8d9c-923c2f002385
 AZURE_CLIENT_ID=9079054c-9620-4757-a256-23413042f1ef
-AZURE_CLIENT_SECRET=YOUR_AZURE_CLIENT_SECRET_HERE
-# Must match Azure AD App Registration > Authentication > Redirect URIs exactly
-REDIRECT_URI=https://ai-sandbox.oliver.solutions/solventum-image-metadata/auth/callback
+# AZURE_CLIENT_SECRET is not needed (client-side MSAL.js flow)
+# Must match Azure AD App Registration > Authentication > SPA Redirect URIs exactly
+REDIRECT_URI=https://ai-sandbox.oliver.solutions/solventum-image-metadata/
 
 # === OpenAI (optional — for AI metadata generation) ===
 OPENAI_API_KEY=
diff --git a/templates/login.html b/templates/login.html
index a274d70..6f79ea9 100644
--- a/templates/login.html
+++ b/templates/login.html
@@ -316,7 +316,7 @@
                     auth: {
                         clientId: "{{ azure_client_id }}",
                         authority: "https://login.microsoftonline.com/{{ azure_tenant_id }}",
-                        redirectUri: window.location.origin + "{{ base }}/login",
+                        redirectUri: window.location.origin + "{{ base }}/",
                     },
                     cache: {
                         cacheLocation: "sessionStorage",