Update env-configuration.md

Classic298
2025-09-08 18:28:59 +02:00
committed by GitHub
parent 94e0e0d616
commit 97471cfd9d

@@ -2832,6 +2832,26 @@ If the OAuth picture claim is disabled by setting `OAUTH_PICTURE_CLAIM` to `''`
:::
#### `OAUTH_SESSION_TOKEN_ENCRYPTION_KEY`
- Type: `str`
- Default: Falls back to the value of `WEBUI_SECRET_KEY`.
- Description: Specifies the secret key used to encrypt and decrypt OAuth tokens stored server-side in the database. This is a critical security component for protecting user credentials at rest. If not set, it defaults to using the main `WEBUI_SECRET_KEY`, but it is highly recommended to set it to a unique, securely generated value for production environments.
:::warning
**Required for Multi-Replica Deployments**
In any production environment running more than one instance of Open WebUI (e.g., Docker Swarm, Kubernetes), this variable **MUST** be explicitly set to a persistent, shared secret. If left unset, each replica will generate or use a different key, causing session decryption to fail intermittently as user requests are load-balanced across instances.
:::
#### `ENABLE_OAUTH_ID_TOKEN_COOKIE`
- Type: `bool`
- Default: `True`
- Description: Controls whether the legacy `oauth_id_token` cookie is set in the browser upon a successful OAuth login. This is provided for **backward compatibility** with custom tools or older versions that might rely on scraping this cookie. The new, recommended approach is to use the server-side session management.
- Usage: For new and secure deployments, it is recommended to set this to `False` to minimize the information exposed to the client-side. Keep it as `True` only if you have integrations that depend on the old cookie-based method.
#### `WEBUI_AUTH_TRUSTED_EMAIL_HEADER`
- Type: `str`