diff --git a/authelia/.env.example b/authelia/.env.example
index d09796b..a0d3507 100644
--- a/authelia/.env.example
+++ b/authelia/.env.example
@@ -5,7 +5,11 @@ AUTHELIA_JWT_SECRET=
 AUTHELIA_SESSION_SECRET=
 AUTHELIA_STORAGE_ENCRYPTION_KEY=
-# OIDC client secrets — generate with: openssl rand -hex 32
+# OIDC HMAC secret (top-level key, env var works here)
 AUTHELIA_IDENTITY_PROVIDERS_OIDC_HMAC_SECRET=
-AUTHELIA_OIDC_CLIENT_SECRET_LINKDING=
-AUTHELIA_OIDC_CLIENT_SECRET_OPEN_WEBUI=
+
+# OIDC client secrets are stored as PBKDF2-SHA512 hashes in secret files on the host:
+# /srv/authelia/config/secrets/oidc_linkding
+# /srv/authelia/config/secrets/oidc_open_webui
+# Generate a hash: docker run --rm authelia/authelia:4.38 authelia crypto hash generate pbkdf2 --variant sha512 --password
+# The plaintext goes in the client app (e.g. LINKDING_OIDC_CLIENT_SECRET in linkding stack)
diff --git a/authelia/config/configuration.yaml b/authelia/config/configuration.yaml
index e4dc424..2b95083 100644
--- a/authelia/config/configuration.yaml
+++ b/authelia/config/configuration.yaml
@@ -65,7 +65,7 @@ identity_providers:
 clients:
 - client_id: open-webui
 client_name: Open WebUI
-client_secret: '${AUTHELIA_OIDC_CLIENT_SECRET_OPEN_WEBUI}'
+client_secret: '{{ secret "/config/secrets/oidc_open_webui" }}'
 public: false
 authorization_policy: one_factor
 token_endpoint_auth_method: client_secret_post
@@ -79,7 +79,7 @@ identity_providers:
 - client_id: linkding
 client_name: Linkding
-client_secret: '${AUTHELIA_OIDC_CLIENT_SECRET_LINKDING}'
+client_secret: '{{ secret "/config/secrets/oidc_linkding" }}'
 public: false
 authorization_policy: one_factor
 token_endpoint_auth_method: client_secret_post
diff --git a/authelia/docker-compose.yml b/authelia/docker-compose.yml
index 7dbb1cc..03466e9 100644
--- a/authelia/docker-compose.yml
+++ b/authelia/docker-compose.yml
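Review bot: The hash-generation command in the added comment ends with `--password` and no value, so as written it is either a usage error or invites the reader to append the plaintext on the command line, where it ends up in shell history and process listings. I would reword it to `# Generate a hash (enter the plaintext at the prompt rather than on the command line): docker run --rm -it authelia/authelia:4.38 authelia crypto hash generate pbkdf2 --variant sha512` and confirm against the 4.38 CLI that omitting the flag prompts interactively. The comment also lists the two host files but says nothing about who may read them; a one-line note that they should be owned by and readable only for the user the Authelia container runs as would complete the picture.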
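Review bot: The new `{{ secret "..." }}` values on both client_secret lines depend on Authelia's template config filter being switched on elsewhere, and the path is the in-container one rather than the /srv host path the .env.example comment lists; nothing in configuration.yaml records either fact, and the same applies to the linkding client in the second hunk. I would add above each changed line `# Resolved by the template config filter (X_AUTHELIA_CONFIG_FILTERS=template); container path under /config, file holds the PBKDF2-SHA512 digest, never the plaintext`. If the filter is not enabled the literal template text is presumably what Authelia sees as the client secret, so a note that OIDC client authentication would then fail at startup or at first token request is worth adding. The enclosing clients list starts outside the hunk.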
@@ -10,6 +10,7 @@ services:
 - AUTHELIA_JWT_SECRET=${AUTHELIA_JWT_SECRET}
 - AUTHELIA_SESSION_SECRET=${AUTHELIA_SESSION_SECRET}
 - AUTHELIA_STORAGE_ENCRYPTION_KEY=${AUTHELIA_STORAGE_ENCRYPTION_KEY}
+ - X_AUTHELIA_CONFIG_FILTERS=template
 networks:
 - npm-network
 - authelia-internal
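Review bot: Enabling the template filter lets configuration.yaml read any file the container can see, so the secret files under /config/secrets should be the only thing at that path and be mounted read-only; the hunk does not show the volume mount or the file ownership, so I cannot confirm that from here. I would add a comment above the new line, `# Enables Go templating in configuration.yaml so {{ secret "/config/secrets/..." }} can read the hashed OIDC client secrets`, and append `:ro` to the secrets mount if the existing volume line does not already have it. The rest of the service definition is outside the hunk.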