diff --git a/authelia/config/configuration.yaml b/authelia/config/configuration.yaml
index 2b95083..a2c2c48 100644
--- a/authelia/config/configuration.yaml
+++ b/authelia/config/configuration.yaml
@@ -59,9 +59,10 @@ identity_providers:
 - key_id: main
 algorithm: RS256
 use: sig
- # key: HOST-MANAGED — inline /srv/authelia/config/oidc.key contents here in the
- # host copy (/srv/authelia/config/configuration.yml). Never commit the key to git.
- # Generate with: openssl genrsa -out /srv/authelia/config/oidc.key 4096
+ # key is host-managed — never commit to git
+ # Host copy inlines the PEM content as a YAML block scalar (key: |)
+ # using Python to avoid shell $ interpolation of the PEM content.
+ # Generate with: openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:4096 -out /srv/authelia/config/oidc.key
 clients:
 - client_id: open-webui
 client_name: Open WebUI
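Review bot: The rewritten comment block under `use: sig` drops the host copy's path (`/srv/authelia/config/configuration.yml`, named in the removed lines) and says nothing about protecting the files, although it now states that the host copy carries the RSA private key inline. With the key held both in `oidc.key` and in the host configuration, I would add a line such as `# Host copy and oidc.key hold the OIDC signing key: keep both owner-readable only (chmod 600) and rotate the key if either is exposed.` and keep the host path in the comment. The stated reason for using Python may also need rewording, since a PEM body is base64 and normally contains no `$`; if the real concern is keeping the block scalar's indentation intact, say that instead. The key entry and the `clients` list both continue outside this hunk, so how the host copy is deployed is not visible here.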