diff --git a/bff/.env.example b/bff/.env.example index 2e3ac16b..eab580b9 100644 --- a/bff/.env.example +++ b/bff/.env.example @@ -35,6 +35,10 @@ SESSION_COOKIE_HTTPONLY="True" SESSION_COOKIE_SECURE="True" SESSION_COOKIE_SAMESITE="Strict" +# ECDSA P-256 private key in PEM format, used to encrypt session tokens +# Generate with: openssl ecparam -name prime256v1 -genkey -noout +SESSION_TOKEN_ENCRYPTION_KEY="replace-with-ec-private-key-pem-content" + # Server we're proxying BACKEND_ENDPOINT="http://host.docker.internal:8080/api" diff --git a/bff/README.md b/bff/README.md index 411a8ee6..61225e87 100644 --- a/bff/README.md +++ b/bff/README.md @@ -32,6 +32,7 @@ For more information on the BFF architecture, see: - `OAUTH_ENDPOINT_LOGOUT` - `FRONTEND_REDIRECT` - `OAUTH_LOGIN_REDIRECT_URI` +- `SESSION_TOKEN_ENCRYPTION_KEY` (ECDSA P-256 private key in PEM format) - Session cookie configuration: - `SESSION_COOKIE_NAME` - `SESSION_COOKIE_PATH` @@ -42,6 +43,11 @@ For more information on the BFF architecture, see: - `BACKEND_CONNECT_TIMEOUT_SECONDS` (default: `3`) - `BACKEND_READ_TIMEOUT_SECONDS` (default: `30`) +Generate a random `FLASK_SECRET_KEY` (see [Flask docs](https://flask.palletsprojects.com/en/stable/config/#SECRET_KEY)): +```bash +python -c 'import secrets; print(secrets.token_hex(32))' +``` + Generate a random `TOKEN_COOKIE_ENCRYPTION_KEY`: ```bash python - <<'PY' @@ -50,6 +56,15 @@ print(base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b'=').decode()) PY ``` +Generate a `SESSION_TOKEN_ENCRYPTION_KEY` (ECDSA P-256 private key in PEM format): +```bash +openssl ecparam -name prime256v1 -genkey -noout +``` +Store the output as a single-line value with literal `\n` separators in `.env`: +``` +SESSION_TOKEN_ENCRYPTION_KEY="-----BEGIN EC PRIVATE KEY-----\n...\n-----END EC PRIVATE KEY-----" +``` + **Run Locally (Flask / PyCharm)** 1. Ensure `.env` exists in the repo root. 2. Install dependencies.
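Review bot: In the `bff/.env.example` hunk, the comment `# ECDSA P-256 private key in PEM format, used to encrypt session tokens` pairs a signature algorithm with an encryption purpose: ECDSA signs and verifies, it does not encrypt. If the key is used to sign or MAC the session token, the comment (and the README entries that repeat the wording) should say "sign"; if it is used for an ECDH-derived content-encryption key (ECIES or JWE ECDH-ES), say "EC P-256" rather than "ECDSA" and name the scheme, since the variable name `SESSION_TOKEN_ENCRYPTION_KEY` and the comment currently disagree about what the key does. Either way, add a line stating that the value must be unique per deployment and that the real key must never be committed, which the placeholder alone does not convey.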
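Review bot: In the first `bff/README.md` hunk (`@@ -32,6 +32,7 @@`), `SESSION_TOKEN_ENCRYPTION_KEY` is appended to the OAuth/redirect group right before `- Session cookie configuration:`, although it is session state, so it reads better under that sub-list next to `SESSION_COOKIE_NAME`. More importantly, the README now documents two similarly named secrets, this one and `TOKEN_COOKIE_ENCRYPTION_KEY` (whose generation snippet follows further down), without saying what each protects; add a short clause to each entry distinguishing the two so operators do not set one and assume the other is covered.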
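Review bot: In the second `bff/README.md` hunk (`@@ -42,6 +43,11 @@`), the `FLASK_SECRET_KEY` snippet is correct (`secrets.token_hex(32)` yields 32 random bytes, which is what the linked Flask docs recommend), but the surrounding text should state that the value must stay stable across restarts and be identical on every instance behind a load balancer, because Flask uses it to sign the session cookie and changing it invalidates all existing sessions. One sentence after the fence is enough.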
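Review bot: In the third `bff/README.md` hunk (`@@ -50,6 +56,15 @@`), the instruction to store the PEM as a single line with literal `\n` separators only works if the loader expands escapes inside double quotes: python-dotenv does, but `docker run --env-file` passes the line verbatim (quotes and backslashes included), and the `.env.example` in this same patch targets `host.docker.internal`, so the README should say which loader is assumed. A more robust option is for the application to accept both forms by replacing a literal backslash-n sequence with a newline before parsing, or to accept a file path (e.g. a `SESSION_TOKEN_ENCRYPTION_KEY_FILE` variant) so the multi-line PEM never has to be flattened. Two smaller points: `openssl ecparam ... -genkey -noout` emits a SEC1 `-----BEGIN EC PRIVATE KEY-----` block, so if the parsing library expects PKCS#8 (`-----BEGIN PRIVATE KEY-----`) the doc should add `openssl pkcs8 -topk8 -nocrypt` to the pipeline; and the app should validate at startup that the variable is set, is not the example placeholder, and parses as a P-256 key, failing fast rather than on the first login request.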