diff --git a/.env.example b/.env.example
index 915179a..5d9a9cd 100644
--- a/.env.example
+++ b/.env.example
@@ -1,5 +1,12 @@
 # .env.example -- Copy to .env for development, .env.prod for production
 # DO NOT commit .env or .env.prod to git
+#
+# Quick start:
+#   cp .env.example .env
+#   docker compose --profile full build api && docker compose --profile full build poller && docker compose --profile full build frontend
+#   docker compose --profile full up -d
+#   open http://localhost:3000
+#   Login: admin@mikrotik-portal.dev / changeme-in-production
 
 # Environment (dev | staging | production)
 ENVIRONMENT=dev
@@ -9,10 +16,10 @@ DEBUG=true
 # Database
 POSTGRES_DB=mikrotik
 POSTGRES_USER=postgres
-POSTGRES_PASSWORD=CHANGE_ME_IN_PRODUCTION
-DATABASE_URL=postgresql+asyncpg://postgres:CHANGE_ME_IN_PRODUCTION@postgres:5432/mikrotik
-SYNC_DATABASE_URL=postgresql+psycopg2://postgres:CHANGE_ME_IN_PRODUCTION@postgres:5432/mikrotik
-APP_USER_DATABASE_URL=postgresql+asyncpg://app_user:CHANGE_ME_IN_PRODUCTION@postgres:5432/mikrotik
+POSTGRES_PASSWORD=postgres
+DATABASE_URL=postgresql+asyncpg://postgres:postgres@postgres:5432/mikrotik
+SYNC_DATABASE_URL=postgresql+psycopg2://postgres:postgres@postgres:5432/mikrotik
+APP_USER_DATABASE_URL=postgresql+asyncpg://app_user:app_password@postgres:5432/mikrotik
 
 # Poller database (different role, no RLS)
 POLLER_DATABASE_URL=postgres://poller_user:poller_password@postgres:5432/mikrotik
@@ -23,9 +30,12 @@ REDIS_URL=redis://redis:6379/0
 # NATS
 NATS_URL=nats://nats:4222
 
-# Security
-JWT_SECRET_KEY=CHANGE_ME_IN_PRODUCTION
-CREDENTIAL_ENCRYPTION_KEY=CHANGE_ME_IN_PRODUCTION
+# Security — these dev defaults work out of the box.
+# For production, generate unique values:
+#   JWT:    python3 -c "import secrets; print(secrets.token_urlsafe(64))"
+#   Fernet: python3 -c "import secrets, base64; print(base64.b64encode(secrets.token_bytes(32)).decode())"
+JWT_SECRET_KEY=dev-jwt-secret-do-not-use-in-production-replace-me
+CREDENTIAL_ENCRYPTION_KEY=LLLjnfBZTSycvL2U07HDSxUeTtLxb9cZzryQl0R9E4w=
 
 # First admin bootstrap (dev only)
 FIRST_ADMIN_EMAIL=admin@mikrotik-portal.dev