diff --git a/.env.example b/.env.example
index 628d8a9..1dab141 100644
--- a/.env.example
+++ b/.env.example
@@ -1,3 +1,6 @@
 PORT=3001
+# HEALTH_TOKEN is read at runtime only (process.env at startup).
+# On Coolify: MUST be is_runtime=true, is_buildtime=false.
+# Buildtime ARG leaks the secret in clear in application_deployment_queues.logs.
 HEALTH_TOKEN=change-me-to-a-strong-secret
 LOGTO_HEALTH_URL=https://auth.lacompagniemaximus.com/oidc/.well-known/openid-configuration
diff --git a/CLAUDE.md b/CLAUDE.md
index 523c17d..a3409a7 100644
--- a/CLAUDE.md
+++ b/CLAUDE.md
@@ -11,6 +11,7 @@ API sante minimaliste pour le VPS. ~127 lignes, Node 22 + HTTP natif.
 
 - Bearer token via env `HEALTH_TOKEN`
 - Fail-closed : si `HEALTH_TOKEN` non configure, toutes les requetes sont refusees
+- **Coolify** : `HEALTH_TOKEN` doit etre `is_runtime=true, is_buildtime=false`. Buildtime fait fuiter le secret en clair dans `application_deployment_queues.logs`. Voir `la-compagnie-maximus/docs/coolify-ops.md` section "Secrets en buildtime".
 
 ## Config