diff --git a/.env.example b/.env.example
index 5f825e44..57d0ceca 100644
--- a/.env.example
+++ b/.env.example
@@ -21,3 +21,14 @@
 # AirLLM model size (default: 70b).
 # 8b ~16 GB RAM | 70b ~140 GB RAM | 405b ~810 GB RAM
 # AIRLLM_MODEL_SIZE=70b
+
+# ── L402 Lightning secrets ───────────────────────────────────────────────────
+# HMAC secret for invoice verification. MUST be changed in production.
+# Generate with: python3 -c "import secrets; print(secrets.token_hex(32))"
+# L402_HMAC_SECRET=
+
+# HMAC secret for macaroon signing. MUST be changed in production.
+# L402_MACAROON_SECRET=
+
+# Lightning backend: "mock" (default) | "lnd"
+# LIGHTNING_BACKEND=mock
diff --git a/src/timmy_serve/l402_proxy.py b/src/timmy_serve/l402_proxy.py
index 9999cd3f..ba35c4e6 100644
--- a/src/timmy_serve/l402_proxy.py
+++ b/src/timmy_serve/l402_proxy.py
@@ -22,9 +22,15 @@ from timmy_serve.payment_handler import payment_handler
 
 logger = logging.getLogger(__name__)
 
-_MACAROON_SECRET = os.environ.get(
-    "L402_MACAROON_SECRET", "timmy-macaroon-secret"
-).encode()
+_MACAROON_SECRET_DEFAULT = "timmy-macaroon-secret"
+_MACAROON_SECRET_RAW = os.environ.get("L402_MACAROON_SECRET", _MACAROON_SECRET_DEFAULT)
+_MACAROON_SECRET = _MACAROON_SECRET_RAW.encode()
+
+if _MACAROON_SECRET_RAW == _MACAROON_SECRET_DEFAULT:
+    logger.warning(
+        "SEC: L402_MACAROON_SECRET is using the default value — set a unique "
+        "secret in .env before deploying to production."
+    )
 
 
 @dataclass
diff --git a/src/timmy_serve/payment_handler.py b/src/timmy_serve/payment_handler.py
index 3d3aea1e..a8cdfbce 100644
--- a/src/timmy_serve/payment_handler.py
+++ b/src/timmy_serve/payment_handler.py
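Review bot: The `L402_MACAROON_SECRET` entry carries no generation hint and nothing states that it must differ from `L402_HMAC_SECRET`, although the two keys are consumed by different modules in this same diff and should never be reused for both purposes. Suggest mirroring the line above it: `# Generate with: python3 -c "import secrets; print(secrets.token_hex(32))" — use a different value than L402_HMAC_SECRET`. Both placeholders are also written as `# L402_…_SECRET=`, so an operator who uncomments them without filling them in gets an empty value; a comment such as `# (leave unset rather than empty — an empty value is not rejected)` would be safer, or better, reject it in code.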
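Review bot: The new check only logs and then continues, so a deployment that sets `LIGHTNING_BACKEND=lnd` but forgets the secret still starts up with a publicly known macaroon key, and anyone reading this repository can mint valid macaroons; an empty `L402_MACAROON_SECRET=` (the shape `.env.example` shows) is also accepted silently and yields `b""` as the HMAC key. Since `os` is already used on these lines and the same diff introduces `LIGHTNING_BACKEND`, the guard can fail closed outside mock mode and treat empty or very short values like the default, keeping the warning for local development. Whether this module already reads `LIGHTNING_BACKEND` elsewhere is not visible here — if it does, reuse that value rather than reading the environment again. The proposed rewrite of the added lines follows.
```python
_MACAROON_SECRET_DEFAULT = "timmy-macaroon-secret"
_MACAROON_SECRET_RAW = os.environ.get("L402_MACAROON_SECRET", _MACAROON_SECRET_DEFAULT)
_MACAROON_SECRET = _MACAROON_SECRET_RAW.encode()

# A default, empty or very short key makes every macaroon signature forgeable.
# Outside mock mode that is fatal; in mock mode it is a loud warning only.
if _MACAROON_SECRET_RAW == _MACAROON_SECRET_DEFAULT or len(_MACAROON_SECRET_RAW) < 32:
    if os.environ.get("LIGHTNING_BACKEND", "mock") != "mock":
        raise RuntimeError(
            "SEC: L402_MACAROON_SECRET must be set to a unique value of at "
            "least 32 characters when LIGHTNING_BACKEND is not 'mock'."
        )
    logger.warning(
        "SEC: L402_MACAROON_SECRET is unset, empty or the default value — set "
        "a unique secret in .env before deploying to production."
    )
```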
@@ -20,7 +20,15 @@ from typing import Optional
 logger = logging.getLogger(__name__)
 
 # Secret key for HMAC-based invoice verification (mock mode)
-_HMAC_SECRET = os.environ.get("L402_HMAC_SECRET", "timmy-sovereign-sats").encode()
+_HMAC_SECRET_DEFAULT = "timmy-sovereign-sats"
+_HMAC_SECRET_RAW = os.environ.get("L402_HMAC_SECRET", _HMAC_SECRET_DEFAULT)
+_HMAC_SECRET = _HMAC_SECRET_RAW.encode()
+
+if _HMAC_SECRET_RAW == _HMAC_SECRET_DEFAULT:
+    logger.warning(
+        "SEC: L402_HMAC_SECRET is using the default value — set a unique "
+        "secret in .env before deploying to production."
+    )
 
 
 @dataclass
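Review bot: The added `if _HMAC_SECRET_RAW == _HMAC_SECRET_DEFAULT:` catches only the literal default, so an `L402_HMAC_SECRET` that is present but empty — exactly what uncommenting the `# L402_HMAC_SECRET=` placeholder from this diff's `.env.example` produces — passes without a warning and `_HMAC_SECRET` becomes `b""`, which makes every mock-mode invoice proof trivially forgeable. Suggest widening the condition to `if not _HMAC_SECRET_RAW or _HMAC_SECRET_RAW == _HMAC_SECRET_DEFAULT:` and wording the message accordingly, e.g. `"SEC: L402_HMAC_SECRET is unset, empty or the default value — set a unique "`. Note that this runs once at import time, so the secret cannot be corrected by setting the variable later in the process; worth a one-line comment such as `# Evaluated once at import; restart the process after changing the secret.` above the check.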