diff --git a/README.md b/README.md index 42e6e00..a35f679 100644 --- a/README.md +++ b/README.md @@ -346,6 +346,10 @@ OAuth must be enabled on the Seamless Auth API with `LOGIN_METHODS` including `o one configured `oauth_providers` entry. Provider client secrets live on the server and are referenced by environment variable name; they are never passed through this SDK. +For production providers, configure exact `redirectUris` on the Seamless Auth API. The SDK should +send the callback URL it expects to receive, but redirect allowlisting, signed state expiry, OIDC +nonce handling, email verification policy, and account-linking policy are enforced by the API. + The built-in views avoid logging OTPs, magic-link tokens, bootstrap tokens, PRF salts, or raw exception payloads that may contain sensitive request URLs.
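Review bot: The sentence "The SDK should send the callback URL it expects to receive" in this hunk is ambiguous; it reads as advice to the integrator rather than a statement of what the SDK does, so a reader cannot tell whether they must build and pass the redirect URI themselves or whether the SDK derives it. State it as behaviour ("The SDK sends, as `redirect_uri`, the callback URL it will handle") and say that the API rejects any `redirect_uri` not matching a configured `redirectUris` entry, since the next sentence already places enforcement on the API side. It would also help to spell out what "exact" means for `redirectUris` (full URL including scheme, host, port and path; no wildcard or prefix matching), because a reader who registers a bare origin will otherwise hit a mismatch at the first callback. Finally, the list "signed state expiry, OIDC nonce handling, email verification policy, and account-linking policy" should say whether the SDK still performs its own client-side check of the returned `state` before calling the API, or whether it forwards the value unchecked; as written it is unclear which side detects a tampered or replayed state first.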