From bbd90a29c7d3966ccb6d73629eff4c7f77963a32 Mon Sep 17 00:00:00 2001 From: Brandon Corbett Date: Wed, 27 May 2026 17:43:53 -0400 Subject: [PATCH] docs: small read me update --- README.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/README.md b/README.md index 42e6e00..a35f679 100644 --- a/README.md +++ b/README.md @@ -346,6 +346,10 @@ OAuth must be enabled on the Seamless Auth API with `LOGIN_METHODS` including `o one configured `oauth_providers` entry. Provider client secrets live on the server and are referenced by environment variable name; they are never passed through this SDK. +For production providers, configure exact `redirectUris` on the Seamless Auth API. The SDK should +send the callback URL it expects to receive, but redirect allowlisting, signed state expiry, OIDC +nonce handling, email verification policy, and account-linking policy are enforced by the API. + The built-in views avoid logging OTPs, magic-link tokens, bootstrap tokens, PRF salts, or raw exception payloads that may contain sensitive request URLs.
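Review bot: In the added README paragraph, "The SDK should send the callback URL it expects to receive" can be read either as a description of what the SDK does or as an instruction to the integrator, and it does not say what the integrator sees when that URL is not one of the API's `redirectUris`. Suggest phrasing it as a requirement on the caller (the callback URL passed to the SDK must exactly match one configured `redirectUris` entry) and adding one clause on how a mismatch surfaces, so readers know it is fixed in the API configuration rather than in the SDK. "For production providers" also leaves open whether non-production providers accept non-exact redirect URIs; if they do, say so explicitly, otherwise drop the qualifier. Minor: the subject "small read me update" undersells a change that documents which side enforces redirect allowlisting, state expiry, nonce handling and account-linking policy; a subject naming the OAuth redirect note would be easier to find in the log.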