diff --git a/get-started/connect/environment-variables.mdx b/get-started/connect/environment-variables.mdx
index 4cd24d9..65f7b0d 100644
--- a/get-started/connect/environment-variables.mdx
+++ b/get-started/connect/environment-variables.mdx
@@ -64,6 +64,32 @@ node -e "console.log(require('crypto').randomBytes(32).toString('hex'))"
openssl rand -hex 32
```
+### FOREST_EXECUTOR_ENCRYPTION_KEY
+
+Secret key used to encrypt the stored credentials of [OAuth-protected MCP connectors](/get-started/connect/integrations/mcp-servers). Required only when your deployment connects to such connectors.
+
+```bash
+FOREST_EXECUTOR_ENCRYPTION_KEY=your-32-byte-hex-secret
+```
+
+**Purpose:**
+- Encrypts the OAuth credentials of your MCP connectors at rest (AES-256-GCM), in the database of the executor — the service that runs your MCP connectors inside workflows
+- Use a **separate** secret from `FOREST_AUTH_SECRET`; do not reuse it
+- Read lazily: a deployment that doesn't use OAuth-protected MCP connectors runs fine without it
+
+**Generate a secure secret:**
+```bash
+openssl rand -hex 32
+```
+
+
+If you run several executor instances against the same database, set the **same** `FOREST_EXECUTOR_ENCRYPTION_KEY` on every instance. Otherwise an instance cannot decrypt credentials stored by another, and the affected connector calls will fail.
+
+
+
+Treat this key as permanent: there is no managed rotation. Changing it forces every affected user to reconnect their OAuth-protected MCP connectors.
+
+
### NODE_ENV (Node.js only)
Environment mode for Node.js applications.