diff --git a/nuxt.config.ts b/nuxt.config.ts
index 7b020a7..dc9eead 100644
--- a/nuxt.config.ts
+++ b/nuxt.config.ts
@@ -106,23 +106,6 @@ export default defineNuxtConfig({
     }
   },
   runtimeConfig: {
-    // OIDC configuration for nuxt-openid-connect module
-    openidConnect: {
-      op: {
-        issuer: process.env.KEYCLOAK_ISSUER,
-        clientId: process.env.KEYCLOAK_CLIENT_ID,
-        clientSecret: process.env.KEYCLOAK_CLIENT_SECRET,
-        callbackUrl: "",
-      },
-      config: {
-        cookieFlags: {
-          access_token: {
-            httpOnly: true,
-            secure: process.env.NODE_ENV === 'production',
-          }
-        }
-      }
-    },
     nocodb: {
       url: "",
       token: "",
@@ -146,7 +129,7 @@ export default defineNuxtConfig({
     op: {
       issuer: process.env.KEYCLOAK_ISSUER || "https://auth.portnimara.dev/realms/client-portal",
       clientId: process.env.KEYCLOAK_CLIENT_ID || "client-portal",
-      clientSecret: process.env.KEYCLOAK_CLIENT_SECRET || "",
+      clientSecret: process.env.KEYCLOAK_CLIENT_SECRET!, // Environment variable must be set
       callbackUrl: "", // Deprecated in v0.8.0+ but required by types - module uses /oidc/cb automatically
       scope: ["openid", "email", "profile"],
     },
diff --git a/server/api/debug/oidc-config.ts b/server/api/debug/oidc-config.ts
index efc437e..e117c36 100644
--- a/server/api/debug/oidc-config.ts
+++ b/server/api/debug/oidc-config.ts
@@ -3,10 +3,20 @@ export default defineEventHandler((event) => {
   
   // Return the OIDC configuration (without showing the actual secret)
   return {
-    issuer: config.openidConnect?.op?.issuer || 'NOT_SET',
-    clientId: config.openidConnect?.op?.clientId || 'NOT_SET',
-    clientSecret: config.openidConnect?.op?.clientSecret ? '***SET***' : 'NOT_SET',
-    secretLength: config.openidConnect?.op?.clientSecret?.length || 0,
+    // Runtime config
+    runtime: {
+      issuer: config.openidConnect?.op?.issuer || 'NOT_SET',
+      clientId: config.openidConnect?.op?.clientId || 'NOT_SET',
+      clientSecret: config.openidConnect?.op?.clientSecret ? '***SET***' : 'NOT_SET',
+      secretLength: config.openidConnect?.op?.clientSecret?.length || 0,
+    },
+    // Build-time config (what the module actually uses)
+    buildTime: {
+      issuer: process.env.KEYCLOAK_ISSUER || 'NOT_SET',
+      clientId: process.env.KEYCLOAK_CLIENT_ID || 'NOT_SET',
+      clientSecret: process.env.KEYCLOAK_CLIENT_SECRET ? '***SET***' : 'NOT_SET',
+      secretLength: process.env.KEYCLOAK_CLIENT_SECRET?.length || 0,
+    },
     environment: process.env.NODE_ENV,
     envVars: {
       KEYCLOAK_ISSUER: process.env.KEYCLOAK_ISSUER ? '***SET***' : 'NOT_SET',