diff --git a/.github/workflows/desktop-release.yml b/.github/workflows/desktop-release.yml
index 7336fa9bd..3ad529671 100644
--- a/.github/workflows/desktop-release.yml
+++ b/.github/workflows/desktop-release.yml
@@ -113,6 +113,7 @@ jobs:
         env:
           HOSTED_BACKEND_URL: ${{ vars.HOSTED_BACKEND_URL }}
           HOSTED_FRONTEND_URL: ${{ vars.HOSTED_FRONTEND_URL }}
+          GOOGLE_DESKTOP_CLIENT_ID: ${{ vars.GOOGLE_DESKTOP_CLIENT_ID }}
           POSTHOG_KEY: ${{ secrets.POSTHOG_KEY }}
           POSTHOG_HOST: ${{ vars.POSTHOG_HOST }}
 
@@ -143,6 +144,7 @@ jobs:
         working-directory: surfsense_desktop
         env:
           GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          GOOGLE_DESKTOP_CLIENT_ID: ${{ vars.GOOGLE_DESKTOP_CLIENT_ID }}
           WINDOWS_PUBLISHER_NAME: ${{ vars.WINDOWS_PUBLISHER_NAME }}
           AZURE_CODESIGN_ENDPOINT: ${{ vars.AZURE_CODESIGN_ENDPOINT }}
           AZURE_CODESIGN_ACCOUNT: ${{ vars.AZURE_CODESIGN_ACCOUNT }}
diff --git a/surfsense_desktop/.env.example b/surfsense_desktop/.env.example
index f4e797250..83e658db9 100644
--- a/surfsense_desktop/.env.example
+++ b/surfsense_desktop/.env.example
@@ -3,7 +3,14 @@
 
 # The hosted web frontend URL. Used to intercept OAuth redirects and keep them
 # inside the desktop app. Set to your production frontend domain.
-HOSTED_FRONTEND_URL=https://surfsense.com
+HOSTED_FRONTEND_URL=http://localhost:3000
+
+# The backend API URL used by desktop auth and refresh flows.
+HOSTED_BACKEND_URL=http://localhost:8000
+
+# Public Google OAuth Desktop app client ID. This is required for native
+# loopback + PKCE login and is safe to ship in the desktop app.
+GOOGLE_DESKTOP_CLIENT_ID=your_google_desktop_client_id.apps.googleusercontent.com
 
 # Runtime override for the above (read at app start, no rebuild required).
 # Useful for self-hosters whose backend NEXT_FRONTEND_URL differs from the