diff --git a/README.md b/README.md
index b74b096..41549f5 100644
--- a/README.md
+++ b/README.md
@@ -28,13 +28,23 @@ Set these as environment variables (or in `appsettings.json` under the `Oidc` se
 | `Oidc__TenantId` | Entra tenant GUID |
 | `Oidc__ClientId` | App registration client ID |
 | `Oidc__ClientSecret` | App registration client secret |
-| `ClientConnect__RedirectUri` | Public callback URL, e.g. `https://your-host/connect/callback` |
+| `ClientConnect__RedirectUri` | Callback for the per-profile SharePoint connect flow, e.g. `https://your-host/connect/callback` (see below — **not** an OIDC setting) |
 | `DataFolder` | Persistent data path (default `/data`) |
 | `ASPNETCORE_ENVIRONMENT` | Must be `Production` to enable OIDC |
 
 > In `Development`, OIDC is disabled — the app uses a cookie-only auto-login (hardcoded Admin) for local work.
 
-**Entra app registration** must include redirect URI `https://your-host/signin-oidc` and the Graph permissions required by the audit/reporting features (`GroupMember.Read.All`, `Group.Read.All`, `User.Read.All`).
+### Two distinct OAuth flows — two redirect URIs
+
+These are separate and registered on **different** Entra apps. Don't conflate them.
+
+1. **App sign-in (OIDC).** Logging into the toolbox itself via "Sign in with Microsoft". Uses the `Oidc__*` app above. Callback path is the framework default `/signin-oidc` (not configurable here).
+   → On **this** app registration, add redirect URI `https://your-host/signin-oidc` under the **Web** platform. This app also needs the Graph permissions the audit/reporting features require: `GroupMember.Read.All`, `Group.Read.All`, `User.Read.All`.
+
+2. **SharePoint connect (per-profile).** Getting a delegated SharePoint/Graph token for a client tenant. A PKCE public-client flow that uses **each connection profile's own `ClientId`/`TenantId`** — not the `Oidc__*` app. `ClientConnect__RedirectUri` is the callback for this flow.
+   → On **each client-tenant profile's** app registration, add the `ClientConnect__RedirectUri` value (e.g. `https://your-host/connect/callback`) under the **Mobile and desktop / public client** platform.
+
+> **HTTPS note.** The sign-in app is a confidential (Web) client, so Entra requires its `/signin-oidc` redirect URI to be **HTTPS** — plain HTTP is allowed only for `http://localhost`, not a LAN host/IP. To run OIDC on a plain-HTTP LAN deployment, put the app behind an HTTPS-terminating reverse proxy: register `https://your-host/signin-oidc`, and the app honours `X-Forwarded-Proto` (see `UseForwardedHeaders`) to build the correct `https` redirect. Without a proxy, OIDC sign-in won't work over a non-localhost HTTP host — use the local email/password login instead.
 
 Persistent state (profiles, settings, templates, logs, exports, certs) lives in `DataFolder`.