diff --git a/.env.example b/.env.example
new file mode 100644
index 00000000..53756547
--- /dev/null
+++ b/.env.example
@@ -0,0 +1,23 @@
+# Environment Variables for n8n-workflows
+# Copy this file to .env and configure with your own values
+
+# Security Configuration
+JWT_SECRET_KEY=your-secret-jwt-key-change-this-in-production
+ADMIN_PASSWORD=your-secure-admin-password-change-this
+
+# API Configuration
+ADMIN_TOKEN=your-admin-api-token-for-protected-endpoints
+
+# Database Configuration (optional)
+WORKFLOW_DB_PATH=database/workflows.db
+
+# Server Configuration (optional)
+HOST=127.0.0.1
+PORT=8000
+
+# CORS Origins (optional, comma-separated)
+ALLOWED_ORIGINS=http://localhost:3000,http://localhost:8080,https://zie619.github.io
+
+# Rate Limiting (optional)
+RATE_LIMIT_REQUESTS=60
+RATE_LIMIT_WINDOW=60
\ No newline at end of file
diff --git a/.gitignore b/.gitignore
index 6532fcda..85ab6ba7 100644
--- a/.gitignore
+++ b/.gitignore
@@ -20,8 +20,12 @@ wheels/
 .installed.cfg
 *.egg
-# Virtual environments
+# Environment files
 .env
+.env.local
+.env.production
+
+# Virtual environments
 .venv
 env/
 venv/
diff --git a/src/user_management.py b/src/user_management.py
index 0734d158..bc6cf275 100644
--- a/src/user_management.py
+++ b/src/user_management.py
@@ -15,9 +15,10 @@ import secrets
 import jwt
 from datetime import datetime, timedelta
 import json
+import os
-# Configuration
-SECRET_KEY = "your-secret-key-change-in-production"
+# Configuration - Use environment variables for security
+SECRET_KEY = os.environ.get("JWT_SECRET_KEY", secrets.token_urlsafe(32))
 ALGORITHM = "HS256"
 ACCESS_TOKEN_EXPIRE_MINUTES = 30
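Review bot: The sample values for `JWT_SECRET_KEY` and `ADMIN_PASSWORD` are valid, non-empty strings, so a deployment that copies this file to `.env` without editing runs with a publicly known signing key and admin password, and nothing in this diff rejects the placeholders. I would ship the two secret lines commented out (`# JWT_SECRET_KEY=` and `# ADMIN_PASSWORD=`) so an untouched copy leaves them unset and the random fallback in `user_management.py` applies, with a hint on minting a real value: `# Generate with: python -c "import secrets; print(secrets.token_urlsafe(32))"`. `ADMIN_TOKEN` is introduced here but no hunk in this diff reads it; if it is consumed elsewhere, a comment naming the endpoints it protects would help operators.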
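Review bot: The fallback `secrets.token_urlsafe(32)` in the new `SECRET_KEY` line is evaluated at import time, so an unset `JWT_SECRET_KEY` gives each process its own signing key: every restart invalidates all issued tokens, and under a multi-worker server a token minted by one worker fails verification in another, both silently. An empty `JWT_SECRET_KEY=` (what a `.env` loader exports for an unfilled line) also passes straight through `os.environ.get` and becomes an empty HS256 key. I would read the variable explicitly, treat empty as unset, and make the ephemeral case loud rather than silent; this needs `import warnings` alongside the new `import os`.
```python
SECRET_KEY = os.environ.get("JWT_SECRET_KEY")
if not SECRET_KEY:
    # Ephemeral key: tokens will not survive a restart or cross worker processes.
    SECRET_KEY = secrets.token_urlsafe(32)
    warnings.warn("JWT_SECRET_KEY is not set; using an ephemeral random key (development only)")
# … unchanged: ALGORITHM, ACCESS_TOKEN_EXPIRE_MINUTES …
```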
@@ -116,16 +117,22 @@ class UserManager:
 admin_count = cursor.fetchone()[0]
 if admin_count == 0:
- admin_password = "admin123" # Change in production
+ # Use environment variable or generate secure random password
+ admin_password = os.environ.get("ADMIN_PASSWORD", secrets.token_urlsafe(16))
 password_hash = self.hash_password(admin_password)
-
+
 cursor.execute(""" INSERT INTO users (username, email, full_name, password_hash, role) VALUES (?, ?, ?, ?, ?) """, ("admin", "admin@n8n-workflows.com", "System Administrator", password_hash, "admin"))
-
+
 conn.commit()
- print("Default admin user created: admin/admin123")
+ # Only print password if it was auto-generated (not from env)
+ if "ADMIN_PASSWORD" not in os.environ:
+ print(f"Default admin user created: admin/{admin_password}")
+ print("WARNING: Please change this password immediately after first login!")
+ else:
+ print("Default admin user created with environment-configured password")
 conn.close()
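Review bot: The printout guard `if "ADMIN_PASSWORD" not in os.environ` and the lookup `os.environ.get("ADMIN_PASSWORD", secrets.token_urlsafe(16))` disagree on an empty value: `ADMIN_PASSWORD=` exported with no value creates the admin with an empty password and then reports it as "environment-configured", so the weakest possible bootstrap goes unnoticed. I would use `admin_password = os.environ.get("ADMIN_PASSWORD") or secrets.token_urlsafe(16)` and key the message on the same test, `if not os.environ.get("ADMIN_PASSWORD"):`. The generated password is written to stdout, which in a container or service-manager deployment lands in persisted logs; that is tolerable for a one-time bootstrap but deserves a comment saying so, and the WARNING text promises nothing that the code enforces. The enclosing method begins before this hunk and `conn.close()` may not be its last statement.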