diff --git a/k8s/environments/production/configmap.yaml b/k8s/environments/production/configmap.yaml
index b64f55a..6b134fa 100644
--- a/k8s/environments/production/configmap.yaml
+++ b/k8s/environments/production/configmap.yaml
@@ -13,4 +13,13 @@ data:
 RABBITMQ_PORT: "5672"
 HTTP_API_PORT: "8000"
 ADMINER_PORT: "8080"
- CORS_ALLOWED_ORIGINS: "https://app.example.com"
+ CORS_ALLOWED_ORIGINS: "https://smartem.diamond.ac.uk"
+ # Keycloak OIDC integration. The backend rejects every non-exempt
+ # request that doesn't carry a valid Bearer token (always-on since
+ # smartem-decisions#285). KEYCLOAK_ALLOWED_AZP is the comma-separated
+ # azp allow-list; unset means any valid token from the realm is accepted.
+ KEYCLOAK_URL: "https://identity.diamond.ac.uk"
+ KEYCLOAK_ALLOWED_AZP: "SmartEM_User,SmartEM_Agent"
+ # TODO: confirm with DLS Keycloak admins before go-live
+ # KEYCLOAK_REALM
+ # KEYCLOAK_VERIFY_ISS (set "true" once realm is known so the issuer URL can be validated)
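Review bot: The two commented-out keys at the end of the hunk leave this production ConfigMap without KEYCLOAK_REALM and KEYCLOAK_VERIFY_ISS, so, going by the TODO's own wording, the issuer URL of incoming tokens is not validated until someone comes back to it. What the backend does when both are unset is not visible here (a default realm, a startup failure, or signature-only checking), so that should be confirmed before this is applied; until then the azp allow-list is the only restriction this file shows beyond the token being valid. I would land the values in the same change, `KEYCLOAK_REALM: "<realm-placeholder>"` and `KEYCLOAK_VERIFY_ISS: "true"`, or name a tracking issue in the TODO so that go-live is blocked on it. The entries in KEYCLOAK_ALLOWED_AZP should also be checked against the exact client IDs registered in the realm, since a case or spelling mismatch would presumably reject every request.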