diff --git a/docs/developer/README.md b/docs/developer/README.md index 9222f07c3..ad7ddd418 100644 --- a/docs/developer/README.md +++ b/docs/developer/README.md @@ -20,9 +20,15 @@ Visit the running application at [http://localhost:8080](http://localhost:8080). ## Setting Vars -Every environment variable for local development is set in [src/docker-compose.yml](../../src/docker-compose.yml). +Non-secret environment variables for local development are set in [src/docker-compose.yml](../../src/docker-compose.yml). -Including variables which would be secrets and set via a different mechanism elsewhere. +Secrets (for example, if you'd like to have a working Login.gov authentication) go in `.env` in [src/](../../src/) with contents like this: + +``` +DJANGO_SECRET_LOGIN_KEY="<...>" +``` + +You'll need to create the `.env` file yourself. Get the secrets from Cloud.gov by running `cf env getgov-unstable`. ## Viewing Logs diff --git a/docs/operations/runbooks/rotate_application_secrets.md b/docs/operations/runbooks/rotate_application_secrets.md index 0c2045ebe..b4c2a4746 100644 --- a/docs/operations/runbooks/rotate_application_secrets.md +++ b/docs/operations/runbooks/rotate_application_secrets.md @@ -14,10 +14,13 @@ Where `credentials-.json` looks like: ```json { "DJANGO_SECRET_KEY": "EXAMPLE", + "DJANGO_SECRET_LOGIN_KEY": "EXAMPLE", ... } ``` +(Specific credentials are mentioned below.) + You can see the current environment with `cf env `, for example `cf env getgov-unstable`. The command `cups` stands for [create user provided service](https://docs.cloudfoundry.org/devguide/services/user-provided.html). User provided services are the way currently recommended by Cloud.gov for deploying secrets. The user provided service is bound to the application in `manifest-.json`. 
@@ -31,4 +34,24 @@ cf cups getgov-credentials -p credentials-unstable.json cf restage getgov-unstable --strategy rolling ``` -Non-secret environment variables can be declared in `manifest-.json` directly. \ No newline at end of file +Non-secret environment variables can be declared in `manifest-.json` directly. + +## DJANGO_SECRET_KEY + +This is a standard Django secret key. See Django documentation for tips on generating a new one. + +## DJANGO_SECRET_LOGIN_KEY + +This is the base64 encoded private key used in the OpenID Connect authentication flow with Login.gov. It is used to sign a token during user login; the signature is examined by Login.gov before their API grants access to user data. + +Generate a new key using this command (or whatever is most recently recommended by Login.gov): + +```bash +openssl req -nodes -x509 -days 365 -newkey rsa:2048 -keyout private.pem -out public.crt +``` + +Encode it using: + +```bash +base64 private.pem +```
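Review bot: the `docs/developer/README.md` hunk tells developers to put `DJANGO_SECRET_LOGIN_KEY` in `src/.env` but says nothing about keeping that file out of version control; add a sentence that `.env` must never be committed and confirm that `src/.env` is covered by `.gitignore` (not visible in this patch). It would also help to state how the value reaches the container (for example an `env_file:` entry in `src/docker-compose.yml`), and to note that `cf env getgov-unstable` prints the whole environment, every other secret included, so the reader should copy only the one key they need.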
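Review bot: in the first `rotate_application_secrets.md` hunk, `(Specific credentials are mentioned below.)` is vague; suggest `Each key in this file is described in its own section below.` Also, the `"EXAMPLE"` placeholder for `DJANGO_SECRET_LOGIN_KEY` suggests a short string, but the value is the base64-encoded PEM produced later in the runbook, so a note that it must be one long line with no embedded newlines (which would make the JSON invalid and the `cf cups` call fail) would save a failed rotation.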
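Review bot: the new `DJANGO_SECRET_LOGIN_KEY` section generates `public.crt` but never says what to do with it. Since the text itself says Login.gov examines the signature, the new certificate has to be registered with Login.gov before the rotated private key is deployed, otherwise logins break after `cf restage getgov-unstable --strategy rolling`; add that step and its ordering. Two smaller points: GNU `base64` wraps output at 76 columns by default, so use `base64 -w 0 private.pem` (macOS `base64` does not wrap) to get a value that fits on one JSON line; and `-nodes` leaves `private.pem` unencrypted on disk, so tell the operator to delete it once the value is in the credentials file. `-days 365` also means the certificate expires after a year, which is worth stating as the rotation deadline.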