diff --git a/.env.example b/.env.example
index e69de29..fb9c3e6 100644
--- a/.env.example
+++ b/.env.example
@@ -0,0 +1,19 @@
+# portal — local dev environment.
+# Copy to .env.local (gitignored).
+
+# Tenant Registry — see platform/tenant-registry. Run `make dev` there.
+TENANT_REGISTRY_URL=http://localhost:8090
+
+# Keycloak (dev stack from platform/orca-platform/dev).
+KEYCLOAK_ISSUER=http://localhost:8080/realms/breakpilot-dev
+KEYCLOAK_CLIENT_ID=dev-portal
+# Public PKCE client — secret is structurally required by Auth.js but unused
+# at the OAuth code-exchange step. Any non-empty placeholder works in dev.
+KEYCLOAK_CLIENT_SECRET=unused-public-client
+
+# Auth.js v5 — required for JWT signing.
+# Generate with: openssl rand -base64 32
+AUTH_SECRET=dev-secret-change-me-do-not-ship-replace-with-32-byte-random
+AUTH_URL=http://localhost:3000
+
+# In prod we'd set AUTH_TRUST_HOST=true behind orca-proxy; dev is loopback so leave unset.
diff --git a/src/lib/tenant-registry.test.ts b/src/lib/tenant-registry.test.ts
index 4621c98..679641d 100644
--- a/src/lib/tenant-registry.test.ts
+++ b/src/lib/tenant-registry.test.ts
@@ -48,7 +48,7 @@ describe("fetchTenantBySlug", () => {
     globalThis.fetch = fetchSpy;
     await fetchTenantBySlug("acme");
     expect(fetchSpy).toHaveBeenCalledWith(
-      "http://localhost:8080/v1/tenants/by-slug/acme",
+      "http://localhost:8090/v1/tenants/by-slug/acme",
       expect.any(Object),
     );
   });
diff --git a/src/lib/tenant-registry.ts b/src/lib/tenant-registry.ts
index cce17b5..60ed23c 100644
--- a/src/lib/tenant-registry.ts
+++ b/src/lib/tenant-registry.ts
@@ -13,7 +13,7 @@ export type Tenant = {
 };
 
 function baseUrl(): string {
-  return process.env.TENANT_REGISTRY_URL ?? "http://localhost:8080";
+  return process.env.TENANT_REGISTRY_URL ?? "http://localhost:8090";
 }
 
 export async function fetchTenantBySlug(slug: string): Promise<Tenant | null> {