diff --git a/.trivyignore b/.trivyignore
new file mode 100644
index 0000000..befff9e
--- /dev/null
+++ b/.trivyignore
@@ -0,0 +1,3 @@
+# Suppress false positives in documentation and comments.
+# These are placeholder/example values, not real secrets.
+FUTURE_DEV.md
diff --git a/FUTURE_DEV.md b/FUTURE_DEV.md
index cfd4310..1b6a30e 100644
--- a/FUTURE_DEV.md
+++ b/FUTURE_DEV.md
@@ -33,9 +33,9 @@ access policies, and dynamic secrets.
 #### 2. Secret naming convention
 Store each location's API key as a secret named:
 ```
-CAST_API_KEY_<locationId>
+CAST_API_KEY_<LOCATION_ID>
 ```
-Example: `CAST_API_KEY_q5LZDBHiJ9BsY9Vge5De`
+Example: `CAST_API_KEY_myLocationId123`
 
 #### 3. Code changes in the bridge
 - Add `INFISICAL_CLIENT_ID` and `INFISICAL_CLIENT_SECRET` env vars to config
diff --git a/internal/ghl/admin.go b/internal/ghl/admin.go
index de9ecdc..ce385bb 100644
--- a/internal/ghl/admin.go
+++ b/internal/ghl/admin.go
@@ -125,7 +125,7 @@ func (h *AdminHandler) HandleGetLocationConfig(w http.ResponseWriter, r *http.Re
 // HandleSetLocationConfig sets the sender ID and Cast API key for a location.
 //
 //	PUT /api/admin/locations/{locationId}/config
-//	{"sender_id": "CAST", "cast_api_key": "cast_abc123..."}
+//	{"sender_id": "CAST", "cast_api_key": "cast_<64-hex-chars>"}
 func (h *AdminHandler) HandleSetLocationConfig(w http.ResponseWriter, r *http.Request) {
 	if !h.auth(r) {
 		http.Error(w, "unauthorized", http.StatusUnauthorized)