diff --git a/.env-sample b/.env-sample
new file mode 100644
index 0000000..ee263aa
--- /dev/null
+++ b/.env-sample
@@ -0,0 +1,51 @@
+# Adobe Sign → DocuSign Migrator — Environment Variables
+# Copy this file to .env and fill in your values.
+# Never commit .env to version control.
+
+# ─── Adobe Sign ──────────────────────────────────────────────────────────────
+
+# OAuth app credentials from the Adobe Sign developer console
+ADOBE_CLIENT_ID=your-adobe-client-id
+ADOBE_CLIENT_SECRET=your-adobe-client-secret
+
+# Auto-written by src/adobe_auth.py after the one-time OAuth flow.
+# Leave blank; they will be populated on first run.
+ADOBE_ACCESS_TOKEN=
+ADOBE_REFRESH_TOKEN=
+ADOBE_SIGN_BASE_URL=https://api.eu2.adobesign.com/api/rest/v6
+
+# ─── DocuSign ────────────────────────────────────────────────────────────────
+
+# Integration key (client ID) from the DocuSign developer console
+DOCUSIGN_CLIENT_ID=your-integration-key
+
+# Client secret — only needed for the one-time Auth Code Grant consent flow
+DOCUSIGN_CLIENT_SECRET=your-client-secret
+
+# GUID of the DocuSign user to impersonate via JWT grant
+# Found in the DocuSign admin UI under Users → user details
+DOCUSIGN_USER_ID=your-docusign-user-guid
+
+# Account ID of the target DocuSign account
+# Found in the DocuSign admin UI under Settings → Account Profile
+DOCUSIGN_ACCOUNT_ID=your-docusign-account-id
+
+# Path to the RSA private key file used for JWT signing
+# Generate a keypair in the DocuSign developer console and save the private key here
+DOCUSIGN_PRIVATE_KEY_PATH=/path/to/private.key
+
+# OAuth auth server — use account-d.docusign.com for sandbox, account.docusign.com for production
+DOCUSIGN_AUTH_SERVER=account-d.docusign.com
+
+# eSignature REST API base URL
+# Sandbox:    https://demo.docusign.net/restapi
+# Production: https://na3.docusign.net/restapi  (replace na3 with your shard)
+DOCUSIGN_BASE_URL=https://demo.docusign.net/restapi
+
+# Redirect URI registered in your DocuSign app (used only during one-time consent flow)
+DOCUSIGN_REDIRECT_URI=http://localhost:8080/callback
+
+# Auto-written by src/docusign_auth.py to cache the JWT access token.
+# Leave blank; they will be populated automatically.
+DOCUSIGN_ACCESS_TOKEN=
+DOCUSIGN_TOKEN_EXPIRY=