diff --git a/server/config/default_config.yaml b/server/config/default_config.yaml
index daa46fc..e7e6a46 100644
--- a/server/config/default_config.yaml
+++ b/server/config/default_config.yaml
@@ -15,11 +15,11 @@ auth:
   #   - LAN requests are REJECTED with 401 (security default)
   # To enable LAN access, uncomment the example below and replace the value
   # with a secret you generated yourself (e.g. `openssl rand -hex 32`).
-  # The previous default `dev: "development-key-change-in-production"` has
-  # been removed — it shipped as a publicly-known token and any deployment
-  # that still uses it grants full LAN access to anyone on the network.
-  api_keys:
-    dev: "development-key-change-in-production"
+  # Do NOT ship a hard-coded key here — a publicly-known token grants full
+  # LAN access to anyone on the network.
+  api_keys: {}
+  # api_keys:
+  #   my-client: "replace-with-output-of-openssl-rand-hex-32"
 
 # Storage paths default to ./data relative to the server's working directory.
 # Set LEDGRAB_DATA_DIR in the environment to point at a different data root