diff --git a/apps/base/forte-drop-mcp/kustomization.yaml b/apps/base/forte-drop-mcp/kustomization.yaml
index 9d5338b..e91a747 100644
--- a/apps/base/forte-drop-mcp/kustomization.yaml
+++ b/apps/base/forte-drop-mcp/kustomization.yaml
@@ -3,4 +3,7 @@ kind: Kustomization
 resources:
 - forte-drop-mcp.yaml
 - keycloak-client-forte-drop-mcp.yaml
-# - auth-oidc-sealed.yaml                   # added in follow-up commit
+# Note: no auth-oidc Secret needed for type: mcp. The MCP sidecar only validates
+# tokens against the OIDC issuer (RFC 9728 resource server) and never authenticates
+# itself, so it doesn't read a client-secret. forte-drop-secrets (shared with the
+# web deployment) covers PG + S3 creds.