diff --git a/docs/REFERENCE.md b/docs/REFERENCE.md index a12ab22..a90b77e 100644 --- a/docs/REFERENCE.md +++ b/docs/REFERENCE.md @@ -817,12 +817,19 @@ postgresql: **Authentication**: Keycloak OIDC via `forte` realm (client ID: `gitea`). Protocol mapper: `email_verified` hardcoded claim (`true`, boolean) on ID token, Access token, and Userinfo. +**External User Sync**: Disabled (`cron.sync_external_users.ENABLED: false`). This Gitea cron job is designed for LDAP and deactivates OIDC-only users because it cannot enumerate them — causing "Sign-in prohibited" errors after the sync runs. + +**Email Notifications**: Enabled (`ENABLE_NOTIFY_MAIL: true`). SMTP credentials injected via `gitea-smtp-secret` using `additionalConfigFromEnvs` with `GITEA__mailer__USER` / `GITEA__mailer__PASSWD` environment variables. + **Endpoints**: - Web UI: `https://git.forteapps.net` - SSH: port 22 (ClusterIP) - Metrics: `/metrics` (Prometheus scrape) -**Secrets**: `gitea-credentials` (SealedSecret) containing `admin-password`, `postgres-password`, `secret` (OIDC client secret) +**Secrets**: +- `gitea-credentials` (SealedSecret) — admin password +- `gitea-oidc-credentials` (registrar-managed) — OIDC client ID + secret +- `gitea-smtp-secret` (SealedSecret) — SMTP username + password ### Gitea Actions Runners diff --git a/infra/values/base/gitea-values.yaml b/infra/values/base/gitea-values.yaml index e34f256..2fd52fa 100644 --- a/infra/values/base/gitea-values.yaml +++ b/infra/values/base/gitea-values.yaml @@ -73,6 +73,10 @@ gitea: SMTP_PORT: 587 FROM: "noreply@fortedigital.com" + # -- Disable external user sync (designed for LDAP; deactivates OIDC users) + "cron.sync_external_users": + ENABLED: false + admin: DEFAULT_EMAIL_NOTIFICATIONS: enabled
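Review bot: the rewritten **Secrets** list in the docs/REFERENCE.md hunk drops `postgres-password` without saying where it went. The removed line documented `gitea-credentials` as holding `admin-password`, `postgres-password` and `secret`; the new list says `gitea-credentials` is "admin password" only and moves the OIDC secret to `gitea-oidc-credentials`, but the Postgres password is no longer listed anywhere, even though the hunk sits directly under the `postgresql:` section. Either add it back to the `gitea-credentials` bullet (`- \`gitea-credentials\` (SealedSecret) — admin password, Postgres password`) or name the secret that now carries it. Two smaller documentation points: `ENABLE_NOTIFY_MAIL` belongs to Gitea's `[service]` section, so state that alongside the key to match how the `[cron.sync_external_users]` setting is written; and since the **External User Sync** paragraph states Gitea cannot enumerate OIDC-only users, it is worth adding one sentence on how accounts removed from the `forte` realm are deactivated in Gitea, because neither the cron job (now disabled) nor Keycloak will do it for you.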
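Review bot: in the infra/values/base/gitea-values.yaml hunk, the `@@` context only shows `gitea:` as the enclosing key, and the new `"cron.sync_external_users":` block is indented to the same level as `admin:` and the mailer keys (`SMTP_PORT`, `FROM`); please confirm in the surrounding file that this level is `gitea.config`, since the chart renders ini sections from `gitea.config.<section>` and a key placed under `gitea` directly would be silently ignored rather than produce `[cron.sync_external_users] ENABLED = false`. The quoted, dotted key is the right form for a section name containing a dot. The inline comment would also be more useful to the next maintainer if it named the observable symptom the docs hunk describes ("Sign-in prohibited" after the sync runs), for example `# -- Disable external user sync: it is LDAP-only and deactivates OIDC users ("Sign-in prohibited")`, so nobody re-enables it while chasing a stale-user problem.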