diff --git a/DOCKER-OAUTH-FIX.md b/DOCKER-OAUTH-FIX.md
new file mode 100644
index 0000000..3c5f3e3
--- /dev/null
+++ b/DOCKER-OAUTH-FIX.md
@@ -0,0 +1,64 @@
+# 🔐 Docker OAuth Authentication Fix
+
+## Problem: "Insecure redirect URI" Error
+
+When accessing SoulSync from a **different device** than the Docker host, you may encounter:
+- `INVALID_CLIENT: Insecure redirect URI`
+- `Spotify authentication failed: error: invalid_client`
+
+**Why this happens:** Spotify requires HTTPS for OAuth callbacks when not using localhost.
+
+## ✅ Simple Solution: SSH Port Forwarding
+
+### Step 1: Set up SSH tunnel from your device to Docker host
+
+**On the device you're browsing from** (laptop/phone/etc):
+
+```bash
+# Replace 'user' and 'docker-host-ip' with your actual values
+ssh -L 8888:localhost:8888 -L 8889:localhost:8889 user@docker-host-ip
+
+# Example:
+ssh -L 8888:localhost:8888 -L 8889:localhost:8889 john@192.168.1.100
+```
+
+**Keep this SSH connection open** while using SoulSync.
+
+### Step 2: Configure OAuth redirect URIs
+
+**In your Spotify Developer App:**
+- Set redirect URI to: `http://127.0.0.1:8888/callback`
+
+**In your Tidal Developer App:**
+- Set redirect URI to: `http://127.0.0.1:8889/tidal/callback`
+
+**In SoulSync Settings:**
+- Set Spotify redirect URI to: `http://127.0.0.1:8888/callback`
+- Set Tidal redirect URI to: `http://127.0.0.1:8889/tidal/callback`
+
+### Step 3: Use SoulSync normally
+
+- Access SoulSync: `http://docker-host-ip:8008` (normal HTTP)
+- OAuth callbacks will tunnel through SSH to localhost
+- Authentication will work without HTTPS requirements
+
+## 🖥️ Alternative: Direct Access from Docker Host
+
+If you can access SoulSync directly from the Docker host machine:
+- Use: `http://127.0.0.1:8008`
+- Set OAuth redirect URIs to localhost (as above)
+- No SSH tunnel needed
+
+## 🔧 For Advanced Users: Reverse Proxy
+
+Set up nginx/traefik with proper SSL certificates for true HTTPS support. See community guides for Docker reverse proxy setups.
+
+## 📝 Summary
+
+The core issue is that **Spotify requires HTTPS for non-localhost** OAuth redirects. The SSH tunnel makes remote devices appear as localhost to bypass this requirement.
+
+**Key points:**
+- ✅ Always use `127.0.0.1` in OAuth redirect URIs  
+- ✅ Use SSH tunnel when accessing from different device
+- ✅ Keep tunnel open during authentication
+- ✅ Works with existing Docker setup - no changes needed
\ No newline at end of file
diff --git a/README.md b/README.md
index d5dc588..e253513 100644
--- a/README.md
+++ b/README.md
@@ -164,6 +164,7 @@ docker run -d -p 8008:8008 boulderbadgedad/soulsync:latest
 - **Docker uses separate database** from GUI/WebUI versions
 - **Transfer path** should point to your media server music library
 - **FLAC preferred** but supports all common formats
+- **OAuth from different devices:** See [DOCKER-OAUTH-FIX.md](DOCKER-OAUTH-FIX.md) if you get "Insecure redirect URI" errors
 
 ## 🏗️ Architecture