diff --git a/README.md b/README.md
index ae03a2e1..4e20a379 100644
--- a/README.md
+++ b/README.md
@@ -137,7 +137,20 @@ npm run db:generate
 npm run db:seed
 ```
 
-### Step 11 — Run the app
+### Step 11 — Configure nginx
+
+The repo includes `nginx.conf` in the project root. Install it as the active site config:
+
+```sh
+sudo cp nginx.conf /etc/nginx/sites-available/dental-app
+sudo ln -sf /etc/nginx/sites-available/dental-app /etc/nginx/sites-enabled/dental-app
+sudo nginx -t && sudo systemctl reload nginx
+```
+
+> **Important:** The `/api/` location block must include `proxy_set_header Authorization $http_authorization;`
+> Without it, nginx strips the Authorization header and the backend returns "Access denied. No token provided."
+
+### Step 12 — Run the app
 
 Open two terminals:
 
diff --git a/nginx.conf b/nginx.conf
index 5e7ee3ce..0a2a85ef 100644
--- a/nginx.conf
+++ b/nginx.conf
@@ -2,13 +2,14 @@ server {
     listen 80;
     server_name _;
 
-    # API requests → backend
+    # API requests → backend (Authorization header must be explicit or it gets stripped)
     location /api/ {
         proxy_pass http://localhost:5000;
         proxy_http_version 1.1;
         proxy_set_header Host $host;
         proxy_set_header X-Real-IP $remote_addr;
         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header Authorization $http_authorization;
     }
 
     # Socket.IO → backend (WebSocket upgrade)