diff --git a/.env.example b/.env.example
index 222f541..65da9ae 100644
--- a/.env.example
+++ b/.env.example
@@ -49,3 +49,23 @@ SMTP_FROM=noreply@docuvault.local
 # Comma-separated list of allowed origins. Default: http://localhost:5173
 # Example for production: https://app.docuvault.example.com
 CORS_ORIGINS=http://localhost:5173
+
+# ── Cloud Storage Backends (Phase 5) ─────────────────────────────────────────
+# Master key for HKDF per-user cloud credential encryption.
+# Must be at least 32 bytes. Generate with:
+# python3 -c "import secrets; print(secrets.token_urlsafe(32))"
+CLOUD_CREDS_KEY=CHANGEME-32-bytes-padded!!
+
+# Google Drive OAuth 2.0 — create credentials at https://console.cloud.google.com/
+GOOGLE_CLIENT_ID=
+GOOGLE_CLIENT_SECRET=
+
+# Microsoft OneDrive OAuth 2.0 — create app at https://portal.azure.com/
+ONEDRIVE_CLIENT_ID=
+ONEDRIVE_CLIENT_SECRET=
+# "common" for personal + org accounts; or your tenant UUID for org-only
+ONEDRIVE_TENANT_ID=common
+
+# Backend and frontend URLs — used to construct OAuth callback/redirect URLs
+BACKEND_URL=http://localhost:8000
+FRONTEND_URL=http://localhost:5173
diff --git a/backend/config.py b/backend/config.py
index 3daa579..5fbea8c 100644
--- a/backend/config.py
+++ b/backend/config.py
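Review bot: The placeholder `CLOUD_CREDS_KEY=CHANGEME-32-bytes-padded!!` is 26 bytes long, so it contradicts the "Must be at least 32 bytes" requirement written two lines above it, and the identical value is hard-coded as the `cloud_creds_key` default in the backend/config.py hunk. A `.env` copied from this example and left unedited therefore runs with a publicly known master key for the per-user credential encryption, and nothing visible in this diff rejects it. Consider leaving the value empty here, `CLOUD_CREDS_KEY=`, with the comment `# REQUIRED in every environment; the app should refuse to start if unset or shorter than 32 bytes`, and enforcing that length when Settings loads. The `GOOGLE_CLIENT_SECRET` and `ONEDRIVE_CLIENT_SECRET` entries are already left blank, which is the pattern this key should follow.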
@@ -56,5 +56,19 @@ class Settings(BaseSettings): default_ai_provider: str = "ollama" # DEFAULT_AI_PROVIDER env var default_ai_model: str = "llama3.2" # DEFAULT_AI_MODEL env var + # Cloud Storage (Phase 5) + # master key for HKDF per-user credential encryption — must be overridden in production + cloud_creds_key: str = "CHANGEME-32-bytes-padded!!" + google_client_id: str = "" + google_client_secret: str = "" + onedrive_client_id: str = "" + onedrive_client_secret: str = "" + # "common" works for both personal and org accounts + onedrive_tenant_id: str = "common" + # used to construct OAuth callback URLs (e.g. {backend_url}/api/cloud/google/callback) + backend_url: str = "http://localhost:8000" + # used to construct OAuth success/error redirect to Vue app (per Phase 5 B4 fix) + # Note: frontend_url already declared above for Phase 2 (password reset links) — shared field + settings = Settings()
diff --git a/backend/requirements.txt b/backend/requirements.txt
index 1f4ba02..5f877f6 100644
--- a/backend/requirements.txt
+++ b/backend/requirements.txt
@@ -24,3 +24,11 @@ PyJWT>=2.8.0
 pwdlib[argon2]>=0.2.1
 pyotp>=2.9.0
 slowapi>=0.1.9
+
+# Cloud Storage Backends (Phase 5)
+cryptography>=41.0.0
+google-auth-oauthlib>=1.3.1
+google-api-python-client>=2.196.0
+msal>=1.36.0
+webdavclient3>=3.14.7
+cachetools>=5.3.0
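Review bot: The three new secret-bearing fields (`cloud_creds_key`, `google_client_secret`, `onedrive_client_secret`) are typed as plain `str`, so they are printed verbatim by `repr(settings)`, `settings.model_dump()` and any debug log of the Settings object, unlike the OAuth client ids which are harmless to print. Pydantic's `SecretStr` masks the value in those paths and exposes it only through `.get_secret_value()` at the call site, e.g. `google_client_secret: SecretStr = SecretStr("")`, applied the same way to the other two; this needs `from pydantic import SecretStr`, which I cannot see in this hunk. Separately, the last two added comment lines ("used to construct OAuth success/error redirect…" and "Note: frontend_url already declared above…") describe a field that is not declared at that position, so they dangle just before `settings = Settings()`; they belong next to the existing `frontend_url` declaration, which is outside this hunk, as is the start of the Settings class.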
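Review bot: The six new entries are floating lower bounds (`cryptography>=41.0.0`, `msal>=1.36.0`, …) with no upper bound, pin or hash, so each install may resolve to a different version of the libraries that now handle credential encryption and OAuth token exchange. That matches the file's existing `>=` style, but these packages sit directly on the trust boundary, so a pinned constraints or lock file with hash verification (`pip install --require-hashes -r …`) would make deployments reproducible and reviewable; the comment `# pinned versions are enforced via the lock/constraints file` would then document the intent here. This is worth doing before the cloud-storage phase ships rather than after.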