diff --git a/docs/hosting/oidc.md b/docs/hosting/oidc.md
index 9100bb5f9..91318c907 100644
--- a/docs/hosting/oidc.md
+++ b/docs/hosting/oidc.md
@@ -346,6 +346,7 @@ When enabled:
 When disabled (default):
 - Providers are loaded from `config/auth.yml`
 - Changes require a server restart
+- In production, YAML is the default unless `AUTH_PROVIDERS_SOURCE=db` is explicitly set
 ### 6.2 Admin UI for SSO providers
diff --git a/lib/feature_flags.rb b/lib/feature_flags.rb
index e20472e81..bd9c648eb 100644
--- a/lib/feature_flags.rb
+++ b/lib/feature_flags.rb
@@ -3,9 +3,14 @@ module FeatureFlags
 class << self
 def db_sso_providers?
- auth_source = ENV.fetch("AUTH_PROVIDERS_SOURCE") do
- Rails.configuration.app_mode.self_hosted? ? "db" : "yaml"
- end
+ auth_source = ENV["AUTH_PROVIDERS_SOURCE"]
+ return auth_source.to_s.downcase == "db" if auth_source.present?
+
+ # In production, prefer YAML by default so boot-time tasks (e.g. db:prepare)
+ # do not attempt to query SSO provider tables before migrations run.
+ return false if Rails.env.production?
+
+ auth_source = Rails.configuration.app_mode.self_hosted? ? "db" : "yaml"
 auth_source.to_s.downcase == "db"
 end
diff --git a/test/lib/feature_flags_test.rb b/test/lib/feature_flags_test.rb
new file mode 100644
index 000000000..85d0a5f90
--- /dev/null
+++ b/test/lib/feature_flags_test.rb
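Review bot: In `db_sso_providers?` (lib/feature_flags.rb), the new `return false if Rails.env.production?` guard silently changes the identity-provider source for self-hosted production installs that never set `AUTH_PROVIDERS_SOURCE`: before this change they resolved to `db`, and after it they resolve to `config/auth.yml`. Providers managed through the admin UI would stop being loaded and whatever the YAML file lists becomes the active SSO configuration, so this needs an upgrade note and ideally a one-time boot warning; at minimum I would extend the comment with `# Upgrade note: self-hosted production installs that relied on the implicit "db" default must now set AUTH_PROVIDERS_SOURCE=db.` The guard also leaves the boot-time problem in place when `db` is set explicitly, because that path returns before the production check; presumably the provider loader needs its own check that the tables exist, but that code is outside this hunk. Separately, any value other than `db` (a typo, or a value with surrounding whitespace) silently selects YAML, since the comparison does no `strip` and no validation of the setting.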
@@ -0,0 +1,26 @@
+require "test_helper"
+
+class FeatureFlagsTest < ActiveSupport::TestCase
+ test "db_sso_providers? is true when AUTH_PROVIDERS_SOURCE is db in production" do
+ with_env_overrides("AUTH_PROVIDERS_SOURCE" => "db") do
+ Rails.stubs(:env).returns(ActiveSupport::StringInquirer.new("production"))
+ assert FeatureFlags.db_sso_providers?
+ end
+ end
+
+ test "db_sso_providers? defaults to yaml in production when AUTH_PROVIDERS_SOURCE is unset" do
+ with_env_overrides("AUTH_PROVIDERS_SOURCE" => nil) do
+ Rails.stubs(:env).returns(ActiveSupport::StringInquirer.new("production"))
+ assert_not FeatureFlags.db_sso_providers?
+ end
+ end
+
+ test "db_sso_providers? defaults to db for self hosted mode outside production" do
+ with_env_overrides("AUTH_PROVIDERS_SOURCE" => nil) do
+ Rails.stubs(:env).returns(ActiveSupport::StringInquirer.new("development"))
+ with_self_hosting do
+ assert FeatureFlags.db_sso_providers?
+ end
+ end
+ end
+end
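Review bot: The second test ("defaults to yaml in production when AUTH_PROVIDERS_SOURCE is unset") does not enable self-hosting, so it may not exercise the new production guard at all: if the test environment's app mode is not self-hosted, `db_sso_providers?` would already return false through the old fallback and the assertion would pass with or without the change. Wrapping the assertion the same way the third test does, `with_self_hosting { assert_not FeatureFlags.db_sso_providers? }`, pins the case the commit is actually about, namely production taking precedence over the self-hosted default. It would also be worth adding cases for an explicit non-`db` value in self-hosted mode and for an empty-string `AUTH_PROVIDERS_SOURCE`, since `present?` routes the empty string to the default branch.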