diff --git a/infrastructure/production/fleet/apps/secrets.example.yaml b/infrastructure/production/fleet/apps/secrets.example.yaml
index 7e204ee..5b94f3a 100644
--- a/infrastructure/production/fleet/apps/secrets.example.yaml
+++ b/infrastructure/production/fleet/apps/secrets.example.yaml
@@ -52,6 +52,25 @@ stringData:
 NUXT_PUBLIC_AUTH_URL: "https://auth.dezky.eu"
 # nuxt-oidc-auth session encryption secret (openssl rand -hex 32).
 NUXT_OIDC_SESSION_SECRET: "REPLACE_WITH_openssl_rand_hex_32"
+ # ── Runtime overrides for the BAKED OIDC provider config ────────────────
+ # The prod image is built in CI with no env, so nuxt.config bakes EMPTY
+ # client creds and .local URLs into runtimeConfig. Nitro only overrides
+ # runtimeConfig keys whose env name matches the config path —
+ # oidc.providers.oidc.* → NUXT_OIDC_PROVIDERS_OIDC_*. The plain
+ # NUXT_OIDC_* names above only work in dev (nuxt.config evaluated at
+ # runtime); production needs BOTH sets.
+ NUXT_OIDC_PROVIDERS_OIDC_CLIENT_ID: "REPLACE_same_as_NUXT_OIDC_CLIENT_ID"
+ NUXT_OIDC_PROVIDERS_OIDC_CLIENT_SECRET: "REPLACE_same_as_NUXT_OIDC_CLIENT_SECRET"
+ NUXT_OIDC_PROVIDERS_OIDC_REDIRECT_URI: "https://app.dezky.eu/auth/oidc/callback"
+ NUXT_OIDC_PROVIDERS_OIDC_AUTHORIZATION_URL: "https://auth.dezky.eu/application/o/authorize/"
+ NUXT_OIDC_PROVIDERS_OIDC_TOKEN_URL: "https://auth.dezky.eu/application/o/token/"
+ NUXT_OIDC_PROVIDERS_OIDC_USER_INFO_URL: "https://auth.dezky.eu/application/o/userinfo/"
+ NUXT_OIDC_PROVIDERS_OIDC_LOGOUT_URL: "https://auth.dezky.eu/application/o/dezky-portal/end-session/"
+ NUXT_OIDC_PROVIDERS_OIDC_OPEN_ID_CONFIGURATION: "https://auth.dezky.eu/application/o/dezky-portal/.well-known/openid-configuration"
+ # Refresh-token encryption + auth-session secret — without them sessions
+ # die on every pod restart (random keys are generated per boot).
+ NUXT_OIDC_TOKEN_KEY: "data:;base64,REPLACE_WITH_openssl_rand_base64_32"
+ NUXT_OIDC_AUTH_SESSION_SECRET: "REPLACE_WITH_openssl_rand_hex_24"
 ---
 apiVersion: v1
 kind: Secret
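Review bot: The client secret now has to be kept identical in two keys (`NUXT_OIDC_CLIENT_SECRET`, outside this hunk, and the added `NUXT_OIDC_PROVIDERS_OIDC_CLIENT_SECRET`), and by the hunk's own comment only the `PROVIDERS` copy is read in production, so a rotation that updates just the plain key keeps working in dev while production silently runs on the stale credential. I would say that explicitly next to the placeholder, e.g. `# Rotation: update this AND NUXT_OIDC_CLIENT_SECRET together — prod reads only this one.`, and ideally have the render/apply step fail when the two differ. The same duplication exists in the operator document in the second hunk. Separately, the `NUXT_OIDC_TOKEN_KEY` placeholder is not valid base64 behind the `data:;base64,` prefix, so an example applied unedited would not obviously fail; a pre-apply check that no `REPLACE_` value remains in the rendered Secret would catch that for every placeholder in the file. The Secret's metadata (name/namespace) starts outside the hunk, so I cannot confirm which workload consumes these keys.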
@@ -80,3 +99,16 @@ stringData:
 NUXT_PUBLIC_AUTH_URL: "https://auth.dezky.eu"
 # nuxt-oidc-auth session encryption secret (openssl rand -hex 32).
 NUXT_OIDC_SESSION_SECRET: "REPLACE_WITH_openssl_rand_hex_32"
+ # Runtime overrides for the baked OIDC provider config — see the portal
+ # section above for why production needs the NUXT_OIDC_PROVIDERS_OIDC_*
+ # names in addition to the plain ones.
+ NUXT_OIDC_PROVIDERS_OIDC_CLIENT_ID: "dezky-operator"
+ NUXT_OIDC_PROVIDERS_OIDC_CLIENT_SECRET: "REPLACE_same_as_NUXT_OIDC_CLIENT_SECRET"
+ NUXT_OIDC_PROVIDERS_OIDC_REDIRECT_URI: "https://operator.dezky.eu/auth/oidc/callback"
+ NUXT_OIDC_PROVIDERS_OIDC_AUTHORIZATION_URL: "https://auth.dezky.eu/application/o/authorize/"
+ NUXT_OIDC_PROVIDERS_OIDC_TOKEN_URL: "https://auth.dezky.eu/application/o/token/"
+ NUXT_OIDC_PROVIDERS_OIDC_USER_INFO_URL: "https://auth.dezky.eu/application/o/userinfo/"
+ NUXT_OIDC_PROVIDERS_OIDC_LOGOUT_URL: "https://auth.dezky.eu/application/o/dezky-operator/end-session/"
+ NUXT_OIDC_PROVIDERS_OIDC_OPEN_ID_CONFIGURATION: "https://auth.dezky.eu/application/o/dezky-operator/.well-known/openid-configuration"
+ NUXT_OIDC_TOKEN_KEY: "data:;base64,REPLACE_WITH_openssl_rand_base64_32"
+ NUXT_OIDC_AUTH_SESSION_SECRET: "REPLACE_WITH_openssl_rand_hex_24"
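Review bot: `NUXT_OIDC_PROVIDERS_OIDC_CLIENT_ID` is hard-coded to `"dezky-operator"` here while the portal document uses the `REPLACE_same_as_NUXT_OIDC_CLIENT_ID` placeholder, so the two documents follow different conventions for the same pair of keys. The plain `NUXT_OIDC_CLIENT_ID` for this document is outside the hunk, and if it is a placeholder there, someone editing only that value will leave the production-side `PROVIDERS` copy pointing at a different client without any visible mismatch. I would either use the same placeholder here or note the coupling inline: `NUXT_OIDC_PROVIDERS_OIDC_CLIENT_ID: "dezky-operator"  # must match NUXT_OIDC_CLIENT_ID above`. The non-secret URL keys in this block could also live in a ConfigMap rather than the Secret, which keeps secret diffs small, though that is a design choice beyond this change.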