diff --git a/.env.example b/.env.example
index a4b92f9..fb0c72f 100644
--- a/.env.example
+++ b/.env.example
@@ -5,5 +5,38 @@ NEXT_PUBLIC_API_BASE=https://api.lomavuokraus.fi
 # Runtime env flag used in UI
 APP_ENV=local
-# Secrets (override in Kubernetes Secret)
-APP_SECRET=change-me
+# Core app secrets (override in Kubernetes Secret)
+APP_URL=http://localhost:3000
+AUTH_SECRET=change-me
+DATABASE_URL=postgresql://user:password@host:5432/lomavuokraus?sslmode=disable
+
+# Mail (fill in SMTP_USER/SMTP_PASS)
+SMTP_HOST=smtp.lomavuokraus.fi
+SMTP_PORT=587
+SMTP_USER=
+SMTP_PASS=
+SMTP_FROM=noreply@lomavuokraus.fi
+SMTP_TLS=true
+SMTP_SSL=false
+SMTP_REJECT_UNAUTHORIZED=true
+DKIM_SELECTOR=mail2025
+DKIM_DOMAIN=lomavuokraus.fi
+DKIM_PRIVATE_KEY_PATH=creds/dkim/lomavuokraus.fi/mail2025.private
+
+# Feature flags / behaviour
+AUTO_APPROVE_LISTINGS=false
+
+# External APIs / infra
+OPENAI_API_KEY=
+OPENAI_TRANSLATIONS_KEY=
+HETZNER_API_TOKEN=
+HCLOUD_TOKEN=
+HETZNER_TOKEN=
+JOKER_DYNDNS_USERNAME=
+JOKER_DYNDNS_PASSWORD=
+REGISTRY_USERNAME=
+REGISTRY_PASSWORD=
+
+# Admin bootstrap (used by seed/reset scripts)
+ADMIN_EMAIL=
+ADMIN_INITIAL_PASSWORD=
diff --git a/PROGRESS.md b/PROGRESS.md
index d28edb9..467675c 100644
--- a/PROGRESS.md
+++ b/PROGRESS.md
@@ -22,7 +22,7 @@
 - Pushes (docker, ctr, skopeo from k3s node) fail: connection closed while uploading blobs (`http://registry.halla-aho.net:443/... use of closed network connection`). Suspect registry reverse-proxy dropping uploads/HTTPS handling.
 - Need to inspect registry host logs/config and retry push once fixed.
 - Secrets:
- - `APP_SECRET` removed from `deploy/env.sh`; export it in shell before deploy.
+- `AUTH_SECRET` removed from `deploy/env.sh`; export it in shell (or via `scripts/load-secrets.sh`) before deploy.
 - `creds/` and `k3s.yaml` are git-ignored; contains joker DYNDNS creds and registry auth.
 # Lomavuokraus app progress (Nov 24)
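Review bot: The template value for `DATABASE_URL` ends in `?sslmode=disable`, so any environment that copies this example and only edits host and credentials talks to Postgres in cleartext; a safer template is `DATABASE_URL=postgresql://user:password@host:5432/lomavuokraus?sslmode=require` with a preceding comment such as `# use sslmode=disable only for a local, non-routable database`. `HETZNER_API_TOKEN`, `HCLOUD_TOKEN` and `HETZNER_TOKEN` look like three names for one credential; if that is so, a comment stating which scripts read which name (or collapsing them to one) would prevent a stale copy surviving rotation. Because this file mixes application runtime settings with host-side infrastructure credentials (Hetzner, Joker DynDNS, registry), it is worth a header comment saying which keys belong in the `lomavuokraus-web-secrets` Kubernetes Secret and which must stay on the deploy host, so infrastructure tokens are not mounted into the app container by a blanket import of the file.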
diff --git a/deploy/deploy-prod.sh b/deploy/deploy-prod.sh
index fc812c0..2d5c314 100755
--- a/deploy/deploy-prod.sh
+++ b/deploy/deploy-prod.sh
@@ -12,5 +12,5 @@ export APP_ENV="production"
 export CLUSTER_ISSUER="$PROD_CLUSTER_ISSUER"
 export INGRESS_CLASS
-# optionally set APP_SECRET in the environment before running
+# optionally set AUTH_SECRET (and other secrets) in the environment before running
 bash deploy/deploy.sh
diff --git a/deploy/deploy-staging.sh b/deploy/deploy-staging.sh
index 0b457b5..0cbd29b 100755
--- a/deploy/deploy-staging.sh
+++ b/deploy/deploy-staging.sh
@@ -12,5 +12,5 @@ export APP_ENV="staging"
 export CLUSTER_ISSUER="$STAGING_CLUSTER_ISSUER"
 export INGRESS_CLASS
-# optionally set APP_SECRET in the environment before running
+# optionally set AUTH_SECRET (and other secrets) in the environment before running
 bash deploy/deploy.sh
diff --git a/deploy/deploy-test.sh b/deploy/deploy-test.sh
index 8b365c8..4b82125 100755
--- a/deploy/deploy-test.sh
+++ b/deploy/deploy-test.sh
@@ -14,5 +14,5 @@ export CLUSTER_ISSUER="${TEST_CLUSTER_ISSUER}"
 export INGRESS_CLASS
 export APP_REPLICAS="${APP_REPLICAS:-1}"
-# optionally set APP_SECRET and DATABASE_URL (pointing to lomavuokraus_testing) in the environment before running
+# optionally set AUTH_SECRET and DATABASE_URL (pointing to lomavuokraus_testing) in the environment before running
 bash deploy/deploy.sh
diff --git a/deploy/deploy.sh b/deploy/deploy.sh
index 082fef3..645ed1c 100755
--- a/deploy/deploy.sh
+++ b/deploy/deploy.sh
@@ -2,6 +2,10 @@
 set -euo pipefail
 cd "$(dirname "$0")/.."
+if [[ -f scripts/load-secrets.sh ]]; then
+ # Export secrets from creds/secrets.env (dotenv) when available.
+ source scripts/load-secrets.sh
+fi
 source deploy/env.sh
 if [[ ! -f deploy/.last-image ]]; then
diff --git a/docs/build.html b/docs/build.html
index a81c0b6..76de1f4 100644
--- a/docs/build.html
+++ b/docs/build.html
@@ -36,6 +36,7 @@ flowchart LR
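Review bot: After the new `source scripts/load-secrets.sh` block nothing checks that the secrets actually arrived before `source deploy/env.sh` and the rest of the deployment run; when `creds/secrets.env` or the loader is missing on the deploy host the `if` is skipped silently and an unset `AUTH_SECRET` only surfaces later, if at all, inside the cluster. A one-line assertion placed after the `fi` makes the failure local and explicit: `: "${AUTH_SECRET:?AUTH_SECRET is unset; export it or provide creds/secrets.env}"`. The guard tests only `-f` and then executes the file as shell code in the deploy shell, so the comment should say that the loader and the dotenv it reads are trusted executable content, not data; if the loader sources the dotenv directly (it is not in this diff, so this is an inference), a value containing `$(…)` or backticks would be expanded on the deploy host. The `if [[ ! -f deploy/.last-image ]]` at the end of the hunk opens a block whose body lies outside it.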
.env (local), K8s Secret lomavuokraus-web-secrets in cluster.creds/secrets.env (dotenv) loadable via scripts/load-secrets.sh.prisma/schema.prisma, migrations in prisma/migrations/.NEXT_PUBLIC_SITE_URL, NEXT_PUBLIC_API_BASE, APP_ENV.creds/secrets.env).process.env.* in Next server code.