diff --git a/app/credentials/secrets.rb b/app/credentials/secrets.rb
new file mode 100644
index 00000000..c7ea90cd
--- /dev/null
+++ b/app/credentials/secrets.rb
@@ -0,0 +1,13 @@
+require 'concerns/user_provided_service'
+
+class Secrets
+  extend UserProvidedService
+
+  def self.secret_key_base
+    if use_env_var?
+      ''
+    else
+      credentials('secrets')['secret_key_base']
+    end
+  end
+end
diff --git a/app/services/tock_importer.rb b/app/services/tock_importer.rb
index 9fb1fa19..cd9a8a76 100644
--- a/app/services/tock_importer.rb
+++ b/app/services/tock_importer.rb
@@ -1,5 +1,5 @@
 class TockImporter
-  TOCK_PROJECTS = "https://tock-app.18f.gov/api/projects.json".freeze
+  TOCK_PROJECTS = "https://tock.18f.gov/api/projects.json".freeze
 
   def perform
     projects.each do |project|
diff --git a/config/secrets.yml b/config/secrets.yml
index 34895b83..95bfc6e4 100644
--- a/config/secrets.yml
+++ b/config/secrets.yml
@@ -1,25 +1,8 @@
-# Be sure to restart your server when you modify this file.
-
-# Your secret key is used for verifying the integrity of signed cookies.
-# If you change this key, all old signed cookies will become invalid!
-
-# Make sure the secret is at least 30 characters and all random,
-# no regular words or you'll be exposed to dictionary attacks.
-# You can use `rake secret` to generate a secure secret key.
-
-# Make sure the secrets in this file are kept private
-# if you're sharing your code publicly.
-
 development:
   secret_key_base: 787f9378e8d9e0eac392f57c7a9927daf12c410e8a882b7bedbb4126748db4d6230893a104cb12d2bf09af76d1fb1939eeb072a97709999d062f38e965c4d1cd
 
 test:
   secret_key_base: 8607c91c228d6414a72e6b0da24abd6f43ba21395ec05ffbf174e78afc7792cf294ff00f44c35f10f078bd374b04c99c499a89e4997750d83df452e9c76b5f7a
 
-# Do not keep production secrets in the repository,
-# instead read values from the environment.
-staging:
-  secret_key_base: <%= ENV["SECRET_KEY_BASE"] %>
-
 production:
-  secret_key_base: <%= ENV["SECRET_KEY_BASE"] %>
+  secret_key_base: <%= Secrets.secret_key_base %>
diff --git a/manifest-staging.yml b/manifest-staging.yml
index 7892d108..3370396d 100644
--- a/manifest-staging.yml
+++ b/manifest-staging.yml
@@ -13,6 +13,7 @@ applications:
     - micropurchase-staging-psql
     - micropurchase-smtp
     - new-relic
+    - secrets
   command: script/start
   env:
     RAILS_ENV: production
diff --git a/manifest.yml b/manifest.yml
index 317d52ef..10944869 100644
--- a/manifest.yml
+++ b/manifest.yml
@@ -13,6 +13,7 @@ applications:
     - micropurchase-psql
     - micropurchase-smtp
     - new-relic
+    - secrets
   command: script/start
   env:
     RAILS_ENV: production
diff --git a/spec/rails_helper.rb b/spec/rails_helper.rb
index e0593864..5f65b736 100644
--- a/spec/rails_helper.rb
+++ b/spec/rails_helper.rb
@@ -21,7 +21,7 @@
   config.before do
     mock_github
     WebMock.stub_request(:any, /api.data.gov/).to_rack(FakeSamApi)
-    WebMock.stub_request(:any, /tock-app.18f.gov/).to_rack(FakeTockApi)
+    WebMock.stub_request(:any, /tock.18f.gov/).to_rack(FakeTockApi)
     WebMock.stub_request(:any, /cap.18f.gov/).to_rack(FakeC2Api)
     WebMock.stub_request(:any, /c2-dev.18f.gov/).to_rack(FakeC2Api)
     WebMock.stub_request(:any, /api.github.com/).to_rack(FakeGitHubApi)