diff --git a/pkg/auth/token.go b/pkg/auth/token.go
index c35d8b36f..ab84ca0be 100644
--- a/pkg/auth/token.go
+++ b/pkg/auth/token.go
@@ -9,6 +9,7 @@ import (
 	"io"
 	"net/http"
 	"net/url"
+	"os"
 	"strconv"
 	"strings"
 	"sync"
@@ -541,6 +542,14 @@ func NewTokenValidator(ctx context.Context, config TokenValidatorConfig) (*Token
 		registry.AddProvider(NewGoogleProvider(config.IntrospectionURL))
 	}
 
+	// Load client secret from environment variable if not provided in config
+	// This allows secrets to be injected via Kubernetes Secret references
+	if config.ClientSecret == "" {
+		if envSecret := os.Getenv("TOOLHIVE_OIDC_CLIENT_SECRET"); envSecret != "" {
+			config.ClientSecret = envSecret
+		}
+	}
+
 	// Add RFC7662 provider with auth if configured
 	if config.ClientID != "" || config.ClientSecret != "" {
 		rfc7662Provider, err := NewRFC7662ProviderWithAuth(
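Review bot: The environment fallback is invisible from the TokenValidatorConfig type, so a caller that deliberately leaves ClientSecret empty will silently have credentials attached whenever TOOLHIVE_OIDC_CLIENT_SECRET happens to be set in the process environment, and the existing condition on the next line (`config.ClientID != "" || config.ClientSecret != ""`) then routes it into NewRFC7662ProviderWithAuth even with no ClientID. Prefer resolving the variable where the config is assembled rather than inside the constructor, or at minimum document the precedence on the field, e.g. `// ClientSecret is the introspection client secret; when empty, NewTokenValidator falls back to the TOOLHIVE_OIDC_CLIENT_SECRET environment variable.` Reading it at construction time also means unit tests must use t.Setenv, and a process-wide variable is inherited by any child process the service might spawn, so a file-backed secret source is the safer option where the deployment permits it. NewTokenValidator begins and ends outside this hunk.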