diff --git a/kubernetes/loculus/templates/_config-processor.tpl b/kubernetes/loculus/templates/_config-processor.tpl
index bd22639781..f6c0f2bd22 100644
--- a/kubernetes/loculus/templates/_config-processor.tpl
+++ b/kubernetes/loculus/templates/_config-processor.tpl
@@ -15,6 +15,11 @@
 secretKeyRef:
 name: smtp-password
 key: secretKey
+ - name: LOCULUSSUB_backendKeycloakClientSecret
+ valueFrom:
+ secretKeyRef:
+ name: backend-keycloak-client-secret
+ key: backendKeycloakClientSecret
 {{- end }}
diff --git a/kubernetes/loculus/templates/loculus-website-config.yaml b/kubernetes/loculus/templates/loculus-website-config.yaml
index bb518cadda..15ab09be28 100644
--- a/kubernetes/loculus/templates/loculus-website-config.yaml
+++ b/kubernetes/loculus/templates/loculus-website-config.yaml
@@ -32,7 +32,8 @@ data:
 },
 "public": {
 {{- template "loculus.publicRuntimeConfig" dict "Values" .Values "externalLapisUrlConfig" $externalLapisUrlConfig -}}
- }
+ },
+ "backendKeycloakClientSecret" : "[[backendKeycloakClientSecret]]"
 }
diff --git a/kubernetes/loculus/values.yaml b/kubernetes/loculus/values.yaml
index 32e5355e3c..2e63a150a6 100644
--- a/kubernetes/loculus/values.yaml
+++ b/kubernetes/loculus/values.yaml
@@ -935,10 +935,10 @@ secrets:
 type: sealed
 data:
 apikey: somesecurekey
- - name: keycloak-client-secret
+ - name: backend-keycloak-client-secret
 type: autogen
 data:
- clientSecret: "secret"
+ backendKeycloakClientSecret: ""
 additionalHeadHTML: ''
 bannerMessage: "This is a development environment. Data will not be persisted."
diff --git a/website/src/types/runtimeConfig.ts b/website/src/types/runtimeConfig.ts
index ce74afec98..929e5c84c1 100644
--- a/website/src/types/runtimeConfig.ts
+++ b/website/src/types/runtimeConfig.ts
@@ -19,5 +19,6 @@ export const serverConfig = serviceUrls.merge(
 export const runtimeConfig = z.object({
 public: serviceUrls,
 serverSide: serverConfig,
+ backendKeycloakClientSecret: z.string(),
 });
 export type RuntimeConfig = z.infer;
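Review bot: The secret is added as a top-level key of the website runtime config, next to `"public"`, rather than inside the server-only section, and the `runtimeConfig.ts` hunk mirrors that with a top-level `backendKeycloakClientSecret: z.string()`. Keeping it under the server-side object (apparently the block closed by `},` just above `"public"`; its opening is outside the hunk) would make it harder for code that forwards or serialises part of the runtime config to the browser to include the secret by accident. In the schema that would be a field on `serverConfig` instead of on `runtimeConfig`, and `z.string().min(1)` would additionally reject an empty value at startup.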
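Review bot: Nothing in this diff shows the Keycloak side being given the value of the renamed `backend-keycloak-client-secret`; because the entry is `type: autogen`, the website will now present a generated secret for `backend-client`, and login would break unless the realm definition reads the same Kubernetes secret. The rename also drops the old `keycloak-client-secret` / `clientSecret` key, so any template that still references it would fail to resolve, which is worth checking before merge. A short comment above the entry, e.g. `# consumed by the website via LOCULUSSUB_backendKeycloakClientSecret; must match the backend-client secret in the Keycloak realm`, would record the coupling.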
diff --git a/website/src/utils/clientMetadata.ts b/website/src/utils/clientMetadata.ts
index 4399d2ed0b..c61d9549b8 100644
--- a/website/src/utils/clientMetadata.ts
+++ b/website/src/utils/clientMetadata.ts
@@ -1,7 +1,10 @@
 // TODO: #1337 Move to config
+import { getRuntimeConfig } from "../config";
+const runtimeConfig = getRuntimeConfig();
+
 export const clientMetadata = {
 client_id: 'backend-client',
 response_types: ['code', 'id_token'],
- client_secret: 'someSecret',
+ client_secret: runtimeConfig.backendKeycloakClientSecret,
 public: true,
 };
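Review bot: `getRuntimeConfig()` now runs at module load, so every file that imports `clientMetadata` reads the runtime config, and with it the Keycloak client secret, as an import side effect; if a browser-side module ever imports this file, the secret is pulled towards the client bundle or the import fails there. Resolving it lazily, for example `export const getClientMetadata = () => ({ ...baseMetadata, client_secret: getRuntimeConfig().backendKeycloakClientSecret });` (with `baseMetadata` as a placeholder name for the static fields), keeps the read on the server request path, though callers outside this diff would need updating. Separately, `public: true` sits beside `client_secret`; a public OIDC client does not authenticate with a secret, so one of the two is probably wrong and should be confirmed against the realm definition. The `// TODO: #1337 Move to config` comment is now only partly true, since `client_id` is still hard-coded.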