diff --git a/ops/chart/values.yaml b/ops/chart/values.yaml
index 62ec0cf..b0311b4 100644
--- a/ops/chart/values.yaml
+++ b/ops/chart/values.yaml
@@ -27,14 +27,25 @@ controllers:
 value: "https://dev.api.corredorconect.com/workload/api/v1"
 - name: NUXT_PUBLIC_DOCUMENT_API_BASE
 value: "https://dev.api.corredorconect.com/document/api/v1"
- - name: AUTH_SECRET
- value: 0d85a9ed917254fc14c51a7e57e58f515574938d81f5a5146d407284c020b541
 - name: AUTH_ORIGIN
 value: https://dev.corredorconect.com/api/auth
 - name: ZITADEL_DOMAIN
 value: https://id.corredorconect.com
 - name: ZITADEL_CLIENT_ID
- value: 371939070261068337
+ valueFrom:
+ secretKeyRef:
+ name: '{{ include "bjw-s.common.lib.chart.names.fullname" $ }}-oidcapp-client-secret'
+ key: clientId
+ - name: ZITADEL_PROJECT_ID
+ valueFrom:
+ secretKeyRef:
+ name: '{{ include "bjw-s.common.lib.chart.names.fullname" $ }}-oidcapp-client-secret'
+ key: projectId
+ - name: AUTH_SECRET
+ valueFrom:
+ secretKeyRef:
+ name: '{{ include "bjw-s.common.lib.chart.names.fullname" $ }}-secrets'
+ key: auth-secret
 ports:
 - name: http
 containerPort: 3000
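Review bot: The AUTH_SECRET literal and the client ID removed here remain in repository history, so this commit does not by itself retire them; the Password generator added in the same change supplies a fresh value, which covers rotation for this deployment, but confirm that no other values file or environment still carries the old literal. The three new `secretKeyRef` entries assume that whatever reconciles the OIDCApp writes a Secret named `<fullname>-oidcapp-client-secret` with keys `clientId` and `projectId`; the diff shows no source for that naming, so a comment above `ZITADEL_CLIENT_ID` such as `# clientId/projectId are published by the OIDCApp reconciler into <fullname>-oidcapp-client-secret` would spare the next reader a lookup. Until both Secrets exist the container cannot be created, which is the intended fail-closed behaviour but worth stating in that same comment. The `controllers:` mapping continues outside the hunk.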
@@ -71,3 +82,65 @@ service:
 ingress:
 main:
 enabled: false
+
+rawResources:
+ password-generator:
+ enabled: true
+ apiVersion: generators.external-secrets.io/v1alpha1
+ kind: Password
+ suffix: password-generator
+ spec:
+ spec:
+ length: 32
+ noUpper: false
+ allowRepeat: true
+ secretKeys:
+ - auth-secret
+
+ external-secret:
+ enabled: true
+ apiVersion: external-secrets.io/v1
+ kind: ExternalSecret
+ suffix: secrets
+ spec:
+ spec:
+ refreshInterval: 0s
+ secretStoreRef:
+ name: cluster-secrets-store
+ kind: ClusterSecretStore
+ target:
+ name: '{{ include "bjw-s.common.lib.chart.names.fullname" $ }}-secrets'
+ creationPolicy: Owner
+ dataFrom:
+ - sourceRef:
+ generatorRef:
+ apiVersion: generators.external-secrets.io/v1alpha1
+ kind: Password
+ name: '{{ include "bjw-s.common.lib.chart.names.fullname" $ }}-password-generator'
+ oidcapp:
+ apiVersion: zitadel.github.com/v1alpha1
+ kind: OIDCApp
+ suffix: oidcapp
+ spec:
+ spec:
+ oidcAppName: policy-ui
+ projectRef:
+ name: seguros-dev
+ namespace: zitadel-resources-operator
+ appType: OIDC_APP_TYPE_WEB
+ authMethodType: OIDC_AUTH_METHOD_TYPE_NONE
+ redirectUris:
+ - https://dev.corredorconect.com/api/auth/callback/zitadel
+ postLogoutRedirectUris:
+ - https://dev.corredorconect.com/
+ responseTypes:
+ - OIDC_RESPONSE_TYPE_CODE
+ grantTypes:
+ - OIDC_GRANT_TYPE_AUTHORIZATION_CODE
+ accessTokenRoleAssertion: true
+ accessTokenType: OIDC_TOKEN_TYPE_JWT
+ idTokenRoleAssertion: true
+ idTokenUserinfoAssertion: true
+ clockSkew: 5s
+ devMode: false
+ skipNativeAppSuccessPage: false
diff --git a/server/api/auth/[...].ts b/server/api/auth/[...].ts
index 7b68700..ddb5c27 100644
--- a/server/api/auth/[...].ts
+++ b/server/api/auth/[...].ts
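Review bot: `oidcapp` is the only `rawResources` entry without `enabled: true`; if the library chart gates rendering on that flag, the OIDCApp is never created, the `-oidcapp-client-secret` Secret referenced from the container env never appears, and the pod sits waiting for it. Adding `enabled: true` directly under `oidcapp:` makes it consistent with `password-generator` and `external-secret` either way. `refreshInterval: 0s` is deliberate here but is the kind of value a later cleanup turns into a non-zero interval; a comment such as `# 0s: never re-run the generator - a refresh would rotate AUTH_SECRET and invalidate every session` protects it. With `authMethodType: OIDC_AUTH_METHOD_TYPE_NONE` the app is a public client with no client secret, so the authorization-code exchange is protected only by PKCE; confirm the Zitadel provider in the Nuxt auth handler has the `pkce` check enabled.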
@@ -9,7 +9,7 @@ export default NuxtAuthHandler({
 issuer: process.env.ZITADEL_DOMAIN,
 authorization: {
 params: {
- scope: 'openid email profile offline_access urn:zitadel:iam:org:project:371479849505653263:aud'
+ scope: `openid email profile offline_access urn:zitadel:iam:org:project:${process.env.ZITADEL_PROJECT_ID}:aud`
 }
 }
 })
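Review bot: An unset `ZITADEL_PROJECT_ID` is interpolated as the string `undefined`, so the handler would silently request the audience scope `urn:zitadel:iam:org:project:undefined:aud` and, at best, fail later with an opaque error from the identity provider rather than at startup. Guard it before the handler is constructed, e.g. `if (!process.env.ZITADEL_PROJECT_ID) throw new Error('ZITADEL_PROJECT_ID is not set')`, and consider the same for `ZITADEL_DOMAIN`, which `issuer` reads in the same unchecked way. The `NuxtAuthHandler({ ... })` call begins before the hunk.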