diff --git a/k8s/apps/furumi-server/deployment.yaml b/k8s/apps/furumi-server/deployment.yaml
index 678f12e..561da11 100644
--- a/k8s/apps/furumi-server/deployment.yaml
+++ b/k8s/apps/furumi-server/deployment.yaml
@@ -22,7 +22,10 @@ spec:
           imagePullPolicy: Always
           env:
             - name: FURUMI_TOKEN
-              value: "f38387266e75effe891b7953eb9c06b4"
+              valueFrom:
+                secretKeyRef:
+                  name: furumi-ng-token
+                  key: TOKEN
             - name: FURUMI_ROOT
               value: "/media"
           ports:
diff --git a/k8s/apps/furumi-server/external-secrets.yaml b/k8s/apps/furumi-server/external-secrets.yaml
new file mode 100644
index 0000000..6b0bca3
--- /dev/null
+++ b/k8s/apps/furumi-server/external-secrets.yaml
@@ -0,0 +1,23 @@
+---
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+  name: furumi-ng-token
+spec:
+  target:
+    name: furumi-ng-token
+    deletionPolicy: Delete
+    template:
+      type: Opaque
+      data:
+        TOKEN: |-
+          {{ .token }}
+  data:
+    - secretKey: token
+      sourceRef:
+        storeRef:
+          name: vaultwarden-login
+          kind: ClusterSecretStore
+      remoteRef:
+        key: b8b8c3a2-c3fe-42d3-9402-0ae305e1455f
+        property: fields[0].value
diff --git a/k8s/apps/furumi-server/kustomization.yaml b/k8s/apps/furumi-server/kustomization.yaml
index f8d52aa..f5d050d 100644
--- a/k8s/apps/furumi-server/kustomization.yaml
+++ b/k8s/apps/furumi-server/kustomization.yaml
@@ -6,3 +6,4 @@ resources:
   - deployment.yaml
   - service.yaml
   - servicemonitor.yaml
+  - external-secrets.yaml