diff --git a/kubernetes/manifests/sentinel/core.yaml b/kubernetes/manifests/sentinel/core.yaml
index 79121ef..83267ec 100644
--- a/kubernetes/manifests/sentinel/core.yaml
+++ b/kubernetes/manifests/sentinel/core.yaml
@@ -67,6 +67,15 @@ spec:
 # group on each boot. Idempotent — safe to leave as-is.
 - name: ADMIN_ENTITY_IDS
 value: "ent_01kt38a23b9ya1w5x4t9dasd86"
+ # Shared secret each non-core service exchanges at startup
+ # for its pre-seeded bearer JWT. Same value as on every
+ # other sentinel-* deployment. Rotating it requires a
+ # rolling restart of every service so each can re-fetch.
+ - name: INTERNAL_BOOTSTRAP_SECRET
+ valueFrom:
+ secretKeyRef:
+ name: sentinel-secrets
+ key: INTERNAL_BOOTSTRAP_SECRET
 ---
 apiVersion: v1
 kind: Service
diff --git a/kubernetes/manifests/sentinel/discord.yaml b/kubernetes/manifests/sentinel/discord.yaml
index fbdab64..2078a57 100644
--- a/kubernetes/manifests/sentinel/discord.yaml
+++ b/kubernetes/manifests/sentinel/discord.yaml
@@ -69,6 +69,13 @@ spec:
 secretKeyRef:
 name: sentinel-secrets
 key: DISCORD_TOKEN
+ # Same value as on core; used at startup to exchange for
+ # this service's pre-seeded bearer JWT.
+ - name: INTERNAL_BOOTSTRAP_SECRET
+ valueFrom:
+ secretKeyRef:
+ name: sentinel-secrets
+ key: INTERNAL_BOOTSTRAP_SECRET
 ---
 apiVersion: v1
 kind: Service
diff --git a/kubernetes/manifests/sentinel/oauth.yaml b/kubernetes/manifests/sentinel/oauth.yaml
index 266544b..b2f4951 100644
--- a/kubernetes/manifests/sentinel/oauth.yaml
+++ b/kubernetes/manifests/sentinel/oauth.yaml
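Review bot: A single INTERNAL_BOOTSTRAP_SECRET value shared by every sentinel-* Deployment (this hunk, and the same key added in the discord, oauth and saml hunks) gives all services one identity at the exchange endpoint, so the blast radius of a leaked copy in any one Deployment is every service's pre-seeded JWT rather than its own. If the exchange only needs to prove "this is a sentinel service", a per-service key in the Secret (one key per Deployment; names would be constructed) or, since these already run in-cluster, a projected service-account token that core verifies via TokenReview would let one service's compromise stay contained to that service and make per-service rotation possible without the fleet-wide rolling restart the comment describes. The comment here is written from the client side ("each non-core service exchanges"), while core.yaml also receives the value; if core is the side that verifies it, saying so avoids a reader assuming core performs the exchange too, e.g. `# Core compares this against the value a service presents at startup;` `# non-core services send it to obtain their pre-seeded bearer JWT.` The Deployment that owns this env list starts outside the hunk.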
@@ -70,6 +70,31 @@ spec:
 # ID tokens have to be byte-identical for relying parties.
 - name: ISSUER
 value: https://sentinel-v5.gauchoracing.com
+ # Discord OAuth client config for the "Continue with Discord"
+ # login button. Client id/secret are the Discord application's
+ # credentials; the redirect URI must byte-match what the web
+ # client sends in its authorize call (and what's registered
+ # on the Discord application's OAuth2 settings).
+ - name: DISCORD_CLIENT_ID
+ valueFrom:
+ secretKeyRef:
+ name: sentinel-secrets
+ key: DISCORD_CLIENT_ID
+ - name: DISCORD_CLIENT_SECRET
+ valueFrom:
+ secretKeyRef:
+ name: sentinel-secrets
+ key: DISCORD_CLIENT_SECRET
+ - name: DISCORD_REDIRECT_URI
+ value: https://sentinel-v5.gauchoracing.com/auth/login/discord
+ # Shared secret exchanged at startup for this service's
+ # pre-seeded bearer JWT. Same value as every other
+ # sentinel-* deployment.
+ - name: INTERNAL_BOOTSTRAP_SECRET
+ valueFrom:
+ secretKeyRef:
+ name: sentinel-secrets
+ key: INTERNAL_BOOTSTRAP_SECRET
 ---
 apiVersion: v1
 kind: Service
diff --git a/kubernetes/manifests/sentinel/saml.yaml b/kubernetes/manifests/sentinel/saml.yaml
index 4419fbb..7709345 100644
--- a/kubernetes/manifests/sentinel/saml.yaml
+++ b/kubernetes/manifests/sentinel/saml.yaml
@@ -79,6 +79,14 @@ spec:
 # registered service provider.
 - name: ISSUER
 value: https://sentinel-v5.gauchoracing.com
+ # Shared secret exchanged at startup for this service's
+ # pre-seeded bearer JWT. Same value as every other
+ # sentinel-* deployment.
+ - name: INTERNAL_BOOTSTRAP_SECRET
+ valueFrom:
+ secretKeyRef:
+ name: sentinel-secrets
+ key: INTERNAL_BOOTSTRAP_SECRET
 ---
 apiVersion: v1
 kind: Service
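Review bot: Every credential this service receives — DISCORD_CLIENT_ID, DISCORD_CLIENT_SECRET and INTERNAL_BOOTSTRAP_SECRET — is read from the same `sentinel-secrets` Secret that the discord hunk reads DISCORD_TOKEN from, so any Deployment or principal granted that one object (and anyone with `get` on it via RBAC) holds the bot token, the OAuth client secret and the bootstrap secret together. Splitting the Secret per consumer (for example one Secret for the oauth Deployment alone; the name would be constructed) keeps each pod's and each role's reach to the keys it actually needs and lets the Discord client secret be rotated without touching the bot's token. DISCORD_CLIENT_ID is a public identifier in OAuth 2.0, so it could sit as a plain `value:` beside DISCORD_REDIRECT_URI rather than a secretKeyRef, leaving the Secret with secret material only; if the id is deliberately kept out of the manifest, a one-line comment saying so would preempt the question. The Deployment that owns this env list starts outside the hunk.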