diff --git a/.env.sample b/.env.sample
index 500940a..d966362 100644
--- a/.env.sample
+++ b/.env.sample
@@ -42,10 +42,16 @@ COMPOSE_FILE="compose.yml"
 
 ## Gandi, https://gandi.net
 ## note(3wc): only "V5" (new) API is supported, so far
-#COMPOSE_FILE="$COMPOSE_FILE:compose.gandi.yml"
-#GANDI_ENABLED=1
+#COMPOSE_FILE="$COMPOSE_FILE:compose.gandi-api-key.yml"
+#GANDI_API_KEY_ENABLED=1
 #SECRET_GANDIV5_API_KEY_VERSION=v1
 
+## Gandi, https://gandi.net
+## note: uses GandiV5 Personal Access Token
+#COMPOSE_FILE="$COMPOSE_FILE:compose.gandi-personal-access-token.yml"
+#GANDI_PERSONAL_ACCESS_TOKEN_ENABLED=1
+#SECRET_GANDIV5_PERSONAL_ACCESS_TOKEN_VERSION=v1
+
 ## DigitalOcean, https://digitalocean.com
 #COMPOSE_FILE="$COMPOSE_FILE:compose.digitalocean.yml"
 #DIGITALOCEAN_ENABLED=1
diff --git a/README.md b/README.md
index dcb6cf1..d23db96 100644
--- a/README.md
+++ b/README.md
@@ -40,8 +40,10 @@ Letsencrypt DNS challenges.
 `SECRET_GANDIV5_API_KEY_VERSION`
 4. Generate an API key for your provider
 5. Run `abra app secret insert YOURAPPDOMAIN SECRETNAME v1 SECRETVALUE`, where
- `SECRETNAME` is from the compose file (e.g. `compose.gandi.yml`) e.g.
+ `SECRETNAME` is from the compose file (e.g. `compose.gandi-api-key.yml`) e.g.
 `gandiv5_api_key` and `SECRETVALUE` is the API key.
+ - For Gandi, you can use either the deprecated API Key or a GandiV5 Personal
+ Access Token, in which case use compose.gandi-personal-access-token.yml.
 6. Redeploy Traefik, using e.g. `abra app deploy YOURAPPDOMAIN -f`
 
 [`abra`]: https://git.autonomic.zone/autonomic-cooperative/abra
diff --git a/compose.gandi.yml b/compose.gandi-api-key.yml
similarity index 100%
rename from compose.gandi.yml
rename to compose.gandi-api-key.yml
diff --git a/compose.gandi-personal-access-token.yml b/compose.gandi-personal-access-token.yml
new file mode 100644
index 0000000..af647a9
--- /dev/null
+++ b/compose.gandi-personal-access-token.yml
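Review bot: Nothing visible in this commit reads the two switches added in the `.env.sample` hunk, `GANDI_API_KEY_ENABLED` and `GANDI_PERSONAL_ACCESS_TOKEN_ENABLED`: the only consumer of the old `GANDI_ENABLED` flag shown here, the block in `entrypoint.sh.tmpl`, is removed rather than renamed. If no other template uses them, drop both lines so operators do not assume the flag gates the credential; if something does, name it in a comment. Existing deployments whose `.env` still lists `compose.gandi.yml` will point at a file that no longer exists after the rename, so the upgrade needs a release note. Since the README now calls the API key deprecated, the first block could carry `## note: API key auth is deprecated; prefer the Personal Access Token block below and enable only one of the two`.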
@@ -0,0 +1,15 @@
+version: "3.8"
+
+services:
+ app:
+ environment:
+ - GANDIV5_PERSONAL_ACCESS_TOKEN_FILE=/run/secrets/gandiv5_personal_access_token
+ - LETS_ENCRYPT_DNS_CHALLENGE_ENABLED
+ - LETS_ENCRYPT_DNS_CHALLENGE_PROVIDER
+ secrets:
+ - gandiv5_personal_access_token
+
+secrets:
+ gandiv5_personal_access_token:
+ name: ${STACK_NAME}_gandiv5_personal_access_token_${SECRET_GANDIV5_PERSONAL_ACCESS_TOKEN_VERSION}
+ external: true
diff --git a/entrypoint.sh.tmpl b/entrypoint.sh.tmpl
index 41cbf44..f4e6232 100644
--- a/entrypoint.sh.tmpl
+++ b/entrypoint.sh.tmpl
@@ -7,10 +7,6 @@ export OVH_CONSUMER_KEY=$(cat "$OVH_CONSUMER_KEY_FILE")
 export OVH_APPLICATION_SECRET=$(cat "$OVH_APPLICATION_SECRET_FILE")
 {{ end }}
 
-{{ if eq (env "GANDI_ENABLED") "1" }}
-export GANDIV5_API_KEY=$(cat "$GANDIV5_API_KEY_FILE")
-{{ end }}
-
 {{ if eq (env "DIGITALOCEAN_ENABLED") "1" }}
 export DO_AUTH_TOKEN=$(cat "$DO_AUTH_TOKEN_FILE")
 {{ end }}
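Review bot: The token in `compose.gandi-personal-access-token.yml` reaches the ACME client only through `GANDIV5_PERSONAL_ACCESS_TOKEN_FILE`, because `entrypoint.sh.tmpl` no longer exports any Gandi variable. That works only if the lego build bundled in the deployed Traefik image recognises the personal-access-token variable and the `_FILE` suffix, which this diff neither pins nor documents. With an older image the DNS challenge would presumably fail for lack of credentials, and that may first surface at renewal time. I would add a comment above the `environment:` entry, e.g. `# read directly by Traefik's ACME client (lego) via the _FILE suffix; requires a Traefik release with Gandi PAT support`. The README could also say that the token should be created with the narrowest scope and shortest expiry Gandi offers, and rotated by bumping `SECRET_GANDIV5_PERSONAL_ACCESS_TOKEN_VERSION`.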