diff --git a/.env.sample b/.env.sample
index c984e03..cc1b436 100644
--- a/.env.sample
+++ b/.env.sample
@@ -23,6 +23,6 @@ LETS_ENCRYPT_ENV=production
 #SSO_PROVIDER_NAME=Authentik
 #SSO_OIDC_URL=https://authentik.example.com/application/o/cryptpad
 #SSO_CLIENT_ID=cryptpad
-#SSO_CLIENT_SECRET=
+#SSO_CLIENT_SECRET_VERSION=v1
 #SSO_JWT_ALG=RS256
 #SSO_PLUGIN_VERSION=0.4.0
diff --git a/abra.sh b/abra.sh
index 136b414..0e1ced5 100644
--- a/abra.sh
+++ b/abra.sh
@@ -1,5 +1,5 @@
 export CONFIG_VERSION=v2
 export CONFIG_JS_VERSION=v2
 export NGINX_CONF_VERSION=v1
-export SSO_ENTRYPOINT_VERSION=v4
-export SSO_JS_VERSION=v2
+export SSO_ENTRYPOINT_VERSION=v5
+export SSO_JS_VERSION=v3
diff --git a/compose.yml b/compose.yml
index bb6519f..e270577 100644
--- a/compose.yml
+++ b/compose.yml
@@ -4,7 +4,7 @@ version: "3.8"
 services:
   app:
     image: cryptpad/cryptpad:version-2026.2.0
-    entrypoint: ["/bin/bash", "/sso-entrypoint.sh"]
+    entrypoint: ["/sso-entrypoint.sh", "/cryptpad/docker-entrypoint.sh"]
     command: ["npm", "start"]
     networks:
       - backend
@@ -19,14 +19,14 @@ services:
       - "CPAD_CONF=/cryptpad/config/config.js"
       # SSO plugin
       - SSO_PLUGIN_VERSION
-      - SSO_ENABLED
+      - "SSO_ENABLED=${SSO_ENABLED:-false}"
       - SSO_ENFORCED
       - SSO_PROVIDER_NAME
       - SSO_OIDC_URL
       - SSO_CLIENT_ID
-      - SSO_CLIENT_SECRET
       - SSO_JWT_ALG
-
+    secrets:
+      - sso_client_s
     volumes:
       - cryptpad_blob:/cryptpad/blob
       - cryptpad_block:/cryptpad/block
@@ -52,7 +52,6 @@ services:
       - "coop-cloud.${STACK_NAME}.timeout=${TIMEOUT:-120}"
      - "coop-cloud.${STACK_NAME}.version=0.5.0+v2026.2.0"
       - "backupbot.backup=true"
-      - "backupbot.backup.volumes.cryptpad_config=false"
     healthcheck:
       test: ["CMD", "curl", "-f", "http://localhost:3000"]
       interval: 30s
@@ -96,6 +95,11 @@ volumes:
   cryptpad_config:
   cryptpad_plugins:
 
+secrets:
+  sso_client_s:
+    external: true
+    name: ${STACK_NAME}_sso_client_s_${SSO_CLIENT_SECRET_VERSION}
+
 configs:
   config_js:
     name: ${STACK_NAME}_config_${CONFIG_VERSION}
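Review bot: With `#SSO_CLIENT_SECRET=` gone, the sample no longer says where the client secret now comes from, and the new `SSO_CLIENT_SECRET_VERSION` line gives no hint what it versions. A comment above it, such as `# The OIDC client secret is supplied as the Docker secret sso_client_s; bump SSO_CLIENT_SECRET_VERSION when rotating it`, would close that gap for anyone copying this file.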
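Review bot: The new `entrypoint:` runs `/sso-entrypoint.sh` directly rather than through `/bin/bash`, so the file now needs its execute bit; if it is delivered as a Docker config (its definition is outside this diff), configs are mounted read-only with mode 0444 by default and the task fails with a permission error unless the config entry sets `mode: 0755`. The same applies to `/cryptpad/docker-entrypoint.sh`, which the script now execs without an interpreter; that one ships in the image and is presumably executable, but worth confirming. A one-line comment above `entrypoint:`, e.g. `# /sso-entrypoint.sh must be mounted executable (config mode 0755); it execs the remaining args`, would record the dependency.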
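Review bot: `SSO_ENABLED` now defaults to `false`, but the `secrets:` entry added to the `app` service is unconditional, so a deployment that never configures SSO still needs the external secret to exist or `docker stack deploy` rejects the service. The same applies to the `secrets:` definition in the last hunk of this file, where `SSO_CLIENT_SECRET_VERSION` has no default, so the external name ends in a trailing underscore when the variable is left commented out as in `.env.sample`; giving it one, `name: ${STACK_NAME}_sso_client_s_${SSO_CLIENT_SECRET_VERSION:-v1}`, at least makes the expected name predictable, and the requirement to create the secret even with SSO disabled should be documented unless the secret moves into an optional overlay. The list is also now mixed-style, with the secret injected as a file while the other `SSO_*` entries stay bare env names; a comment such as `# SSO_CLIENT_SECRET is provided via the sso_client_s Docker secret (see sso.js.tmpl)` above the list would explain the gap.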
diff --git a/sso-entrypoint.sh b/sso-entrypoint.sh
index 750c515..460ff46 100644
--- a/sso-entrypoint.sh
+++ b/sso-entrypoint.sh
@@ -3,7 +3,13 @@ set -e
 
 # SSO plugin installer — runs before the original CryptPad entrypoint.
 # Clones the cryptpad/sso plugin into the plugins volume if not already present
-# or if the version has changed, then delegates to the real entrypoint.
+# or if the version has changed.
+
+# Skips SSO setup entirely when SSO_ENABLED is not "true".
+if [ "${SSO_ENABLED}" != "true" ]; then
+  echo "[sso-entrypoint] SSO not enabled, skipping plugin install"
+  exec "$@"
+fi
 
 PLUGIN_DIR="/cryptpad/lib/plugins/sso"
 VERSION_FILE="${PLUGIN_DIR}/.version"
@@ -28,4 +34,4 @@ else
 fi
 
 # Hand off to the original CryptPad entrypoint
-exec /bin/bash /cryptpad/docker-entrypoint.sh "$@"
+exec "$@"
diff --git a/sso.js.tmpl b/sso.js.tmpl
index 5509aee..7e6926e 100644
--- a/sso.js.tmpl
+++ b/sso.js.tmpl
@@ -12,7 +12,7 @@ module.exports = {
     type: "oidc",
     url: "{{ env "SSO_OIDC_URL" }}",
     client_id: "{{ env "SSO_CLIENT_ID" }}",
-    client_secret: "{{ env "SSO_CLIENT_SECRET" }}",
+    client_secret: "{{ secret "sso_client_s" }}",
     id_token_alg: "{{ env "SSO_JWT_ALG" }}",
     use_pkce: true,
     use_nonce: true
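Review bot: Both `exec "$@"` lines depend on the caller passing the next entrypoint as positional parameters, but with an empty `$@` a POSIX `exec` is a no-op rather than a failure, so the disabled branch would fall through into the plugin install instead of stopping, and the final `exec "$@"` in the second hunk of this file would let the script exit 0 without ever starting CryptPad. A guard near the top, `[ "$#" -gt 0 ] || { echo "[sso-entrypoint] usage: $0 <next-entrypoint> [args...]" >&2; exit 1; }`, makes the contract fail loudly, and the header comment should state it, e.g. `# Usage: sso-entrypoint.sh <next-entrypoint> [args...] — compose passes /cryptpad/docker-entrypoint.sh here`. The `if` also compares `SSO_ENABLED` case-sensitively against `true`; compose supplies `${SSO_ENABLED:-false}`, so a `.env` value like `True` or `yes` silently skips the install, which the comment above the `if` should say. Skipping the install does not remove a plugin left in the plugins volume by an earlier enabled deployment; whether CryptPad still loads it with SSO disabled depends on the plugin config, which this script does not touch.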
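Review bot: The secret's bytes are spliced verbatim into a double-quoted JS string literal, so a trailing newline (common when a secret is created from `echo` output) or a `"` or `\` inside the secret either breaks the parse of the rendered `sso.js` or changes the value relative to the env-based version it replaces. If the renderer exposes Go text/template's builtin `js` function, `client_secret: "{{ secret "sso_client_s" | js }}",` escapes those characters; the trailing-newline case still needs the secret stored without one, which belongs in the recipe's setup notes and in a comment here, e.g. `// client_secret is read from the sso_client_s secret; store it without a trailing newline`. The enclosing `module.exports` object starts and ends outside this hunk.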