diff --git a/compose.yaml b/compose.yaml
index 8d33900..cfbdefb 100644
--- a/compose.yaml
+++ b/compose.yaml
@@ -1,15 +1,19 @@
 services:
   grist:
-    image: gristlabs/grist:1.1.7
+    image: gristlabs/grist:1.1.12
     networks:
       - proxy
       - internal
     environment:
-      - GRIST_DATABASE_URL=postgresql://${STACK_NAME}_db:5432/grist
+      - TYPEORM_DATABASE=grist
+      - TYPEORM_TYPE=postgres
+      - TYPEORM_USERNAME=grist
+      - TYPEORM_PASSWORD_FILE=/run/secrets/db_password
+      - TYPEORM_HOST=db
       - GRIST_REDIS_URL=redis://${STACK_NAME}_redis:6379
       - GRIST_DATA_DIR=/var/grist-data
       - GRIST_SUPPORT_ANON
-      - GRIST_SESSION_SECRET
+      - GRIST_SESSION_SECRET_FILE=/run/secrets/session_secret
       - GRIST_SANDBOX_FLAVOR
       - APP_HOME_URL=https://${DOMAIN}
       - APP_DOC_URL=https://${DOMAIN}
@@ -17,19 +21,24 @@ services:
       - GRIST_ORG_IN_PATH
       - COOKIE_MAX_AGE
       - GRIST_FORCE_LOGIN
-      - GRIST_SAML_SP_HOST=https://${DOMAIN}
-      - GRIST_SAML_SP_KEY=/keys/private.key
-      - GRIST_SAML_SP_CERT=/keys/certificate.crt
-      - GRIST_SAML_IDP_LOGIN
-      - GRIST_SAML_IDP_LOGOUT
-      - GRIST_SAML_IDP_SKIP_SLO
-      - GRIST_SAML_IDP_CERTS=/keys/idp-cert.pem
-      - GRIST_SAML_IDP_UNENCRYPTED
       - GRIST_HIDE_UI_ELEMENTS
       - GRIST_DEFAULT_EMAIL
+      - GRIST_OIDC_SP_HOST
+      - GRIST_OIDC_IDP_ISSUER
+      - GRIST_OIDC_IDP_SCOPES
+      - GRIST_OIDC_IDP_CLIENT_ID
+      - GRIST_OIDC_IDP_CLIENT_SECRET_FILE=/run/secrets/oidc_idp_client_secret
+    secrets:
+      - db_password
+      - session_secret
+      - oidc_idp_client_secret
     volumes:
-      - grist_keys:/keys
       - grist_data:/persist
+    configs:
+      - source: entrypoint
+        target: /entrypoint.sh
+        mode: 0555
+    entrypoint: /entrypoint.sh
     depends_on:
       - db
       - redis
@@ -64,17 +73,25 @@ services:
     volumes:
       - 'redis_data:/data'
 
+configs:
+  entrypoint:
+    file: entrypoint.sh
+
 secrets:
   db_password:
     external: true
     name: ${STACK_NAME}_db_password
+  session_secret:
+    external: true
+    name: ${STACK_NAME}_session_secret
+  oidc_idp_client_secret:
+    external: true
+    name: ${STACK_NAME}_oidc_idp_client_secret
 
 volumes:
   postgresql_data:
   redis_data:
   grist_data:
-  grist_keys:
-
 
 networks:
   proxy:
diff --git a/entrypoint.sh b/entrypoint.sh
new file mode 100644
index 0000000..f58f57c
--- /dev/null
+++ b/entrypoint.sh
@@ -0,0 +1,29 @@
+#!/bin/bash
+set -e
+
+file_env() {
+   local var="$1"
+   local fileVar="${var}_FILE"
+
+   if [ "${!var:-}" ] && [ "${!fileVar:-}" ]; then
+      echo >&2 "error: both $var and $fileVar are set (but are exclusive)"
+      exit 1
+   fi
+
+   if [ "${!var:-}" ]; then
+      export "$var"="${!var}"
+   elif [ "${!fileVar:-}" ]; then
+      export "$var"="$(< "${!fileVar}")"
+   else
+      echo >&2 "error: neither $var nor $fileVar is set"
+      exit 1
+   fi
+
+   unset "$fileVar"
+}
+
+file_env TYPEORM_PASSWORD
+file_env GRIST_SESSION_SECRET
+file_env GRIST_OIDC_IDP_CLIENT_SECRET
+
+exec ./sandbox/run.sh $@
diff --git a/prepare_keys.sh b/prepare_keys.sh
deleted file mode 100755
index a09220a..0000000
--- a/prepare_keys.sh
+++ /dev/null
@@ -1,41 +0,0 @@
-#!/bin/bash
-
-# Stack name and volume name
-VOLUME_NAME="${STACK_NAME}_grist_keys"
-
-# Temporary container name for key and certificate generation
-KEY_CERT_GEN_CONTAINER="temp-generate-key-cert"
-
-# Temporary container name for cert writing
-CERT_WRITE_CONTAINER="temp-store-cert"
-
-# Environment variable containing the X509 certificate
-X509_CERT_CONTENT="${GRIST_SAML_IDP_CERTS_STRING}"
-
-# Check if the Docker volume exists
-if ! docker volume inspect $VOLUME_NAME > /dev/null 2>&1; then
-    echo "Creating Docker volume: $VOLUME_NAME"
-    docker volume create $VOLUME_NAME
-fi
-
-# Run a temporary Alpine container to generate the key and certificate
-docker run --name $KEY_CERT_GEN_CONTAINER -v $VOLUME_NAME:/keys -it alpine sh -c "
-    apk add openssl; \
-    echo 'Generating RSA private key and self-signed certificate...'; \
-    openssl req -x509 -nodes -sha256 -days 3650 -newkey rsa:2048 -keyout /keys/private.key -out /keys/certificate.crt; \
-    echo 'RSA private key and self-signed certificate generated in the $VOLUME_NAME volume.'
-"
-docker rm -f $KEY_CERT_GEN_CONTAINER
-
-
-# Check if X509 certificate content is provided and not empty
-if [ -n "$X509_CERT_CONTENT" ]; then
-    docker run --name $CERT_WRITE_CONTAINER -v $VOLUME_NAME:/keys -it alpine sh -c "
-        echo 'Writing X509 certificate to PEM file...'; \
-        echo '-----BEGIN CERTIFICATE-----' > /keys/idp-cert.pem; \
-        echo \"$X509_CERT_CONTENT\" >> /keys/idp-cert.pem; \
-        echo '-----END CERTIFICATE-----' >> /keys/idp-cert.pem;
-        echo 'X509 certificate written to /keys/idp-cert.pem.'
-    "
-    docker rm -f $CERT_WRITE_CONTAINER
-fi