diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
index 8896cad..c46ab43 100644
--- a/.github/workflows/deploy.yml
+++ b/.github/workflows/deploy.yml
@@ -28,6 +28,9 @@ jobs:
       - name: Build and push frontend image
         run: |
           docker build --platform linux/amd64 \
+            --build-arg VITE_API_URL=${{ secrets.VITE_API_URL }} \
+            --build-arg VITE_SUPABASE_URL=${{ secrets.VITE_SUPABASE_URL }} \
+            --build-arg VITE_SUPABASE_ANON_KEY=${{ secrets.VITE_SUPABASE_ANON_KEY }} \
             -t gitea.nerdboden.de/thefurya/nuzlocke-tracker-frontend:latest \
             -f frontend/Dockerfile.prod ./frontend
           docker push gitea.nerdboden.de/thefurya/nuzlocke-tracker-frontend:latest
@@ -41,6 +44,12 @@ jobs:
           SCP_CMD="scp -o StrictHostKeyChecking=no -i ~/.ssh/deploy_key"
           DEPLOY_DIR="/mnt/user/appdata/nuzlocke-tracker"
 
+          # Write .env from secrets (overwrites any existing file)
+          printf '%s\n' \
+            "POSTGRES_PASSWORD=${{ secrets.POSTGRES_PASSWORD }}" \
+            "SUPABASE_JWT_SECRET=${{ secrets.SUPABASE_JWT_SECRET }}" \
+          | $SSH_CMD "cat > '${DEPLOY_DIR}/.env'"
+
           $SCP_CMD docker-compose.prod.yml "root@192.168.1.10:${DEPLOY_DIR}/docker-compose.yml"
           $SCP_CMD backup.sh "root@192.168.1.10:${DEPLOY_DIR}/backup.sh"
           $SSH_CMD "chmod +x '${DEPLOY_DIR}/backup.sh'"
diff --git a/docker-compose.prod.yml b/docker-compose.prod.yml
index 17cdbe2..87a51b7 100644
--- a/docker-compose.prod.yml
+++ b/docker-compose.prod.yml
@@ -6,6 +6,7 @@ services:
     environment:
       - DEBUG=false
       - DATABASE_URL=postgresql://postgres:${POSTGRES_PASSWORD}@db:5432/nuzlocke
+      - SUPABASE_JWT_SECRET=${SUPABASE_JWT_SECRET}
     depends_on:
       db:
         condition: service_healthy
@@ -13,6 +14,13 @@ services:
 
   frontend:
     image: gitea.nerdboden.de/thefurya/nuzlocke-tracker-frontend:latest
+    build:
+      context: ./frontend
+      dockerfile: Dockerfile.prod
+      args:
+        - VITE_API_URL=${VITE_API_URL}
+        - VITE_SUPABASE_URL=${VITE_SUPABASE_URL}
+        - VITE_SUPABASE_ANON_KEY=${VITE_SUPABASE_ANON_KEY}
     ports:
       - "9080:80"
     depends_on:
diff --git a/frontend/Dockerfile.prod b/frontend/Dockerfile.prod
index 20ac482..7b27c3d 100644
--- a/frontend/Dockerfile.prod
+++ b/frontend/Dockerfile.prod
@@ -8,6 +8,11 @@ COPY package*.json ./
 RUN npm ci
 
 COPY . .
+
+ARG VITE_API_URL
+ARG VITE_SUPABASE_URL
+ARG VITE_SUPABASE_ANON_KEY
+
 RUN npm run build
 
 # Stage 2: Serve