diff --git a/charts/countly/templates/external-secret-common.yaml b/charts/countly/templates/external-secret-common.yaml
index 3360f84..1a4a0bb 100644
--- a/charts/countly/templates/external-secret-common.yaml
+++ b/charts/countly/templates/external-secret-common.yaml
@@ -1,7 +1,7 @@
 {{- if eq (.Values.secrets.mode | default "values") "externalSecret" }}
 {{- if not .Values.secrets.common.existingSecret }}
 {{- $commonRemote := .Values.secrets.externalSecret.remoteRefs.common | default dict -}}
-{{- $commonUsesExternal := or $commonRemote.encryptionReportsKey $commonRemote.webSessionSecret $commonRemote.passwordSecret $commonRemote.mailConfigAuthUser $commonRemote.mailConfigAuthPass -}}
+{{- $commonUsesExternal := or $commonRemote.encryptionReportsKey $commonRemote.webSessionSecret $commonRemote.passwordSecret $commonRemote.jwtSecret $commonRemote.mailConfigAuthUser $commonRemote.mailConfigAuthPass -}}
 {{- if $commonUsesExternal }}
 apiVersion: external-secrets.io/v1
 kind: ExternalSecret
@@ -21,7 +21,7 @@ spec:
 target:
 name: {{ include "countly.fullname" . }}-common
 creationPolicy: Owner
- {{- $hasCommonTemplateData := or (not $commonRemote.encryptionReportsKey) (not $commonRemote.webSessionSecret) (not $commonRemote.passwordSecret) (and .Values.secrets.common.mailConfigAuthUser (not $commonRemote.mailConfigAuthUser)) (and .Values.secrets.common.mailConfigAuthPass (not $commonRemote.mailConfigAuthPass)) }}
+ {{- $hasCommonTemplateData := or (not $commonRemote.encryptionReportsKey) (not $commonRemote.webSessionSecret) (not $commonRemote.passwordSecret) (and .Values.secrets.common.jwtSecret (not $commonRemote.jwtSecret)) (and .Values.secrets.common.mailConfigAuthUser (not $commonRemote.mailConfigAuthUser)) (and .Values.secrets.common.mailConfigAuthPass (not $commonRemote.mailConfigAuthPass)) }}
 {{- if $hasCommonTemplateData }}
 template:
 engineVersion: v2
@@ -36,6 +36,9 @@ spec:
 {{- if not .Values.secrets.externalSecret.remoteRefs.common.passwordSecret }}
 COUNTLY_CONFIG__PASSWORDSECRET: {{ .Values.secrets.common.passwordSecret | quote }}
 {{- end }}
+ {{- if and .Values.secrets.common.jwtSecret (not .Values.secrets.externalSecret.remoteRefs.common.jwtSecret) }}
+ COUNTLY_CONFIG__API_JWT_SECRET: {{ .Values.secrets.common.jwtSecret | quote }}
+ {{- end }}
 {{- if and .Values.secrets.common.mailConfigAuthUser (not .Values.secrets.externalSecret.remoteRefs.common.mailConfigAuthUser) }}
 COUNTLY_CONFIG__MAIL_CONFIG_AUTH_USER: {{ .Values.secrets.common.mailConfigAuthUser | quote }}
 {{- end }}
@@ -59,6 +62,11 @@ spec:
 remoteRef:
 key: {{ required "secrets.externalSecret.remoteRefs.common.passwordSecret is required" .Values.secrets.externalSecret.remoteRefs.common.passwordSecret }}
 {{- end }}
+ {{- if .Values.secrets.externalSecret.remoteRefs.common.jwtSecret }}
+ - secretKey: COUNTLY_CONFIG__API_JWT_SECRET
+ remoteRef:
+ key: {{ required "secrets.externalSecret.remoteRefs.common.jwtSecret is required" .Values.secrets.externalSecret.remoteRefs.common.jwtSecret }}
+ {{- end }}
 {{- if .Values.secrets.externalSecret.remoteRefs.common.mailConfigAuthUser }}
 - secretKey: COUNTLY_CONFIG__MAIL_CONFIG_AUTH_USER
 remoteRef:
diff --git a/charts/countly/templates/secret-common.yaml b/charts/countly/templates/secret-common.yaml
index 8191732..b778a18 100644
--- a/charts/countly/templates/secret-common.yaml
+++ b/charts/countly/templates/secret-common.yaml
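Review bot: In the `@@ -36,6 +36,9 @@` hunk of external-secret-common.yaml, a `jwtSecret` supplied through values is rendered as a literal into the ExternalSecret itself (apparently under `spec.target.template.data`; the enclosing block starts outside the hunk), so the JWT signing key is stored in a custom resource whose read access is governed by RBAC on ExternalSecret objects rather than on Secrets. The neighbouring `COUNTLY_CONFIG__PASSWORDSECRET` line has the same exposure, but for a key that signs auth tokens it is worth refusing the mix in externalSecret mode, for example `{{- if and .Values.secrets.common.jwtSecret (not $commonRemote.jwtSecret) }}{{ fail "set secrets.externalSecret.remoteRefs.common.jwtSecret in externalSecret mode" }}{{- end }}`. If the values fallback has to stay, the `jwtSecret` comment in values.yaml should say that the value ends up in the ExternalSecret manifest.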
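Review bot: In the `@@ -59,6 +62,11 @@` hunk of external-secret-common.yaml the `required` call can never fail, because the surrounding `if` already tests the same value, and the remote key is emitted unquoted, so a key that YAML reads as a number or boolean would change type. `key: {{ $commonRemote.jwtSecret | quote }}` covers both and, like the two lines changed at the top of the file, goes through `$commonRemote`, which is defaulted to an empty dict (assuming that variable is still in scope at this point). The added `if` could test `$commonRemote.jwtSecret` for the same reason. The list this entry belongs to starts outside the hunk.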
@@ -22,6 +22,9 @@ data:
 COUNTLY_CONFIG__ENCRYPTION_REPORTS_KEY: {{ include "countly.secret.value" (dict "secretName" $secretName "key" "COUNTLY_CONFIG__ENCRYPTION_REPORTS_KEY" "value" .Values.secrets.common.encryptionReportsKey "namespace" .Release.Namespace) }}
 COUNTLY_CONFIG__WEB_SESSION_SECRET: {{ include "countly.secret.value" (dict "secretName" $secretName "key" "COUNTLY_CONFIG__WEB_SESSION_SECRET" "value" .Values.secrets.common.webSessionSecret "namespace" .Release.Namespace) }}
 COUNTLY_CONFIG__PASSWORDSECRET: {{ include "countly.secret.value" (dict "secretName" $secretName "key" "COUNTLY_CONFIG__PASSWORDSECRET" "value" .Values.secrets.common.passwordSecret "namespace" .Release.Namespace) }}
+ {{- if or .Values.secrets.common.jwtSecret (and $existing (hasKey $existing.data "COUNTLY_CONFIG__API_JWT_SECRET")) }}
+ COUNTLY_CONFIG__API_JWT_SECRET: {{ include "countly.secret.value" (dict "secretName" $secretName "key" "COUNTLY_CONFIG__API_JWT_SECRET" "value" .Values.secrets.common.jwtSecret "namespace" .Release.Namespace) }}
+ {{- end }}
 {{- if or .Values.secrets.common.mailConfigAuthUser (and $existing (hasKey $existing.data "COUNTLY_CONFIG__MAIL_CONFIG_AUTH_USER")) }}
 COUNTLY_CONFIG__MAIL_CONFIG_AUTH_USER: {{ include "countly.secret.value" (dict "secretName" $secretName "key" "COUNTLY_CONFIG__MAIL_CONFIG_AUTH_USER" "value" .Values.secrets.common.mailConfigAuthUser "namespace" .Release.Namespace) }}
 {{- end }}
diff --git a/charts/countly/values.schema.json b/charts/countly/values.schema.json
index 5d2595e..4b448f5 100644
--- a/charts/countly/values.schema.json
+++ b/charts/countly/values.schema.json
@@ -175,6 +175,9 @@
 "passwordSecret": {
 "type": "string"
 },
+ "jwtSecret": {
+ "type": "string"
+ },
 "mailConfigAuthUser": {
 "type": "string"
 },
diff --git a/charts/countly/values.yaml b/charts/countly/values.yaml
index 4646efa..6299dc6 100644
--- a/charts/countly/values.yaml
+++ b/charts/countly/values.yaml
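Review bot: In the values.schema.json hunk the new `jwtSecret` entry only checks `"type": "string"`, so the 32-character minimum that the values.yaml comment recommends is never checked and a short signing secret renders without complaint. If the key is used for HMAC-signed tokens (not visible in this commit), a short value weakens every token it signs. Adding `"pattern": "^(|.{32,})$"` next to the type would keep the empty default valid while rejecting short non-empty values. The schema only sees chart values, so a key pulled in through `remoteRefs` has to meet the length requirement in the external store.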
@@ -486,6 +486,8 @@ secrets: webSessionSecret: "" # -- Internal password hashing secret passwordSecret: "" + # -- JWT signing secret for /v2 auth (min 32 chars recommended) + jwtSecret: "" # -- Optional SMTP auth username mailConfigAuthUser: "" # -- Optional SMTP auth password @@ -528,6 +530,7 @@ secrets: encryptionReportsKey: "" webSessionSecret: "" passwordSecret: "" + jwtSecret: "" # Optional SMTP auth refs when using External Secrets. # Example: # mailConfigAuthUser: "my-smtp-auth-user-secret" diff --git a/environments/reference/countly.yaml b/environments/reference/countly.yaml index 72a62b9..aaa56d8 100644 --- a/environments/reference/countly.yaml +++ b/environments/reference/countly.yaml @@ -468,6 +468,7 @@ secrets: encryptionReportsKey: "" # REQUIRED: min 8 chars webSessionSecret: "" # REQUIRED: min 8 chars passwordSecret: "" # REQUIRED: min 8 chars + jwtSecret: "" # Optional: required only for /v2 auth (min 32 chars recommended) clickhouse: existingSecret: "" @@ -498,6 +499,7 @@ secrets: encryptionReportsKey: "" webSessionSecret: "" passwordSecret: "" + jwtSecret: "" clickhouse: url: "" username: "" diff --git a/environments/reference/credentials-countly.yaml b/environments/reference/credentials-countly.yaml index cf3d718..991be3b 100644 --- a/environments/reference/credentials-countly.yaml +++ b/environments/reference/credentials-countly.yaml @@ -6,6 +6,7 @@ secrets: encryptionReportsKey: "" # REQUIRED: min 8 chars webSessionSecret: "" # REQUIRED: min 8 chars passwordSecret: "" # REQUIRED: min 8 chars + jwtSecret: "" # Optional: required only for /v2 auth (min 32 chars recommended) mailConfigAuthUser: "" # Optional: SMTP auth user mailConfigAuthPass: "" # Optional: SMTP auth password clickhouse: 
@@ -30,6 +31,7 @@ secrets:
 # encryptionReportsKey: "acme-countly-encryption-reports-key"
 # webSessionSecret: "acme-countly-web-session-secret"
 # passwordSecret: "acme-countly-password-secret"
+# jwtSecret: "acme-countly-jwt-secret"
 # # Example SMTP auth refs:
 # mailConfigAuthUser: "my-smtp-auth-user-secret"
 # mailConfigAuthPass: "my-smtp-auth-pass-secret"
diff --git a/environments/reference/external-secrets.example.yaml b/environments/reference/external-secrets.example.yaml
index 6ff8dc5..56bb20a 100644
--- a/environments/reference/external-secrets.example.yaml
+++ b/environments/reference/external-secrets.example.yaml
@@ -17,6 +17,7 @@
 # encryptionReportsKey: "acme-countly-encryption-reports-key"
 # webSessionSecret: "acme-countly-web-session-secret"
 # passwordSecret: "acme-countly-password-secret"
+# jwtSecret: "acme-countly-jwt-secret"
 # # Example SMTP auth refs:
 # mailConfigAuthUser: "my-smtp-auth-user-secret"
 # mailConfigAuthPass: "my-smtp-auth-pass-secret"
diff --git a/environments/reference/secrets.example.yaml b/environments/reference/secrets.example.yaml
index 181cb54..144934b 100644
--- a/environments/reference/secrets.example.yaml
+++ b/environments/reference/secrets.example.yaml
@@ -20,6 +20,7 @@ secrets:
 encryptionReportsKey: "CHANGEME-min-8-chars"
 webSessionSecret: "CHANGEME-min-8-chars"
 passwordSecret: "CHANGEME-min-8-chars"
+ jwtSecret: "CHANGEME-min-32-chars-for-v2-auth"
 clickhouse:
 password: "CHANGEME-match-clickhouse-chart"
 mongodb:
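Review bot: In the secrets.example.yaml hunk the placeholder `CHANGEME-min-32-chars-for-v2-auth` is itself 33 characters long, so a copy of the example that is deployed unedited passes any 32-character length check and leaves a publicly known string as the JWT signing key. Nothing visible in this commit rejects placeholder values. A guard in the chart's secret template such as `{{- if hasPrefix "CHANGEME" (.Values.secrets.common.jwtSecret | default "") }}{{ fail "secrets.common.jwtSecret still holds the example placeholder" }}{{- end }}` would stop that at render time. The three `CHANGEME-min-8-chars` values in the same hunk have the same property against their 8-character minimum.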