diff --git a/scripts/sso_portal_e2e_client_secret_sync.sh b/scripts/sso_portal_e2e_client_secret_sync.sh
new file mode 100755
index 0000000..bf944ca
--- /dev/null
+++ b/scripts/sso_portal_e2e_client_secret_sync.sh
@@ -0,0 +1,20 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+SOURCE_NAMESPACE="${SOURCE_NAMESPACE:-sso}"
+DEST_NAMESPACE="${DEST_NAMESPACE:-bstein-dev-home}"
+SECRET_NAME="${SECRET_NAME:-portal-e2e-client}"
+
+client_id="$(kubectl -n "${SOURCE_NAMESPACE}" get secret "${SECRET_NAME}" -o jsonpath='{.data.client_id}')"
+client_secret="$(kubectl -n "${SOURCE_NAMESPACE}" get secret "${SECRET_NAME}" -o jsonpath='{.data.client_secret}')"
+
+cat </dev/null
+apiVersion: v1
+kind: Secret
+metadata:
+ name: ${SECRET_NAME}
+type: Opaque
+data:
+ client_id: ${client_id}
+ client_secret: ${client_secret}
+EOF
diff --git a/services/bstein-dev-home/kustomization.yaml b/services/bstein-dev-home/kustomization.yaml
index 2b710d1..3a423ef 100644
--- a/services/bstein-dev-home/kustomization.yaml
+++ b/services/bstein-dev-home/kustomization.yaml
@@ -6,6 +6,7 @@ resources:
 - namespace.yaml
 - image.yaml
 - rbac.yaml
+ - portal-e2e-client-secret-sync-rbac.yaml
 - chat-ai-gateway-configmap.yaml
 - chat-ai-gateway-deployment.yaml
 - chat-ai-gateway-service.yaml
diff --git a/services/bstein-dev-home/portal-e2e-client-secret-sync-rbac.yaml b/services/bstein-dev-home/portal-e2e-client-secret-sync-rbac.yaml
new file mode 100644
index 0000000..045bd0a
--- /dev/null
+++ b/services/bstein-dev-home/portal-e2e-client-secret-sync-rbac.yaml
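Review bot: Neither `client_id` nor `client_secret` is validated before being written into the destination Secret, so if the source Secret exists but lacks one of those keys the jsonpath lookup prints an empty string and exits 0 (kubectl's default `--allow-missing-template-keys=true`), `set -e` does not fire, and the sync silently overwrites the destination with empty values. Add `: "${client_id:?missing client_id in ${SOURCE_NAMESPACE}/${SECRET_NAME}}"` and the same guard for `client_secret` directly after the two lookups. The line rendered as `cat </dev/null` is not a heredoc opener and `DEST_NAMESPACE` is otherwise unused, which looks like a rendering artefact (a `<<EOF | kubectl -n "${DEST_NAMESPACE}" apply -f - >` fragment stripped as markup) — worth confirming the committed script is intact. If that is a client-side `kubectl apply`, the `last-applied-configuration` annotation keeps a second copy of the secret data on the same object; `kubectl apply --server-side` avoids that.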
@@ -0,0 +1,24 @@
+# services/bstein-dev-home/portal-e2e-client-secret-sync-rbac.yaml
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: portal-e2e-client-secret-sync-target
+ namespace: bstein-dev-home
+rules:
+ - apiGroups: [""]
+ resources: ["secrets"]
+ verbs: ["get", "create", "patch", "update"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: portal-e2e-client-secret-sync-target
+ namespace: bstein-dev-home
+subjects:
+ - kind: ServiceAccount
+ name: portal-e2e-client-secret-sync
+ namespace: sso
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: portal-e2e-client-secret-sync-target
diff --git a/services/keycloak/kustomization.yaml b/services/keycloak/kustomization.yaml
index b9266b8..24490de 100644
--- a/services/keycloak/kustomization.yaml
+++ b/services/keycloak/kustomization.yaml
@@ -8,6 +8,8 @@ resources:
 - deployment.yaml
 - realm-settings-job.yaml
 - portal-e2e-client-job.yaml
+ - portal-e2e-client-secret-sync-rbac.yaml
+ - portal-e2e-client-secret-sync-cronjob.yaml
 - portal-e2e-target-client-job.yaml
 - portal-e2e-token-exchange-permissions-job.yaml
 - portal-e2e-token-exchange-test-job.yaml
@@ -23,3 +25,6 @@ configMapGenerator:
 files:
 - test_portal_token_exchange.py=../../scripts/tests/test_portal_token_exchange.py
 - test_keycloak_execute_actions_email.py=../../scripts/tests/test_keycloak_execute_actions_email.py
+ - name: portal-e2e-client-secret-sync-script
+ files:
+ - sso_portal_e2e_client_secret_sync.sh=../../scripts/sso_portal_e2e_client_secret_sync.sh
diff --git a/services/keycloak/portal-e2e-client-secret-sync-cronjob.yaml b/services/keycloak/portal-e2e-client-secret-sync-cronjob.yaml
new file mode 100644
index 0000000..cbe47b9
--- /dev/null
+++ b/services/keycloak/portal-e2e-client-secret-sync-cronjob.yaml
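Review bot: The target Role's single rule grants `get`, `patch` and `update` on every Secret in `bstein-dev-home`, whereas the matching source Role in `sso` (elsewhere in this commit) is narrowed with `resourceNames: ["portal-e2e-client"]`; a compromised sync pod, or anyone holding that `sso` service-account token, could read or overwrite any Secret in the destination namespace. Split the rule so the name-scopable verbs are restricted and only `create` stays unscoped, since RBAC cannot match `resourceNames` on create (the object name is not known at authorization time). The RoleBinding's subject crosses namespaces (`namespace: sso`), so a comment naming the CronJob that depends on this grant would help the next auditor.

```yaml
rules:
  # get/patch/update can be name-scoped: only the synced Secret is writable
  - apiGroups: [""]
    resources: ["secrets"]
    resourceNames: ["portal-e2e-client"]
    verbs: ["get", "patch", "update"]
  # create cannot be restricted by resourceNames (name unknown at authz time)
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["create"]
# … unchanged: RoleBinding …
```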
@@ -0,0 +1,32 @@
+# services/keycloak/portal-e2e-client-secret-sync-cronjob.yaml
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+ name: portal-e2e-client-secret-sync
+ namespace: sso
+spec:
+ schedule: "*/10 * * * *"
+ concurrencyPolicy: Forbid
+ successfulJobsHistoryLimit: 1
+ failedJobsHistoryLimit: 3
+ jobTemplate:
+ spec:
+ backoffLimit: 1
+ template:
+ spec:
+ serviceAccountName: portal-e2e-client-secret-sync
+ restartPolicy: Never
+ containers:
+ - name: sync
+ image: bitnami/kubectl:1.33.1
+ command: ["/usr/bin/env", "bash"]
+ args: ["/scripts/sso_portal_e2e_client_secret_sync.sh"]
+ volumeMounts:
+ - name: script
+ mountPath: /scripts
+ readOnly: true
+ volumes:
+ - name: script
+ configMap:
+ name: portal-e2e-client-secret-sync-script
+ defaultMode: 0555
diff --git a/services/keycloak/portal-e2e-client-secret-sync-rbac.yaml b/services/keycloak/portal-e2e-client-secret-sync-rbac.yaml
new file mode 100644
index 0000000..e2d39bb
--- /dev/null
+++ b/services/keycloak/portal-e2e-client-secret-sync-rbac.yaml
@@ -0,0 +1,31 @@
+# services/keycloak/portal-e2e-client-secret-sync-rbac.yaml
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: portal-e2e-client-secret-sync
+ namespace: sso
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: portal-e2e-client-secret-sync-source
+ namespace: sso
+rules:
+ - apiGroups: [""]
+ resources: ["secrets"]
+ resourceNames: ["portal-e2e-client"]
+ verbs: ["get"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: portal-e2e-client-secret-sync-source
+ namespace: sso
+subjects:
+ - kind: ServiceAccount
+ name: portal-e2e-client-secret-sync
+ namespace: sso
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: portal-e2e-client-secret-sync-source
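Review bot: The `sync` container has no `securityContext` and its image is pinned only by a mutable tag (`bitnami/kubectl:1.33.1`), yet its service-account token can read the Keycloak client secret in `sso` and write Secrets in `bstein-dev-home`, so a re-pushed tag would run unreviewed code with those credentials. Pin the image by digest and add a restrictive container `securityContext` so the job passes the `restricted` Pod Security Standard. `readOnlyRootFilesystem: true` may need an `emptyDir` for kubectl's discovery cache under `$HOME/.kube`; drop that one setting if the job starts failing on it. No `resources` requests/limits are set either, which matters less for a one-shot job but is cheap to add.

```yaml
containers:
  - name: sync
    image: bitnami/kubectl:1.33.1@sha256:<digest>  # pin by digest, not just tag
    securityContext:
      runAsNonRoot: true
      allowPrivilegeEscalation: false
      readOnlyRootFilesystem: true
      capabilities:
        drop: ["ALL"]
      seccompProfile:
        type: RuntimeDefault
    # … unchanged: command, args, volumeMounts …
```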
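Review bot: The ServiceAccount at the top of this hunk is also bound, by the RoleBinding in `services/bstein-dev-home/portal-e2e-client-secret-sync-rbac.yaml` elsewhere in this commit, to a Role that can write Secrets in `bstein-dev-home`, but nothing in this file says so; someone auditing the `sso` namespace sees only a read-only, name-scoped account. Add above the ServiceAccount `# NOTE: also bound in bstein-dev-home (services/bstein-dev-home/portal-e2e-client-secret-sync-rbac.yaml) with Secret write access` so the cross-namespace grant is discoverable from either side. The `resourceNames: ["portal-e2e-client"]` scoping on the source Role is the right pattern; keep it in step with the `SECRET_NAME` default the sync script uses, since the Role does not follow that variable.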