diff --git a/services/keycloak/oneoffs/metis-oidc-secret-ensure-job.yaml b/services/keycloak/oneoffs/metis-oidc-secret-ensure-job.yaml
index f63f244d..1a552245 100644
--- a/services/keycloak/oneoffs/metis-oidc-secret-ensure-job.yaml
+++ b/services/keycloak/oneoffs/metis-oidc-secret-ensure-job.yaml
@@ -1,11 +1,11 @@
 # services/keycloak/oneoffs/metis-oidc-secret-ensure-job.yaml
-# One-off job for sso/metis-oidc-secret-ensure-1.
+# One-off job for sso/metis-oidc-secret-ensure-2.
 # Purpose: ensure the Metis oauth2-proxy OIDC client and Vault secret exist.
 # Keep this completed Job around; bump the suffix if it ever needs to be rerun.
 apiVersion: batch/v1
 kind: Job
 metadata:
- name: metis-oidc-secret-ensure-1
+ name: metis-oidc-secret-ensure-2
 namespace: sso
 spec:
 backoffLimit: 0
@@ -122,8 +122,17 @@ spec:
 exit 1
 fi
- COOKIE_SECRET="$(curl -sS -H "X-Vault-Token: ${vault_token}" \
- "${vault_addr}/v1/kv/data/atlas/maintenance/metis-oidc" | jq -r '.data.data.cookie_secret // empty')"
+ read_status="$(curl -sS -o /tmp/metis-oidc-read.json -w "%{http_code}" \
+ -H "X-Vault-Token: ${vault_token}" \
+ "${vault_addr}/v1/kv/data/atlas/maintenance/metis-oidc" || true)"
+ COOKIE_SECRET=""
+ if [ "${read_status}" = "200" ]; then
+ COOKIE_SECRET="$(jq -r '.data.data.cookie_secret // empty' /tmp/metis-oidc-read.json)"
+ elif [ "${read_status}" != "404" ]; then
+ echo "Vault read failed (status ${read_status})" >&2
+ cat /tmp/metis-oidc-read.json >&2 || true
+ exit 1
+ fi
 if [ -n "${COOKIE_SECRET}" ]; then
 length="$(printf '%s' "${COOKIE_SECRET}" | wc -c | tr -d ' ')"
 if [ "${length}" != "16" ] && [ "${length}" != "24" ] && [ "${length}" != "32" ]; then
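Review bot: The Vault read body written to `/tmp/metis-oidc-read.json` contains the existing `client_secret` and `cookie_secret` whenever the status is 200, and that file is created with the default umask at a fixed path and never removed, whereas the replaced version piped the response straight into jq and kept it off disk (the verify response in `/tmp/metis-oidc-verify.json` in the next hunk has the same property). A `umask 077` before the first curl plus `trap 'rm -f /tmp/metis-oidc-read.json /tmp/metis-oidc-write.json /tmp/metis-oidc-verify.json' EXIT` near the start of the script, or `mktemp`-generated paths, would keep the material private to the job process and gone on exit. The start of the script, including whatever `set` options it enables, is outside this hunk. The `|| true` on the curl is fine as written: when no response arrives `read_status` holds neither `200` nor `404` (curl emits `000` for `%{http_code}` in that case), so control reaches the `exit 1` branch.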
@@ -139,5 +148,23 @@ spec:
 --arg client_secret "${CLIENT_SECRET}" \
 --arg cookie_secret "${COOKIE_SECRET}" \
 '{data:{client_id:$client_id,client_secret:$client_secret,cookie_secret:$cookie_secret}}')"
- curl -sS -X POST -H "X-Vault-Token: ${vault_token}" \
- -d "${payload}" "${vault_addr}/v1/kv/data/atlas/maintenance/metis-oidc" >/dev/null
+ write_status="$(curl -sS -o /tmp/metis-oidc-write.json -w "%{http_code}" -X POST \
+ -H "X-Vault-Token: ${vault_token}" \
+ -H 'Content-Type: application/json' \
+ -d "${payload}" "${vault_addr}/v1/kv/data/atlas/maintenance/metis-oidc")"
+ if [ "${write_status}" != "200" ] && [ "${write_status}" != "204" ]; then
+ echo "Vault write failed (status ${write_status})" >&2
+ cat /tmp/metis-oidc-write.json >&2 || true
+ exit 1
+ fi
+
+ verify_status="$(curl -sS -o /tmp/metis-oidc-verify.json -w "%{http_code}" \
+ -H "X-Vault-Token: ${vault_token}" \
+ "${vault_addr}/v1/kv/data/atlas/maintenance/metis-oidc" || true)"
+ if [ "${verify_status}" != "200" ]; then
+ echo "Vault verify failed (status ${verify_status})" >&2
+ cat /tmp/metis-oidc-verify.json >&2 || true
+ exit 1
+ fi
+
+ echo "Metis OIDC secret ready in Vault"
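Review bot: The verify step only checks that the read-back returns 200, which proves the path is readable but not that the values just written are what is stored; in the pre-existing-secret case the same path already returned 200 before the write, so the check cannot tell a successful write from a no-op. Comparing the fields makes it a real round-trip, e.g. after the status test: `jq -e --arg cs "${COOKIE_SECRET}" --arg s "${CLIENT_SECRET}" '.data.data.cookie_secret == $cs and .data.data.client_secret == $s' /tmp/metis-oidc-verify.json >/dev/null || { echo "Vault verify mismatch" >&2; exit 1; }`. The write curl lacks the `|| true` the read and verify calls carry, so if the script runs under `set -e` (set outside this hunk) a transport failure on the write aborts before the diagnostic `cat`, while the other two calls reach it; one convention for all three would read more clearly. Since the write follows an unconditional read, a concurrent writer in between would be silently overwritten; KV v2's `options.cas` set to the version observed at read time would turn the write into check-and-set, if that matters for a one-off Job with `backoffLimit: 0`.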