diff --git a/services/communication/kustomization.yaml b/services/communication/kustomization.yaml
index 2baa863..7213794 100644
--- a/services/communication/kustomization.yaml
+++ b/services/communication/kustomization.yaml
@@ -6,6 +6,8 @@ resources:
   - synapse-rendered.yaml
   - synapse-signingkey-ensure-job.yaml
   - mas-configmap.yaml
+  - mas-admin-client-secret.yaml
+  - mas-admin-client-secret-ensure-job.yaml
   - mas-deployment.yaml
   - mas-ingress.yaml
   - element-rendered.yaml
diff --git a/services/communication/mas-admin-client-secret-ensure-job.yaml b/services/communication/mas-admin-client-secret-ensure-job.yaml
new file mode 100644
index 0000000..9005b78
--- /dev/null
+++ b/services/communication/mas-admin-client-secret-ensure-job.yaml
@@ -0,0 +1,75 @@
+# services/communication/mas-admin-client-secret-ensure-job.yaml
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: mas-admin-client-secret-writer
+  namespace: comms
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: mas-admin-client-secret-writer
+  namespace: comms
+rules:
+  - apiGroups: [""]
+    resources: ["secrets"]
+    resourceNames: ["mas-admin-client"]
+    verbs: ["get", "patch", "update"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: mas-admin-client-secret-writer
+  namespace: comms
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: mas-admin-client-secret-writer
+subjects:
+  - kind: ServiceAccount
+    name: mas-admin-client-secret-writer
+    namespace: comms
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: mas-admin-client-secret-ensure-1
+  namespace: comms
+spec:
+  backoffLimit: 2
+  template:
+    spec:
+      serviceAccountName: mas-admin-client-secret-writer
+      restartPolicy: OnFailure
+      volumes:
+        - name: work
+          emptyDir: {}
+      initContainers:
+        - name: generate
+          image: alpine:3.20
+          command: ["/bin/sh", "-c"]
+          args:
+            - |
+              set -euo pipefail
+              umask 077
+              openssl rand -hex 32 > /work/client_secret
+          volumeMounts:
+            - name: work
+              mountPath: /work
+      containers:
+        - name: patch
+          image: bitnami/kubectl:latest
+          command: ["/bin/sh", "-c"]
+          args:
+            - |
+              set -euo pipefail
+              if kubectl -n comms get secret mas-admin-client -o jsonpath='{.data.client_secret}' 2>/dev/null | grep -q .; then
+                exit 0
+              fi
+              secret_b64="$(base64 /work/client_secret | tr -d '\n')"
+              payload="$(printf '{"data":{"client_secret":"%s"}}' "${secret_b64}")"
+              kubectl -n comms patch secret mas-admin-client --type=merge -p "${payload}" >/dev/null
+          volumeMounts:
+            - name: work
+              mountPath: /work
+
diff --git a/services/communication/mas-admin-client-secret.yaml b/services/communication/mas-admin-client-secret.yaml
new file mode 100644
index 0000000..7f4ec19
--- /dev/null
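Review bot: The stored value carries a trailing newline: `openssl rand -hex 32 > /work/client_secret` writes 64 hex characters plus `\n`, and `base64 /work/client_secret | tr -d '\n'` only strips newlines from the base64 output, so the decoded `client_secret` is 65 bytes; whether that breaks anything depends on how mas-deployment consumes the key (outside this hunk), but `secret_b64="$(tr -d '\n' < /work/client_secret | base64 | tr -d '\n')"` removes the ambiguity. The generate container will likely fail before that point, because as far as I know the `alpine:3.20` base image ships libcrypto but not the `openssl` binary; either `apk add --no-cache openssl` first (needs egress from the pod) or generate with busybox tools, `head -c 32 /dev/urandom | od -An -tx1 | tr -d ' \n' > /work/client_secret`. `bitnami/kubectl:latest` is a floating tag on the container that holds a token able to write this Secret; pin it to a fixed tag or digest matching the cluster's minor version so the code that runs with that permission is reproducible. `set -euo pipefail` under `/bin/sh` also assumes a shell that knows `pipefail`; if that image's `/bin/sh` is dash, the line aborts the script before it does anything, so confirm the shell or drop `-o pipefail` in the patch container. A `securityContext` (runAsNonRoot, allowPrivilegeEscalation: false, drop all capabilities) on both containers would let this Job run under the restricted Pod Security Standard.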
+++ b/services/communication/mas-admin-client-secret.yaml
@@ -0,0 +1,9 @@
+# services/communication/mas-admin-client-secret.yaml
+apiVersion: v1
+kind: Secret
+metadata:
+  name: mas-admin-client
+  namespace: comms
+type: Opaque
+data: {}
+
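Review bot: `data: {}` declares the Secret with no keys while the companion Job writes `data.client_secret` into the live object, so declared and live state permanently differ. With client-side `kubectl apply` the three-way merge leaves the Job-written key alone, but a server-side apply or a GitOps controller that enforces the declared state may report drift or strip the key — worth confirming against whatever applies this kustomization. At minimum document the contract in the file, `# data.client_secret is populated at runtime by mas-admin-client-secret-ensure-job.yaml; keep data empty here`, so nobody "fixes" the empty data or adds the value to this manifest.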