diff --git a/apps/knowledge/knowledge.yaml b/apps/knowledge/knowledge.yaml
index 84159be..bcd2913 100644
--- a/apps/knowledge/knowledge.yaml
+++ b/apps/knowledge/knowledge.yaml
@@ -40,6 +40,17 @@ metadata:
   labels:
     app.kubernetes.io/part-of: bluejay-infra
 ---
+# MCP API key — synced from 1Password so /mcp stays gated without baking
+# secrets into Git. The PASSWORD category maps the concealed field to Secret
+# key `password`, which the Deployment reads into FlowerCore:Mcp:ApiKey:Key.
+apiVersion: onepassword.com/v1
+kind: OnePasswordItem
+metadata:
+  name: knowledge-mcp-api-key
+  namespace: knowledge
+spec:
+  itemPath: "vaults/IAmWorkin/items/KnowledgeApiKey"
+---
 apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
@@ -124,6 +135,11 @@ spec:
             # workstation GPU when present.
             - name: FlowerCore__Ollama__BaseUrl
               value: "http://10.0.57.17:11434"
+            - name: FlowerCore__Mcp__ApiKey__Key
+              valueFrom:
+                secretKeyRef:
+                  name: knowledge-mcp-api-key
+                  key: password
           resources:
             requests:
               cpu: 100m