diff --git a/infra/k3s/20-secrets.yaml.example b/infra/k3s/20-secrets.yaml.example
index 47b26f1..c78a419 100644
--- a/infra/k3s/20-secrets.yaml.example
+++ b/infra/k3s/20-secrets.yaml.example
@@ -27,5 +27,9 @@ stringData:
 JWT_APP_SECRET: "REPLACE_WITH_VALUE_FROM_EMBERTIME"
 # HMAC secret shared between coturn and Prosody. Prosody mints
 # time-limited TURN credentials; coturn validates with the same key.
- # Generate fresh via generate-secrets.sh.
+ # Set under BOTH key names — same value:
+ # - TURN_CREDENTIALS (Prosody mod_external_services convention)
+ # - TURN_CREDENTIALS_SECRET (coturn / our manifest convention)
+ # generate-secrets.sh writes both for you.
+ TURN_CREDENTIALS: "REPLACE_WITH_32_RANDOM_CHARS"
 TURN_CREDENTIALS_SECRET: "REPLACE_WITH_32_RANDOM_CHARS"
diff --git a/scripts/generate-secrets.sh b/scripts/generate-secrets.sh
index 4b1a830..a023807 100755
--- a/scripts/generate-secrets.sh
+++ b/scripts/generate-secrets.sh
@@ -32,5 +32,9 @@ stringData:
 JICOFO_AUTH_PASSWORD: "${JICOFO_AUTH_PASSWORD}"
 JVB_AUTH_USER: "jvb"
 JVB_AUTH_PASSWORD: "${JVB_AUTH_PASSWORD}"
+ # Same HMAC value under two keys: Prosody's mod_external_services
+ # template reads TURN_CREDENTIALS; coturn's start-script reads
+ # TURN_CREDENTIALS_SECRET. Both must match.
+ TURN_CREDENTIALS: "${TURN_CREDENTIALS_SECRET}"
 TURN_CREDENTIALS_SECRET: "${TURN_CREDENTIALS_SECRET}"
 EOF
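Review bot: Keeping the TURN HMAC secret under two keys lets a hand-edited copy of this example end up with `TURN_CREDENTIALS` and `TURN_CREDENTIALS_SECRET` out of sync, and the new comment does not say what that failure looks like. I would add a line such as `# If the two values differ, coturn cannot validate the credentials Prosody mints.` and a reminder that rotation must change both keys in the same edit. If the Prosody workload receives this value through explicit `env` entries (not visible in this diff), a `secretKeyRef` pointing at `TURN_CREDENTIALS_SECRET` would remove the second copy entirely.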
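Review bot: The added comment lines sit inside a heredoc that the shell expands (the neighbouring `"${JVB_AUTH_PASSWORD}"` lines rely on that), so they are subject to parameter and command substitution and are also written into the generated secrets file. The current wording is safe, but a later edit that puts a backtick or `$` into that comment would be expanded when the script runs. I would move the explanation to a shell comment above the heredoc, or add there `# NOTE: this heredoc is shell-expanded; keep comments inside it free of $ and backticks.` The heredoc starts outside this hunk, so its delimiter and the way the file is created are not visible here.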