diff --git a/secrets/clients/README.md b/secrets/clients/README.md new file mode 100644 index 0000000..09cc0ea --- /dev/null +++ b/secrets/clients/README.md 
@@ -0,0 +1,122 @@ +# Client Secrets Directory + +This directory contains SOPS-encrypted secrets files for each deployed client. + +## Files + +### Active Clients + +- **`dev.sops.yaml`** - Development/canary server secrets + - Status: Deployed + - Purpose: Testing and canary deployments + +### Templates + +- **`template.sops.yaml`** - Template for creating new client secrets + - Status: Reference only (not deployed) + - Purpose: Copy this file when onboarding new clients + +## Creating Secrets for a New Client + +```bash +# 1. Copy the template +cp secrets/clients/template.sops.yaml secrets/clients/newclient.sops.yaml + +# 2. Edit with SOPS +export SOPS_AGE_KEY_FILE="./keys/age-key.txt" +sops secrets/clients/newclient.sops.yaml + +# 3. Update all fields: +# - client_name: newclient +# - client_domain: newclient.vrije.cloud +# - authentik_domain: auth.newclient.vrije.cloud +# - nextcloud_domain: nextcloud.newclient.vrije.cloud +# - REGENERATE all passwords and tokens (never reuse!) + +# 4. 
Deploy the client +./scripts/deploy-client.sh newclient +``` + +## Important Security Notes + +⚠️ **Never commit plaintext secrets!** + +- Only `*.sops.yaml` files should be committed +- Temporary files (`*-temp.yaml`, `*.tmp`) are gitignored +- Always verify secrets are encrypted: `file secrets/clients/*.sops.yaml` + +⚠️ **Always regenerate secrets for new clients!** + +- Never copy passwords between clients +- Use strong random passwords (32+ characters) +- Each client must have unique credentials + +## File Naming Convention + +- **Production clients**: `clientname.sops.yaml` +- **Development/test**: `dev.sops.yaml` +- **Templates**: `template.sops.yaml` +- **Never commit**: `*-temp.yaml`, `*.tmp`, `*_plaintext.yaml` + +## Viewing Secrets + +```bash +# View encrypted file (shows SOPS metadata) +cat secrets/clients/dev.sops.yaml + +# Decrypt and view (requires age key) +export SOPS_AGE_KEY_FILE="./keys/age-key.txt" +sops -d secrets/clients/dev.sops.yaml +``` + +## Required Secrets per Client + +Each client secrets file must contain: + +### Authentik (Identity Provider) +- `authentik_db_password` - PostgreSQL database password +- `authentik_secret_key` - Django secret key +- `authentik_bootstrap_password` - Initial admin (akadmin) password +- `authentik_bootstrap_token` - API token for automation +- `authentik_bootstrap_email` - Admin email address + +### Nextcloud (File Storage) +- `nextcloud_admin_user` - Admin username (usually "admin") +- `nextcloud_admin_password` - Admin password +- `nextcloud_db_password` - MariaDB database password +- `nextcloud_db_root_password` - MariaDB root password +- `redis_password` - Redis cache password + +### Optional +- `collabora_admin_password` - Collabora Online admin password (if using) + +## Troubleshooting + +### "No such file or directory: age-key.txt" +```bash +# Ensure SOPS_AGE_KEY_FILE is set correctly +export SOPS_AGE_KEY_FILE="./keys/age-key.txt" +# Or use absolute path +export 
SOPS_AGE_KEY_FILE="/full/path/to/infrastructure/keys/age-key.txt" +``` + +### "Failed to decrypt" +- Verify you have the correct age private key +- Check that `.sops.yaml` references the correct age public key +- Ensure the file was encrypted with the same age key + +### "File contains plaintext secrets" +```bash +# Check if file is properly encrypted +file secrets/clients/dev.sops.yaml +# Should show: ASCII text (with SOPS encryption metadata) + +# Re-encrypt if needed +sops -e -i secrets/clients/dev.sops.yaml +``` + +## See Also + +- [../README.md](../../secrets/README.md) - Secrets management overview +- [../../docs/architecture-decisions.md](../../docs/architecture-decisions.md) - SOPS decision rationale +- [SOPS Documentation](https://github.com/getsops/sops) diff --git a/secrets/clients/test.sops.yaml b/secrets/clients/template.sops.yaml similarity index 100% rename from secrets/clients/test.sops.yaml rename to secrets/clients/template.sops.yaml diff --git a/secrets/clients/test-temp.sops.yaml b/secrets/clients/test-temp.sops.yaml deleted file mode 100644 index e69de29..0000000
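Review bot: the encryption check this README recommends twice (`file secrets/clients/*.sops.yaml` under "Important Security Notes", and the troubleshooting entry whose comment reads `# Should show: ASCII text (with SOPS encryption metadata)`) does not verify anything: `file` reports plain `ASCII text` for a plaintext YAML and for a SOPS-encrypted one alike, and it never prints SOPS metadata, so a committed plaintext file would pass. Replace it with a check that looks for the encrypted markers, for example `grep -L 'ENC\[' secrets/clients/*.sops.yaml` to list any client file containing no encrypted values, and consider running that same check from a pre-commit hook so the "Never commit plaintext secrets!" rule is enforced rather than only stated. Two smaller points in the same hunk: the README sets `SOPS_AGE_KEY_FILE="./keys/age-key.txt"` inside the repository tree but says nothing about keeping that private key out of version control, so add a line to the security notes stating that `keys/` is never committed; and in "See Also" the link text `../README.md` and the target `../../secrets/README.md` disagree (both resolve to `secrets/README.md` from this directory), so use `../README.md` for both.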
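Review bot: the rename of `secrets/clients/test.sops.yaml` to `template.sops.yaml` at 100% similarity means the "template" still holds the encrypted credentials of the former test client rather than placeholder values, which sits badly with the README's own "REGENERATE all passwords and tokens (never reuse!)" step: an operator who copies the template and edits only `client_name` and the domain fields ends up with a working client that shares secrets with the old test deployment. Replace every secret value in the template with an obvious placeholder (for example `CHANGE_ME`) so a copied-but-unedited file cannot deploy, and confirm the old test credentials were rotated wherever they were in use.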
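Review bot: the deleted `secrets/clients/test-temp.sops.yaml` (blob `e69de29`, the hash of an empty file, so no content was exposed) shows that the ignore patterns the README lists under "Never commit" (`*-temp.yaml`, `*.tmp`, `*_plaintext.yaml`) do not cover the temp-file naming actually used here: `test-temp.sops.yaml` ends in `.sops.yaml`, matches none of those globs, and was tracked by git. Widen the gitignore pattern (for example `*-temp*.yaml`) and update the README's "Never commit" list to match, so a non-empty temp copy with this suffix cannot be committed next time.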