diff --git a/stacks/tripit/authentik.tf b/stacks/tripit/authentik.tf
index 6b2a9921..a426101a 100644
--- a/stacks/tripit/authentik.tf
+++ b/stacks/tripit/authentik.tf
@@ -65,6 +65,13 @@ resource "authentik_provider_oauth2" "tripit_app" {
 matching_mode = "strict"
 url = "me.viktorbarzin.tripit://callback"
 },
+ {
+ # "Log in with Authentik" on the website: TripIt is the OIDC client and
+ # mints its own session on callback (tripit ADR-0028, #90). Same public
+ # tripit-app provider as the Shell — just the web redirect URI added.
+ matching_mode = "strict"
+ url = "https://tripit.viktorbarzin.me/api/auth/callback/authentik"
+ },
 ]
 
 access_token_validity = "hours=1"
diff --git a/stacks/tripit/main.tf b/stacks/tripit/main.tf
index ced66a04..d2acbf7d 100644
--- a/stacks/tripit/main.tf
+++ b/stacks/tripit/main.tf
@@ -216,6 +216,10 @@ resource "kubernetes_manifest" "external_secret" {
 }
 }
 data = [
+ # HS256 key signing TripIt's OWN session JWTs (tripit ADR-0028, #90).
+ # Delivered via env_from -> SESSION_SIGNING_KEY env; the app fails closed
+ # (TripIt sessions disabled) until this real key replaces the dev default.
+ { secretKey = "SESSION_SIGNING_KEY", remoteRef = { key = "tripit", property = "SESSION_SIGNING_KEY" } },
 { secretKey = "VAPID_PUBLIC_KEY", remoteRef = { key = "tripit", property = "VAPID_PUBLIC_KEY" } },
 { secretKey = "VAPID_PRIVATE_KEY", remoteRef = { key = "tripit", property = "VAPID_PRIVATE_KEY" } },
 { secretKey = "VAPID_SUBJECT", remoteRef = { key = "tripit", property = "VAPID_SUBJECT" } },
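Review bot: The added web redirect URI reuses what the comment itself calls the "public" tripit-app provider, so the server-side callback at `/api/auth/callback/authentik` will be exchanging codes with no client secret and the only things standing between a stolen authorization code and a session are PKCE and the strict URI match (the provider's `client_type` and PKCE setting are outside this hunk, so confirm both). A website backend can hold a secret, and giving it its own confidential `authentik_provider_oauth2` would also keep the mobile and web clients on separate client IDs, so one can be rotated or revoked without the other. If the shared public provider is a deliberate choice, record the dependency where the redirect is added, e.g. `# Public client: the web callback is protected by PKCE + strict URI match only, not a client secret.` The `tripit_app` resource starts before and continues after this hunk.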
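Review bot: The new SESSION_SIGNING_KEY entry says nothing about what a valid key looks like, and nothing in this manifest enforces it — the "fails closed until this real key replaces the dev default" behaviour lives in the app, not here, so the wording reads as a guarantee this file does not provide. Whoever populates the `tripit` secret store needs the constraint up front: HS256 requires a key at least as long as the hash output (32 random bytes per RFC 7518 §3.2), and because it is a single symmetric key, rotating it invalidates every existing TripIt web session at once. I would extend the comment with `# Must be >= 32 random bytes (HS256, RFC 7518 §3.2); rotating it logs out every TripIt web session.` and rephrase the fail-closed sentence as the app-side contract it relies on rather than something this resource ensures. The `external_secret` resource begins before this hunk and its `data` list may continue after it.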