diff --git a/config.sh b/config.sh
index 03bf68bf..39b3ce78 100755
--- a/config.sh
+++ b/config.sh
@@ -350,6 +350,21 @@ generate_all_secrets() {
     ((kept+=4))
   fi
 
+  # Gitea SSO + service password salt (isolated from JWT secrets)
+  local sso_secret svc_salt
+  sso_secret=$(generate_secret)
+  svc_salt=$(generate_secret)
+  local sso_changed=false
+  update_env_var_if_empty "GITEA_SSO_SECRET" "$sso_secret" && sso_changed=true
+  update_env_var_if_empty "SERVICE_PASSWORD_SALT" "$svc_salt" && sso_changed=true
+  if [[ "$sso_changed" == "true" ]]; then
+    success "Gitea SSO secret + service password salt"
+    ((generated+=2))
+  else
+    info "Gitea SSO secret + service password salt (kept existing)"
+    ((kept+=2))
+  fi
+
   # Database passwords (24-char alphanum)
   local pg_pass redis_pass
   pg_pass=$(generate_password 24)