diff --git a/age-secrets.nix b/age-secrets.nix
index 709c59f..db2b772 100644
--- a/age-secrets.nix
+++ b/age-secrets.nix
@@ -39,10 +39,9 @@
 group = "caddy";
 };
- # TODO! fix permissions
 jellyfin-api-key = {
 file = ./secrets/jellyfin-api-key.age;
- mode = "0444";
+ mode = "0400";
 owner = "root";
 group = "root";
 };
diff --git a/services/jellyfin-qbittorrent-monitor.nix b/services/jellyfin-qbittorrent-monitor.nix
index 430cc15..3ca0818 100644
--- a/services/jellyfin-qbittorrent-monitor.nix
+++ b/services/jellyfin-qbittorrent-monitor.nix
@@ -17,7 +17,7 @@
 serviceConfig = {
 Type = "simple";
 ExecStart = pkgs.writeShellScript "jellyfin-monitor-start" ''
- export JELLYFIN_API_KEY=$(cat ${config.age.secrets.jellyfin-api-key.path})
+ export JELLYFIN_API_KEY=$(cat $CREDENTIALS_DIRECTORY/jellyfin-api-key)
 exec ${
 pkgs.python3.withPackages (ps: with ps; [ requests ])
 }/bin/python ${./jellyfin-qbittorrent-monitor.py}
@@ -37,6 +37,9 @@
 RestrictRealtime = true;
 RestrictSUIDSGID = true;
 RemoveIPC = true;
+
+ # Load credentials from agenix secrets
+ LoadCredential = "jellyfin-api-key:${config.age.secrets.jellyfin-api-key.path}";
 };
 environment = {
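Review bot: In age-secrets.nix the `jellyfin-api-key` entry loses its TODO but gains no comment explaining why a root-only file is still usable by the monitor service; I would add `# root-only: the monitor unit receives this via systemd LoadCredential` above `mode = "0400";`. Until this change the decrypted key was mode 0444, so every local account and service on the host could read it, and rotating the Jellyfin API key once this is deployed would be prudent. Any other consumer of `config.age.secrets.jellyfin-api-key.path` that does not run as root would lose access under 0400; none is visible in this diff, so it is worth checking the rest of the configuration.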
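Review bot: In services/jellyfin-qbittorrent-monitor.nix the new `export JELLYFIN_API_KEY=$(cat $CREDENTIALS_DIRECTORY/jellyfin-api-key)` line hides a failed read, because the exit status of `export` replaces that of `cat`, so the monitor would start with an empty key if the credential is missing; the path expansion is also unquoted. I would write `JELLYFIN_API_KEY="$(cat "$CREDENTIALS_DIRECTORY/jellyfin-api-key")" || exit 1` followed by `export JELLYFIN_API_KEY`. The key still ends up in the process environment, where child processes inherit it; if the Python script can be changed, having it read the file under `$CREDENTIALS_DIRECTORY` itself would avoid that. The ExecStart script body continues outside the hunk.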