diff --git a/changelog.d/5-internal/WPB-10302 b/changelog.d/5-internal/WPB-10302
new file mode 100644
index 00000000000..8780ddd6ac7
--- /dev/null
+++ b/changelog.d/5-internal/WPB-10302
@@ -0,0 +1 @@
+Read sftTokenSecret from secrets.yaml and mount to /etc/wire/brig/secrets/sftTokenSecret by default
diff --git a/charts/brig/templates/configmap.yaml b/charts/brig/templates/configmap.yaml
index 669e047bdc9..32ccd3acc04 100644
--- a/charts/brig/templates/configmap.yaml
+++ b/charts/brig/templates/configmap.yaml
@@ -233,11 +233,11 @@ data:
       {{- if .sftDiscoveryIntervalSeconds }}
       sftDiscoveryIntervalSeconds: {{ .sftDiscoveryIntervalSeconds }}
       {{- end }}
-      {{- if .sftToken }}
+      {{- if $.Values.secrets.sftTokenSecret }}
       sftToken:
         {{- with .sftToken }}
         ttl: {{ .ttl }}
-        secret: {{ .secret }}
+        secret: {{ .secret | default "/etc/wire/brig/secrets/sftTokenSecret" }}
         {{- end }}
       {{- end }}
     {{- end }}
diff --git a/charts/brig/templates/secret.yaml b/charts/brig/templates/secret.yaml
index b596954c7d8..0a566d04a00 100644
--- a/charts/brig/templates/secret.yaml
+++ b/charts/brig/templates/secret.yaml
@@ -20,6 +20,9 @@ data:
   awsKeyId: {{ .awsKeyId | b64enc | quote }}
   awsSecretKey: {{ .awsSecretKey | b64enc | quote }}
   {{- end }}
+  {{- if .sftTokenSecret }}
+  sftTokenSecret: {{ .sftTokenSecret | b64enc | quote }}
+  {{- end }}
   {{- if (not $.Values.config.useSES) }}
   smtp-password.txt: {{ .smtpPassword | b64enc | quote }}
   {{- end }}
diff --git a/charts/brig/values.yaml b/charts/brig/values.yaml
index c5f981d63bd..561eb6c3bbd 100644
--- a/charts/brig/values.yaml
+++ b/charts/brig/values.yaml
@@ -99,6 +99,14 @@ config:
     providerTokenTimeout: 900
     legalholdUserTokenTimeout: 4838400
     legalholdAccessTokenTimeout: 900
+  # sft:
+  #   sftBaseDomain: sft.wire.example.com
+  #   sftSRVServiceName: sft
+  #   sftDiscoveryIntervalSeconds: 10
+  #   sftListLength: 20
+  #   sftToken:
+  #     ttl: 120
+  #     secret: /etc/wire/brig/secrets/sftTokenSecret # this is the default path for secret.sftTokenSecret
   optSettings:
     setActivationTimeout: 1209600
     setTeamInvitationTimeout: 1814400