diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb
index f6628297..1c35d994 100644
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -12,6 +12,7 @@ class ApplicationController < ActionController::Base
 before_action :set_locale
 before_action :configure_permitted_parameters, if: :devise_controller?
+ before_action :check_neopass_access, if: :devise_controller?
 before_action :save_return_to_path, if: ->(c) { c.controller_name == 'sessions' && c.action_name == 'new' }
@@ -87,6 +88,12 @@ class ApplicationController < ActionController::Base
 devise_parameter_sanitizer.permit(:account_update, keys: [:email])
 end
+ def check_neopass_access
+ @can_use_neopass = (
+ params[:neopass] == Rails.configuration.neopass_access_secret
+ )
+ end
+
 def save_return_to_path
 if params[:return_to]
 Rails.logger.debug "Saving return_to path: #{params[:return_to].inspect}"
diff --git a/app/controllers/devise/omniauth_callbacks_controller.rb b/app/controllers/devise/omniauth_callbacks_controller.rb
new file mode 100644
index 00000000..4cc05da7
--- /dev/null
+++ b/app/controllers/devise/omniauth_callbacks_controller.rb
@@ -0,0 +1,8 @@
+class Devise::OmniauthCallbacksController < ApplicationController
+ # See https://github.com/omniauth/omniauth/wiki/FAQ#rails-session-is-clobbered-after-callback-on-developer-strategy
+ skip_before_action :verify_authenticity_token, only: :developer
+
+ def developer
+ render plain: "Success!"
+ end
+end
diff --git a/app/models/auth_user.rb b/app/models/auth_user.rb
index 7de07bc1..b68266ea 100644
--- a/app/models/auth_user.rb
+++ b/app/models/auth_user.rb
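Review bot: `check_neopass_access` in application_controller.rb compares with `==`, so when `Rails.configuration.neopass_access_secret` is nil and the request carries no `neopass` parameter, `nil == nil` switches the feature on for every visitor. The comparison is also not constant-time, and `params[:neopass]` can arrive as an array or hash rather than a string. I would fail closed and compare strings: `secret = Rails.configuration.neopass_access_secret.to_s` followed by `@can_use_neopass = secret.present? && ActiveSupport::SecurityUtils.secure_compare(params[:neopass].to_s, secret)`. A short comment such as `# Only controls what the view renders; does not halt the request.` would also help, since the `before_action` added in the first hunk never blocks anything.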
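Review bot: Nothing gates the `developer` callback in omniauth_callbacks_controller.rb itself: the NeoPass secret only decides whether sessions/new.html.erb renders the button, while this action (with CSRF verification skipped) and `omniauth_providers: [:developer]` in auth_user.rb apply to every request in every environment. OmniAuth's developer strategy performs no identity verification, so this is harmless only while the action does nothing beyond `render plain:`. I would record that constraint above the action, e.g. `# Developer strategy verifies nothing; do not sign anyone in from this action.`, and restrict the provider list outside development and test, e.g. `omniauth_providers: (Rails.env.production? ? [] : [:developer])`, unless production exposure is intended. Whether the strategy is actually registered in production is decided outside this diff (presumably in the Devise initializer), so that should be confirmed there.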
@@ -2,7 +2,8 @@ class AuthUser < AuthRecord
 self.table_name = 'users'
 devise :database_authenticatable, :encryptable, :registerable, :validatable,
- :rememberable, :trackable, :recoverable, omniauthable: [:developer]
+ :rememberable, :trackable, :recoverable, :omniauthable,
+ omniauth_providers: [:developer]
 validates :name, presence: true, uniqueness: {case_sensitive: false}, length: {maximum: 20}
diff --git a/app/views/devise/sessions/new.html.erb b/app/views/devise/sessions/new.html.erb
index 1296b896..b36b3f1f 100644
--- a/app/views/devise/sessions/new.html.erb
+++ b/app/views/devise/sessions/new.html.erb
@@ -1,5 +1,12 @@

Log in

+<% if @can_use_neopass %>
+ <%= button_to "Log in with NeoPass",
+ auth_user_developer_omniauth_authorize_path,
+ data: {turbo: false} # important for developer strategy
+ %>
+<% end %>
+
 <%= form_for(resource, as: resource_name, url: session_path(resource_name)) do |f| %>
<%= f.label :name, 'Username' %>
diff --git a/app/views/devise/shared/_links.html.erb b/app/views/devise/shared/_links.html.erb
index 7a75304b..933dda99 100644
--- a/app/views/devise/shared/_links.html.erb
+++ b/app/views/devise/shared/_links.html.erb
@@ -17,9 +17,3 @@
 <%- if devise_mapping.lockable? && resource_class.unlock_strategy_enabled?(:email) && controller_name != 'unlocks' %>
 <%= link_to "Didn't receive unlock instructions?", new_unlock_path(resource_name) %>
<% end %>
-
-<%- if devise_mapping.omniauthable? %>
- <%- resource_class.omniauth_providers.each do |provider| %>
- <%= button_to "Sign in with #{OmniAuth::Utils.camelize(provider)}", omniauth_authorize_path(resource_name, provider), data: { turbo: false } %>
- <% end %>
-<% end %>
diff --git a/config/credentials.yml.enc b/config/credentials.yml.enc
index 6874e54c..8c828988 100644
--- a/config/credentials.yml.enc
+++ b/config/credentials.yml.enc
@@ -1 +1 @@ -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--xXvKjFS/mwn+dHoa--u457xDa2Q8CLtVbYkL6pig== \ No newline at end of file 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--VLKM05ugRRSrks6H--/nICajJes+PjNkh9lyRi0Q== \ No newline at end of file
diff --git a/config/environments/development.rb b/config/environments/development.rb
index dbdfcab7..11162255 100644
--- a/config/environments/development.rb
+++ b/config/environments/development.rb
@@ -116,4 +116,7 @@ Rails.application.configure do
 # When developing the `public_data:commit` command, save to the local `tmp`
 # folder. (In production, we keep this in a long-term location instead!)
 config.public_data_root = Rails.root / "tmp" / "public_data"
+
+ # To see NeoPass features, add ?neopass=1 to relevant pages.
+ config.neopass_access_secret = "1"
 end
diff --git a/config/environments/production.rb b/config/environments/production.rb
index 1a11dbb1..be3a6aff 100644
--- a/config/environments/production.rb
+++ b/config/environments/production.rb
@@ -134,4 +134,7 @@ Rails.application.configure do
 # Save our public data exports in `public/public-data`. (This should be
 # symlinked to a shared folder persisted across all versions.)
 config.public_data_root = Rails.root / "public" / "public-data"
+
+ # To see NeoPass features, add ?neopass= to relevant pages.
+ config.neopass_access_secret = Rails.credentials.neopass.access_secret
 end
diff --git a/config/environments/test.rb b/config/environments/test.rb
index 2f300377..e1aac422 100644
--- a/config/environments/test.rb
+++ b/config/environments/test.rb
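Review bot: In production.rb the secret travels in the query string (`?neopass=`), so it lands in request logs, browser history and `Referer` headers sent to other hosts. Adding `:neopass` to `config.filter_parameters` keeps it out of the Rails log at least, and the comment here could say that the value is a preview flag rather than an access control. Separately, `Rails.credentials.neopass.access_secret` raises `NoMethodError` at boot when the `neopass` section is absent and yields nil when only `access_secret` is missing; `Rails.credentials.dig(:neopass, :access_secret)` with an explicit presence check would make both cases deliberate.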
@@ -71,4 +71,7 @@ Rails.application.configure do
 # we keep this in a long-term location instead!)
 config.neopets_media_archive_root = Rails.root / "tmp" / "neopets_media_archive" / "test"
+
+ # To see NeoPass features, add ?neopass=1 to relevant pages.
+ config.neopass_access_secret = "1"
 end