diff --git a/config/credentials.yml.enc b/config/credentials.yml.enc
index 8c828988..60e0bcc1 100644
--- a/config/credentials.yml.enc
+++ b/config/credentials.yml.enc
@@ -1 +1 @@
-p001YS2L7h/DJ9mWOUxcWD/wBNXQ41BOsN9vjnW9QWtECNNzMjRsPVZ8vkOXmRt5mHAOmvzAUhRbKmWE0PaUHMpJAVlct1mCpXlE2rHwKESuZ4S1tJFiSCfu0Uu97Nbw3kQScMJ9cB801QPpjDq5FxoCEz4XtuCEc8nuh23Ni8I77Jw9NG4VfiFFQHFhNk8xhAoAIiYekEoliRYJc1osmzSb8FcDlIV/GompPN4G2EaBcFvX1CMP2F2AYHR8EVvaeTmIv0GsdLL8NnEnsuqd+GZMljIr346aOSOzmUC76rgubpEdqG4mBZzzUjQxvXqnuawOmbQWAbDkDcSoZYwVhc2/QmR3VtFtV/YaBX27h2cp9Ef14FgpK7y1KO1vE7row8lxq4rwtZaGT0nbXf//4gpdDdrRKEOJRjwi5l+ydPgfa4aHQohFZ+4a7App3N5dovG1/c9W/a4T/7i5aBxYeiCKD6+byss74jJaqZ34eNxVQOZxoi+HfHPQwMRwsGVxKzGJaGLijwjuYq5iAdSBiMY2WouF17gNJKXgEILFvy/xAyHnUDM3K/traeC7ULRztdGGxHHIC2D26+s5mS5zI9OAM2lXI6ms4jKEui/BYKuQ/sHpB4Cg7wdk0JQ5SPW/8b35oW6Cuz31NrzUju5WXtXtGvlMPBKUWz8q8wIGEtM5Bc/5ASDS9Ag8J8seW2gprab2Ja7apUXPBUGuR5aU6JKLGNpAM/vV9lavgrm/rvXNlkPvgoULpBhtZI5EfuiSncke7NCuJUEw4fZr5KeRze5U7qyk1Jg+Fz2nQGvOn0T1PDvezN5yT+b/0YZnyTI9zmhur4KY4Z9OZgsMTG073qkdZF6y3qeWKHpWrhXKWc8i/CAVsUKrWQpSDWDhvzhhanR936OEoqqpKoGunsba1fh5oOdrTBiFnH+MfI/IAh7tjUjcQx6bu8/1rdaZ7omBdaeDx36SekoOqndCBgrMX0mri5hoG2LIVA==--VLKM05ugRRSrks6H--/nICajJes+PjNkh9lyRi0Q==
\ No newline at end of file
+nyb0iYp3ohic5yKU42wU1YFnL1YHMvOxyCZOz1Vs/fDgcSHFajsTaBM+smD+/+6xnhOlu9uaHIXCGUZiKnY6pjnJJRrO2w6h20p7tuulbPwJEKszljdnREMSII2ltatK0efb2X+UkqIU+fAr7L+6VglX6tYKSk06BC505HUKWhK+UHkHVx9UiQe6KJhX//+G/jE033kMnj/Krqn6QrJ3xwe1jWwdnAi/glJSLt2zGJDndPVPag/8UBeJqd3VtJOIDFTe0FxGvtc5KFUYrkZ1YJWWCIcGlDWpm0Mt3EEQ2yrqYC0VtSg6EedcDZBqcXF9uY2femXSriOmAw7hTHcF0YG0N0elweq8LCa3Q1sEW+BGibrPwIL14aogySDR7BYoq3LevW94ExnUsIwyGPRFpG+nDWA3HGb/BSySSIkLd70a3943S8a7klmo8fo1CArxfIt/8xyXrF0D6T+9FHnhvaj+pDSBOUxlcqZ3qvmLEWwMfCUBOLpTHo2ZlKpKlDJuJmAZ7/ah+Mg34WWPbsXU+7tUhKEXckvM/gaTvmByhxdBDE/7KsnP50qQods7ODjrDTaxHut9OBrl3ODc9Y14dp66OYIMy4X8sS/N5momi59E9MZaGj6bfaZor0ZxctRRJTjrEHFyvxO0CXYh5kkHLjs5BVB00wWHeNA9qgNEdsGVrYCa4v3RXZ6vc8JmtUXy1vwErC67uaemgWds38OV3/xViZFzbnZtqOiSWTzD8/myhKa75GLZ0vjk8+s96GDqX2+lHz6X+RA7NcCdGO+gW1f3Xm7M/Rp5nAUHSfrLG6Gv/RH8nkvGxkT6dcwZjSJ00+1ENL2qqN20008OX5TuWKeo1/TF4DFxJ+X1ipWqoZhypZOW38sRROqE5uGF1aBga8CbCLWF2p1E3HSi45vbSMnpWau4i+8KQvzfUksa7nk1O6qqEamdoJGb9OJuv//ZYcv1GyDfM/8iFIReIwsM7q/hlB0PjfFkoYsC5WRbRMncKEzzGs8fVpL4O4enDPe4ZopaYHecnPy1oDoxrpl6OOSSOjMxg+0=--+Jx8l9zhIw0wWX6f--2I4PF87PHuXTkmcBI3yhVA==
\ No newline at end of file
diff --git a/config/environments/development.rb b/config/environments/development.rb
index 7dba4447..2571aa7e 100644
--- a/config/environments/development.rb
+++ b/config/environments/development.rb
@@ -121,6 +121,10 @@ Rails.application.configure do
   config.neopass_access_secret = "1"
 
   # Use the local NeoPass development server.
+  #
+  # NOTE: In my testing, using the live NeoPass server here returns "403
+  #       Forbidden", I suspect because the development callback URL didn't
+  #       make it into the live config? Ah, well!
   config.neopass_origin = "https://localhost:8585"
 
   # Set the NeoPass redirect callback URL.
diff --git a/config/environments/production.rb b/config/environments/production.rb
index 7f026729..14dc7d29 100644
--- a/config/environments/production.rb
+++ b/config/environments/production.rb
@@ -137,7 +137,7 @@ Rails.application.configure do
 
   # To see NeoPass features, add ?neopass=<SECRET> to relevant pages.
   config.neopass_access_secret =
-    Rails.application.credentials.neopass.access_secret
+    Rails.application.credentials.neopass.access_secret!
 
   # Use the live NeoPass production server.
   config.neopass_origin = "https://oidc.neopets.com"
diff --git a/config/initializers/devise.rb b/config/initializers/devise.rb
index a39ee956..cc97d3e6 100644
--- a/config/initializers/devise.rb
+++ b/config/initializers/devise.rb
@@ -275,19 +275,25 @@ Devise.setup do |config|
   # up on your models and hooks.
   config.omniauth :openid_connect, {
     name: :neopass,
-    scope: [:openid, :email, :profile],
+    scope: [:openid, :email],
     response_type: :code,
     issuer: Rails.configuration.neopass_origin,
     discovery: true,
     client_options: {
-      identifier: "DTI-TODO",
-      secret: "DTI-TODO",
+      identifier: "19ea1361-f0b1-48f2-9405-b570c655afd9",
+      secret: Rails.application.credentials.dig(:neopass, :client_secret),
       redirect_uri: Rails.configuration.neopass_redirect_uri,
     },
   }
 
-  # Output OmniAuth debug info to the server logs in development
-  OmniAuth.config.logger = Rails.logger if Rails.env.development?
+  # Output OmniAuth debug info to the server logs.
+  #
+  # TODO: We should perhaps evaluate whether these logs contain sensitive
+  #       information in production? I wouldn't think so, and it will be useful
+  #       for debugging NeoPass, but let's keep an eye on that! Consider
+  #       setting this to only be true in development mode, if we're not
+  #       actively using it anymore.
+  OmniAuth.config.logger = Rails.logger
 
   # ==> Warden configuration
   # If you want to use other strategies, that are not supported by Devise, or