diff --git a/Dockerfile b/Dockerfile
index fa5223a..4a40e33 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -20,6 +20,7 @@ FROM registry.access.redhat.com/ubi9/ubi-minimal:9.3
 COPY --from=builder /workspace/bin/ciam-rebac /usr/local/bin/
 COPY --from=builder /workspace/configs/config.yaml /usr/local/bin/
+ENV SPICEDB_PRESHARED $SPICEDB_PRESHARED
 EXPOSE 8000
 EXPOSE 9000
diff --git a/Makefile b/Makefile
index 4baccb9..d21eff5 100644
--- a/Makefile
+++ b/Makefile
@@ -85,9 +85,8 @@ kind/spicedb:
 .PHONY: run
 # run api locally
-run:
- ./bin/ciam-rebac -conf configs
-
+run: build
+ ./bin/ciam-rebac -conf configs
 # show help
 help:
 @echo ''
diff --git a/cmd/ciam-rebac/main.go b/cmd/ciam-rebac/main.go
index bc0222b..e8a90f8 100644
--- a/cmd/ciam-rebac/main.go
+++ b/cmd/ciam-rebac/main.go
@@ -2,6 +2,7 @@ package main
 import (
 "flag"
+ "github.com/go-kratos/kratos/v2/config/env"
 "os"
 "ciam-rebac/internal/conf"
@@ -60,6 +61,7 @@ func main() {
 )
 c := config.New(
 config.WithSource(
+ env.NewSource("SPICEDB_"),
 file.NewSource(flagconf),
 ),
 )
@@ -74,6 +76,14 @@ func main() {
 panic(err)
 }
+ preshared, err := c.Value("PRESHARED").String()
+ if err != nil {
+ log.NewHelper(logger).Errorf("Failed to read preshared key env %d", err)
+ }
+ if preshared != "" {
+ bc.Data.SpiceDb.Token = preshared
+ }
+
 app, cleanup, err := wireApp(bc.Server, bc.Data, logger)
 if err != nil {
 panic(err)
diff --git a/configs/config.yaml b/configs/config.yaml
index 6460a6d..241e6e2 100644
--- a/configs/config.yaml
+++ b/configs/config.yaml
@@ -9,4 +9,4 @@ data:
 spiceDb:
 useTLS: false
 endpoint: spicedb:50051
- tokenFile: /spicedb_pre_shared
+ token: "${SPICEDB_PRESHARED:foobar}"
diff --git a/docker-compose.yaml b/docker-compose.yaml
index 7267c73..d147633 100644
--- a/docker-compose.yaml
+++ b/docker-compose.yaml
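Review bot: `ENV SPICEDB_PRESHARED $SPICEDB_PRESHARED` is expanded at image build time, and since no `ARG SPICEDB_PRESHARED` is declared in the visible hunk the variable is presumably empty there, so the line bakes an empty value into the image rather than forwarding anything; the container still only receives the key from whatever the runtime injects (the docker-compose `environment` entry in this commit). If the line is meant as documentation, a comment carries the intent better: `# SPICEDB_PRESHARED is supplied at run time; deliberately not an ARG/ENV so the key never lands in image layers or metadata`. Making the line "work" by declaring a build ARG would persist the key in the image configuration, which is readable by anyone who can pull the image.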
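Review bot: The new `"github.com/go-kratos/kratos/v2/config/env"` import is inserted between `"flag"` and `"os"` inside the standard-library group; goimports would move it into the non-stdlib group the file already has (the one starting with `"ciam-rebac/internal/conf"`), next to the other kratos packages main.go uses. The remainder of the import block is outside the hunk.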
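Review bot: `Errorf("Failed to read preshared key env %d", err)` uses the `%d` verb for an error value, which go vet flags and which prints the error's internals rather than its message; it should read `log.NewHelper(logger).Errorf("Failed to read preshared key env: %v", err)`. Also worth deciding what the error branch means: as written a missing `SPICEDB_PRESHARED` presumably makes `c.Value("PRESHARED").String()` return an error on every start (the kratos env source appears to strip the `SPICEDB_` prefix, which is why the lookup key is `PRESHARED`), after which execution simply continues with whatever token the YAML supplied, so the log line is noise rather than a decision point. If the key is required, return or panic here as the surrounding `panic(err)` lines do; if it is optional, a short comment saying that the YAML value is the fallback would stop the next reader from treating the logged error as a bug. main() starts and ends outside the hunk.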
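Review bot: `token: "${SPICEDB_PRESHARED:foobar}"` gives the SpiceDB preshared key a hard-coded fallback, so a deployment where the variable is missing starts with the predictable value `foobar` instead of refusing to come up, and the empty-token check this commit adds to NewSpiceDbRepository can never fire because the field is never empty; the Dockerfile in this same commit copies this file into the image, so the default ships with every build. If the kratos resolver behaves as I expect, the env source registered with prefix `SPICEDB_` exposes the variable under the key `PRESHARED`, so this placeholder likely never resolves to the real value and the override in main.go is what actually injects it. Drop the default, e.g. `token: ""`, so that a missing key is a startup error rather than a known credential.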
@@ -3,8 +3,8 @@ version: "3.8"
 services:
 rebac:
 image: "quay.io/ciam_authz/insights-rebac:latest"
- configs:
- - spicedb_pre_shared
+ environment:
+ - "SPICEDB_PRESHARED=${SPICEDB_GRPC_PRESHARED_KEY}"
 build:
 dockerfile: Dockerfile
 profiles: ["rebac"]
diff --git a/internal/conf/conf.pb.go b/internal/conf/conf.pb.go
index d27f14c..5c52f5c 100644
--- a/internal/conf/conf.pb.go
+++ b/internal/conf/conf.pb.go
@@ -1,7 +1,7 @@
 // Code generated by protoc-gen-go. DO NOT EDIT.
 // versions:
 // protoc-gen-go v1.32.0
-// protoc v3.21.12
+// protoc v3.19.4
 // source: conf/conf.proto
 package conf
@@ -309,9 +309,9 @@ type Data_SpiceDb struct {
 sizeCache protoimpl.SizeCache
 unknownFields protoimpl.UnknownFields
- UseTLS bool `protobuf:"varint,1,opt,name=useTLS,proto3" json:"useTLS,omitempty"`
- Endpoint string `protobuf:"bytes,2,opt,name=endpoint,proto3" json:"endpoint,omitempty"`
- TokenFile string `protobuf:"bytes,3,opt,name=tokenFile,proto3" json:"tokenFile,omitempty"`
+ UseTLS bool `protobuf:"varint,1,opt,name=useTLS,proto3" json:"useTLS,omitempty"`
+ Endpoint string `protobuf:"bytes,2,opt,name=endpoint,proto3" json:"endpoint,omitempty"`
+ Token string `protobuf:"bytes,3,opt,name=token,proto3" json:"token,omitempty"`
 }
 func (x *Data_SpiceDb) Reset() {
@@ -360,9 +360,9 @@ func (x *Data_SpiceDb) GetEndpoint() string {
 return ""
 }
-func (x *Data_SpiceDb) GetTokenFile() string {
+func (x *Data_SpiceDb) GetToken() string {
 if x != nil {
- return x.TokenFile
+ return x.Token
 }
 return ""
 }
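Review bot: `"SPICEDB_PRESHARED=${SPICEDB_GRPC_PRESHARED_KEY}"` substitutes an empty string (with only a warning) when the host variable is unset, and with the `foobar` default in configs/config.yaml the container would then run with that known key. Compose's required-variable form makes the mistake fail at `up` time instead: `- "SPICEDB_PRESHARED=${SPICEDB_GRPC_PRESHARED_KEY:?SPICEDB_GRPC_PRESHARED_KEY must be set}"`. Moving the key from a `configs:` entry to `environment:` also makes it readable through `docker inspect` and the container's process environment; compose `secrets:` would keep the file-based delivery the removed `spicedb_pre_shared` entry provided.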
@@ -399,19 +399,19 @@ var file_conf_conf_proto_rawDesc = []byte{ 0x64, 0x72, 0x12, 0x33, 0x0a, 0x07, 0x74, 0x69, 0x6d, 0x65, 0x6f, 0x75, 0x74, 0x18, 0x03, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x19, 0x2e, 0x67, 0x6f, 0x6f, 0x67, 0x6c, 0x65, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2e, 0x44, 0x75, 0x72, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x52, 0x07, - 0x74, 0x69, 0x6d, 0x65, 0x6f, 0x75, 0x74, 0x22, 0x97, 0x01, 0x0a, 0x04, 0x44, 0x61, 0x74, 0x61, + 0x74, 0x69, 0x6d, 0x65, 0x6f, 0x75, 0x74, 0x22, 0x8f, 0x01, 0x0a, 0x04, 0x44, 0x61, 0x74, 0x61, 0x12, 0x32, 0x0a, 0x07, 0x73, 0x70, 0x69, 0x63, 0x65, 0x44, 0x62, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x18, 0x2e, 0x6b, 0x72, 0x61, 0x74, 0x6f, 0x73, 0x2e, 0x61, 0x70, 0x69, 0x2e, 0x44, 0x61, 0x74, 0x61, 0x2e, 0x53, 0x70, 0x69, 0x63, 0x65, 0x44, 0x62, 0x52, 0x07, 0x73, 0x70, 0x69, - 0x63, 0x65, 0x44, 0x62, 0x1a, 0x5b, 0x0a, 0x07, 0x53, 0x70, 0x69, 0x63, 0x65, 0x44, 0x62, 0x12, + 0x63, 0x65, 0x44, 0x62, 0x1a, 0x53, 0x0a, 0x07, 0x53, 0x70, 0x69, 0x63, 0x65, 0x44, 0x62, 0x12, 0x16, 0x0a, 0x06, 0x75, 0x73, 0x65, 0x54, 0x4c, 0x53, 0x18, 0x01, 0x20, 0x01, 0x28, 0x08, 0x52, 0x06, 0x75, 0x73, 0x65, 0x54, 0x4c, 0x53, 0x12, 0x1a, 0x0a, 0x08, 0x65, 0x6e, 0x64, 0x70, 0x6f, 0x69, 0x6e, 0x74, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x08, 0x65, 0x6e, 0x64, 0x70, 0x6f, - 0x69, 0x6e, 0x74, 0x12, 0x1c, 0x0a, 0x09, 0x74, 0x6f, 0x6b, 0x65, 0x6e, 0x46, 0x69, 0x6c, 0x65, - 0x18, 0x03, 0x20, 0x01, 0x28, 0x09, 0x52, 0x09, 0x74, 0x6f, 0x6b, 0x65, 0x6e, 0x46, 0x69, 0x6c, - 0x65, 0x42, 0x1f, 0x5a, 0x1d, 0x63, 0x69, 0x61, 0x6d, 0x2d, 0x72, 0x65, 0x62, 0x61, 0x63, 0x2f, - 0x69, 0x6e, 0x74, 0x65, 0x72, 0x6e, 0x61, 0x6c, 0x2f, 0x63, 0x6f, 0x6e, 0x66, 0x3b, 0x63, 0x6f, - 0x6e, 0x66, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33, + 0x69, 0x6e, 0x74, 0x12, 0x14, 0x0a, 0x05, 0x74, 0x6f, 0x6b, 0x65, 0x6e, 0x18, 0x03, 0x20, 0x01, + 0x28, 0x09, 0x52, 0x05, 0x74, 0x6f, 0x6b, 0x65, 0x6e, 0x42, 0x1f, 0x5a, 0x1d, 0x63, 0x69, 0x61, + 0x6d, 0x2d, 0x72, 0x65, 
0x62, 0x61, 0x63, 0x2f, 0x69, 0x6e, 0x74, 0x65, 0x72, 0x6e, 0x61, 0x6c, + 0x2f, 0x63, 0x6f, 0x6e, 0x66, 0x3b, 0x63, 0x6f, 0x6e, 0x66, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, + 0x6f, 0x33, } var (
diff --git a/internal/conf/conf.proto b/internal/conf/conf.proto
index f736819..101af6a 100644
--- a/internal/conf/conf.proto
+++ b/internal/conf/conf.proto
@@ -29,7 +29,7 @@ message Data {
 message SpiceDb {
 bool useTLS = 1;
 string endpoint = 2;
- string tokenFile = 3;
+ string token = 3;
 }
 SpiceDb spiceDb = 1;
 }
diff --git a/internal/data/spicedb.go b/internal/data/spicedb.go
index 34c88f3..c3637d0 100644
--- a/internal/data/spicedb.go
+++ b/internal/data/spicedb.go
@@ -12,7 +12,6 @@ import (
 "github.com/go-kratos/kratos/v2/log"
 "google.golang.org/grpc"
 "google.golang.org/grpc/credentials/insecure"
- "os"
 )
 // SpiceDbRepository .
@@ -27,9 +26,9 @@ func NewSpiceDbRepository(c *conf.Data, logger log.Logger) (*SpiceDbRepository,
 var opts []grpc.DialOption
 opts = append(opts, grpc.WithBlock()) // TODO: always did it this way with authz. Still the right option?
- token, err := readToken(c.SpiceDb.TokenFile)
- if err != nil {
- err = fmt.Errorf("error extracting token from file: %w", err)
+ token := c.SpiceDb.Token
+ if token == "" {
+ err := fmt.Errorf("token is empty: %s", token)
 log.NewHelper(logger).Error(err)
 return nil, nil, err
 }
@@ -134,12 +133,3 @@ func createSpiceDbRelationship(relationship *apiV1.Relationship) *v1.Relationshi
 Subject: subject,
 }
 }
-
-func readToken(file string) (string, error) {
- bytes, err := os.ReadFile(file)
- if err != nil {
- return "", err
- }
-
- return string(bytes), nil
-}
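Review bot: `fmt.Errorf("token is empty: %s", token)` formats a value the guard on the previous line has just established is empty, so the `%s` adds nothing, and if that condition is ever loosened the line would write the credential into the log; `err := fmt.Errorf("spicedb preshared token is empty")` (or `errors.New`, if that package is imported elsewhere in the file) says the same without touching the secret. Worth adding a one-line comment above the check, `// Token arrives via config (SPICEDB_PRESHARED); refuse to dial without one`, since the file-based readToken this replaced is gone and the source of the value is no longer obvious here. NewSpiceDbRepository starts before the hunk and continues after it.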