diff --git a/argocd/manifests/1password-connect/README.md b/argocd/manifests/1password-connect/README.md
index 210c1e6..29e6748 100644
--- a/argocd/manifests/1password-connect/README.md
+++ b/argocd/manifests/1password-connect/README.md
@@ -42,9 +42,11 @@ op connect token create blumeops --server --vault blumeops
 ### 3. Store Credentials in 1Password
 Create a new item "1Password Connect" in the blumeops vault with:
-- `credentials-file` field: Paste the contents of `1password-credentials.json` (NOT base64 encoded)
+- `credentials-file` field: Paste the contents of `1password-credentials.json` (raw JSON, NOT base64 encoded)
 - `token` field: Paste the access token
+> **Note:** Chart 2.3.0+ mounts credentials as a file with standard k8s base64 encoding. The old `credentials-base64` field is no longer needed.
+
 ### 4. Create Bootstrap Secret
 ```bash
diff --git a/argocd/manifests/1password-connect/secret-credentials.yaml.tpl b/argocd/manifests/1password-connect/secret-credentials.yaml.tpl
index 27dae23..2bc833e 100644
--- a/argocd/manifests/1password-connect/secret-credentials.yaml.tpl
+++ b/argocd/manifests/1password-connect/secret-credentials.yaml.tpl
@@ -9,19 +9,16 @@
 # 2. Create token: op connect token create blumeops --server --vault blumeops
 # 3. Create 1Password item "1Password Connect" in blumeops vault with:
 # - credentials-file: contents of 1password-credentials.json (raw JSON)
-# - credentials-base64: base64-encoded contents of 1password-credentials.json
 # - token: the access token
 #
-# To add credentials-base64 to existing item:
-# CREDS=$(op item get "1Password Connect" --vault blumeops --format json | \
-# jq -r '.fields[] | select(.label == "credentials-file") | .value' | base64)
-# op item edit "1Password Connect" --vault blumeops "credentials-base64=$CREDS"
-#
 # Usage:
 # kubectl --context=minikube-indri create namespace 1password
 # op inject -i argocd/manifests/1password-connect/secret-credentials.yaml.tpl | \
 # kubectl --context=minikube-indri apply -f -
 #
+# Note: chart 2.3.0+ mounts credentials as a file with standard k8s base64.
+# Use raw JSON here (not pre-encoded); k8s stringData handles encoding.
+#
 apiVersion: v1
 kind: Secret
 metadata:
@@ -29,8 +26,7 @@ metadata:
 namespace: 1password
 type: Opaque
 stringData:
- # OP_SESSION env var expects base64-encoded credentials
- 1password-credentials.json: "{{ op://blumeops/1Password Connect/credentials-base64 }}"
+ 1password-credentials.json: "{{ op://blumeops/1Password Connect/credentials-file }}"
 ---
 apiVersion: v1
 kind: Secret
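Review bot: The header comment drops the `credentials-base64` setup steps but never tells operators to remove that field from an existing "1Password Connect" item, so a second, now-unused copy of the Connect credentials stays in the vault. I would add a line beside the new note, for example `# If the item still has a credentials-base64 field from the old setup, delete it; it is an unused copy of the credentials.` The chart 2.3.0+ note is also effectively a precondition: the comment removed further down says the old setup expected base64 in OP_SESSION, so presumably an older chart would break on raw JSON. It is worth saying that this template must only be applied together with the chart upgrade.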
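Review bot: The new `stringData` value places raw JSON inside a double-quoted YAML scalar, so the JSON's own `"` and `\` characters will end or alter that scalar unless `op inject` escapes them. As far as I know it substitutes text without YAML escaping; please confirm. The base64 value used before contained neither character, so the problem could not arise until now. For single-line JSON a single-quoted scalar is safer: `1password-credentials.json: '{{ op://blumeops/1Password Connect/credentials-file }}'`. Check that the rendered Secret's value parses as JSON before applying it. The Secret document starts above this hunk and a second Secret follows below it.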