diff --git a/.gitignore b/.gitignore index b879f62..c50d844 100644 --- a/.gitignore +++ b/.gitignore @@ -8,4 +8,7 @@ tinyauth docker-compose.test.yml # users file -users.txt \ No newline at end of file +users.txt + +# secret test file +secret.txt \ No newline at end of file diff --git a/cmd/root.go b/cmd/root.go index cd74805..eb40c4b 100644 --- a/cmd/root.go +++ b/cmd/root.go @@ -1,6 +1,7 @@ package cmd import ( + "strings" cmd "tinyauth/cmd/user" "tinyauth/internal/api" "tinyauth/internal/auth" 
@@ -32,32 +33,20 @@ var rootCmd = &cobra.Command{ validateErr := validator.Struct(config) HandleError(validateErr, "Invalid config") - // Parse users + // Users log.Info().Msg("Parsing users") + users, usersErr := utils.GetUsers(config.Users, config.UsersFile) + HandleError(usersErr, "Failed to parse users") - if config.UsersFile == "" && config.Users == "" { - log.Fatal().Msg("No users provided") - } + // Secrets + log.Info().Msg("Parsing secrets") - usersString := config.Users - - if config.UsersFile != "" { - log.Info().Msg("Reading users from file") - usersFromFile, readErr := utils.GetUsersFromFile(config.UsersFile) - HandleError(readErr, "Failed to read users from file") - usersFromFileParsed := utils.ParseFileToLine(usersFromFile) - if usersString != "" { - usersString = usersString + "," + usersFromFileParsed - } else { - usersString = usersFromFileParsed - } - } - - users, parseErr := utils.ParseUsers(usersString) - HandleError(parseErr, "Failed to parse users") + config.GithubClientSecret = utils.GetSecret(config.GithubClientSecret, config.GithubClientSecretFile) + config.GoogleClientSecret = utils.GetSecret(config.GoogleClientSecret, config.GoogleClientSecretFile) + config.GenericClientSecret = utils.GetSecret(config.GenericClientSecret, config.GenericClientSecretFile) // Create oauth whitelist - oauthWhitelist := utils.ParseCommaString(config.OAuthWhitelist) + oauthWhitelist := strings.Split(config.OAuthWhitelist, ",") // Create OAuth config oauthConfig := types.OAuthConfig{ @@ -67,7 +56,7 @@ var rootCmd = &cobra.Command{ GoogleClientSecret: config.GoogleClientSecret, GenericClientId: config.GenericClientId, GenericClientSecret: config.GenericClientSecret, - GenericScopes: utils.ParseCommaString(config.GenericScopes), + GenericScopes: strings.Split(config.GenericScopes, ","), GenericAuthURL: config.GenericAuthURL, GenericTokenURL: config.GenericTokenURL, GenericUserURL: config.GenericUserURL, 
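Review bot: `oauthWhitelist := strings.Split(config.OAuthWhitelist, ",")` is not a drop-in for the removed ParseCommaString: for an unset whitelist it yields `[]string{""}` (length 1) where the old helper returned an empty slice, so any downstream check of the form `len(whitelist) == 0` meaning "no restriction" now sees a one-entry whitelist holding the empty string (the consumer is not in this diff, so which way it fails is not visible here, but it is a behaviour change either way). Keeping the empty guard restores the old semantics: `oauthWhitelist := []string{}` followed by `if config.OAuthWhitelist != "" { oauthWhitelist = strings.Split(config.OAuthWhitelist, ",") }`, and trimming spaces around each entry would be cheap at the same spot. The three `utils.GetSecret` assignments just above cannot fail as written because GetSecret returns only a string, so an unreadable secret file leaves e.g. `config.GithubClientSecret` empty with no log line, which is worth at least a `log.Warn()` when the `*-secret-file` option is set and the result is empty.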
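Review bot: The same empty-string pitfall applies to `GenericScopes: strings.Split(config.GenericScopes, ",")`: with no scopes configured the OAuth config receives `[]string{""}` instead of an empty slice, and that empty scope may end up in the authorization request depending on how the oauth2 client joins the list. Computing `genericScopes := []string{}` and `if config.GenericScopes != "" { genericScopes = strings.Split(config.GenericScopes, ",") }` before the struct literal preserves what ParseCommaString did.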
@@ -131,10 +120,13 @@ func init() { rootCmd.Flags().Bool("cookie-secure", false, "Send cookie over secure connection only.") rootCmd.Flags().String("github-client-id", "", "Github OAuth client ID.") rootCmd.Flags().String("github-client-secret", "", "Github OAuth client secret.") + rootCmd.Flags().String("github-client-secret-file", "", "Github OAuth client secret file.") rootCmd.Flags().String("google-client-id", "", "Google OAuth client ID.") rootCmd.Flags().String("google-client-secret", "", "Google OAuth client secret.") + rootCmd.Flags().String("google-client-secret-file", "", "Google OAuth client secret file.") rootCmd.Flags().String("generic-client-id", "", "Generic OAuth client ID.") rootCmd.Flags().String("generic-client-secret", "", "Generic OAuth client secret.") + rootCmd.Flags().String("generic-client-secret-file", "", "Generic OAuth client secret file.") rootCmd.Flags().String("generic-scopes", "", "Generic OAuth scopes.") rootCmd.Flags().String("generic-auth-url", "", "Generic OAuth auth URL.") rootCmd.Flags().String("generic-token-url", "", "Generic OAuth token URL.") @@ -151,10 +143,13 @@ func init() { viper.BindEnv("cookie-secure", "COOKIE_SECURE") viper.BindEnv("github-client-id", "GITHUB_CLIENT_ID") viper.BindEnv("github-client-secret", "GITHUB_CLIENT_SECRET") + viper.BindEnv("github-client-secret-file", "GITHUB_CLIENT_SECRET_FILE") viper.BindEnv("google-client-id", "GOOGLE_CLIENT_ID") viper.BindEnv("google-client-secret", "GOOGLE_CLIENT_SECRET") + viper.BindEnv("google-client-secret-file", "GOOGLE_CLIENT_SECRET_FILE") viper.BindEnv("generic-client-id", "GENERIC_CLIENT_ID") viper.BindEnv("generic-client-secret", "GENERIC_CLIENT_SECRET") + viper.BindEnv("generic-client-secret-file", "GENERIC_CLIENT_SECRET_FILE") viper.BindEnv("generic-scopes", "GENERIC_SCOPES") viper.BindEnv("generic-auth-url", "GENERIC_AUTH_URL") viper.BindEnv("generic-token-url", "GENERIC_TOKEN_URL") 
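Review bot: The help text of the three new `*-client-secret-file` flags does not say how they interact with the inline `*-client-secret` flags, although utils.GetSecret in this diff makes the inline value win and ignores the file whenever it is set, and reads the file verbatim. A one-line hint avoids operators setting both and wondering which one is used: `"Github OAuth client secret file (used only when --github-client-secret is unset)."`, and likewise for the Google and generic flags. It is also worth mentioning in the inline flags' help that a secret passed on the command line is visible in the process list, which is the reason the file variant exists.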
diff --git a/internal/auth/auth.go b/internal/auth/auth.go index b32b355..60085a2 100644 --- a/internal/auth/auth.go +++ b/internal/auth/auth.go @@ -31,7 +31,7 @@ func (auth *Auth) GetUser(username string) *types.User { } func (auth *Auth) CheckPassword(user types.User, password string) bool { - hashedPasswordErr := bcrypt.CompareHashAndPassword([]byte(user.Username), []byte(password)) + hashedPasswordErr := bcrypt.CompareHashAndPassword([]byte(user.Password), []byte(password)) return hashedPasswordErr == nil } diff --git a/internal/types/types.go b/internal/types/types.go index 4b98a30..5056dbc 100644 --- a/internal/types/types.go +++ b/internal/types/types.go 
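Review bot: CheckPassword still collapses every bcrypt error into `false`, so a stored hash that is malformed (for example a users entry whose password was never bcrypt-hashed) is indistinguishable from a wrong password and the operator only ever sees failed logins. The `+` line itself is right, since the old call compared against `user.Username`, which can never be a valid hash, but the non-mismatch error class is worth surfacing: `if err != nil && !errors.Is(err, bcrypt.ErrMismatchedHashAndPassword) { log.Warn().Err(err).Str("user", user.Username).Msg("Stored password is not a valid bcrypt hash") }` before the `return`. That assumes `errors` and the zerolog logger used in cmd/root.go are in scope in this package, which the hunk does not show.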
@@ -19,26 +19,29 @@ type User struct { type Users []User type Config struct { - Port int `validate:"number" mapstructure:"port"` - Address string `mapstructure:"address, ip4_addr"` - Secret string `validate:"required,len=32" mapstructure:"secret"` - AppURL string `validate:"required,url" mapstructure:"app-url"` - Users string `mapstructure:"users"` - UsersFile string `mapstructure:"users-file"` - CookieSecure bool `mapstructure:"cookie-secure"` - GithubClientId string `mapstructure:"github-client-id"` - GithubClientSecret string `mapstructure:"github-client-secret"` - GoogleClientId string `mapstructure:"google-client-id"` - GoogleClientSecret string `mapstructure:"google-client-secret"` - GenericClientId string `mapstructure:"generic-client-id"` - GenericClientSecret string `mapstructure:"generic-client-secret"` - GenericScopes string `mapstructure:"generic-scopes"` - GenericAuthURL string `mapstructure:"generic-auth-url"` - GenericTokenURL string `mapstructure:"generic-token-url"` - GenericUserURL string `mapstructure:"generic-user-info-url"` - DisableContinue bool `mapstructure:"disable-continue"` - OAuthWhitelist string `mapstructure:"oauth-whitelist"` - CookieExpiry int `mapstructure:"cookie-expiry"` + Port int `validate:"number" mapstructure:"port"` + Address string `mapstructure:"address, ip4_addr"` + Secret string `validate:"required,len=32" mapstructure:"secret"` + AppURL string `validate:"required,url" mapstructure:"app-url"` + Users string `mapstructure:"users"` + UsersFile string `mapstructure:"users-file"` + CookieSecure bool `mapstructure:"cookie-secure"` + GithubClientId string `mapstructure:"github-client-id"` + GithubClientSecret string `mapstructure:"github-client-secret"` + GithubClientSecretFile string `mapstructure:"github-client-secret-file"` + GoogleClientId string `mapstructure:"google-client-id"` + GoogleClientSecret string `mapstructure:"google-client-secret"` + GoogleClientSecretFile string `mapstructure:"google-client-secret-file"` + 
GenericClientId string `mapstructure:"generic-client-id"` + GenericClientSecret string `mapstructure:"generic-client-secret"` + GenericClientSecretFile string `mapstructure:"generic-client-secret-file"` + GenericScopes string `mapstructure:"generic-scopes"` + GenericAuthURL string `mapstructure:"generic-auth-url"` + GenericTokenURL string `mapstructure:"generic-token-url"` + GenericUserURL string `mapstructure:"generic-user-info-url"` + DisableContinue bool `mapstructure:"disable-continue"` + OAuthWhitelist string `mapstructure:"oauth-whitelist"` + CookieExpiry int `mapstructure:"cookie-expiry"` } type UserContext struct { diff --git a/internal/utils/utils.go b/internal/utils/utils.go index e281375..b6ecafc 100644 --- a/internal/utils/utils.go +++ b/internal/utils/utils.go @@ -44,14 +44,14 @@ func GetRootURL(urlSrc string) (string, error) { return urlFinal, nil } -func GetUsersFromFile(usersFile string) (string, error) { - _, statErr := os.Stat(usersFile) +func ReadFile(file string) (string, error) { + _, statErr := os.Stat(file) if statErr != nil { return "", statErr } - data, readErr := os.ReadFile(usersFile) + data, readErr := os.ReadFile(file) if readErr != nil { return "", readErr 
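Review bot: `Address string \`mapstructure:"address, ip4_addr"\`` is re-emitted unchanged on the new side, and `ip4_addr` sits inside the mapstructure tag, where it is at best an ignored option rather than a validator rule, so the bind address is never validated even though the struct goes through `validator.Struct` in cmd/root.go. Moving it to the validate tag, `Address string \`validate:"omitempty,ip4_addr" mapstructure:"address"\``, makes it take effect (omitempty so an unset address does not fail validation). The three new `*ClientSecretFile` fields could likewise carry `validate:"omitempty,file"` so a mistyped path fails at startup instead of silently producing an empty client secret through GetSecret.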
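Review bot: ReadFile is now the read path for OAuth client secrets as well as the users file, but the `os.Stat` on the new side only duplicates the error `os.ReadFile` returns a few lines later and its result is otherwise discarded, leaving a check-then-use window for nothing. If the stat stays, the cheap thing to do with it is a permission check, because a group- or world-readable secret file is the common deployment mistake: `info, statErr := os.Stat(file)` and, after the existing error check, `if info.Mode().Perm()&0o077 != 0 { /* warn: secret file readable by group/others */ }` (no logger is visible in this file, so the call is left as a comment). The tail of the function, where the bytes are turned into a string, is outside the hunk.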
@@ -75,9 +75,43 @@ func ParseFileToLine(content string) string { return strings.Join(users, ",") } -func ParseCommaString(str string) []string { - if str == "" { - return []string{} +func GetSecret(env string, file string) string { + if env == "" && file == "" { + return "" } - return strings.Split(str, ",") + + if env != "" { + return env + } + + contents, err := ReadFile(file) + + if err != nil { + return "" + } + + return contents +} + +func GetUsers(env string, file string) (types.Users, error) { + var users string + + if env == "" && file == "" { + return types.Users{}, errors.New("no users provided") + } + + if env != "" { + users += env + } + + if file != "" { + fileContents, fileErr := ReadFile(file) + + if fileErr == nil { + users += "," + users += ParseFileToLine(fileContents) + } + } + + return ParseUsers(users) }
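Review bot: GetUsers regresses the merge logic it replaces when only the file is set: with `env == ""` it writes `","` before the file contents, so ParseUsers receives a leading empty entry (presumably rejected or turned into an empty user, ParseUsers is not in the diff), and a failed ReadFile is silently dropped by `if fileErr == nil`, which with no inline users hands ParseUsers an empty string instead of the file error that the old code reported through HandleError. GetSecret has the same silent drop on its read error and returns the contents untrimmed, so a secret written with `echo` or mounted as a Docker secret keeps its trailing newline; `strings.TrimSpace(contents)` plus a logged warning when `err != nil` would fix both (returning the error would be better but changes the three call sites in cmd/root.go). A GetUsers that propagates the error and joins only non-empty parts is below; `errors` and `strings` are already used by the hunk.

```go
func GetUsers(env string, file string) (types.Users, error) {
	if env == "" && file == "" {
		return types.Users{}, errors.New("no users provided")
	}

	parts := []string{}
	if env != "" {
		parts = append(parts, env)
	}

	if file != "" {
		fileContents, fileErr := ReadFile(file)
		if fileErr != nil {
			return types.Users{}, fileErr
		}
		if line := ParseFileToLine(fileContents); line != "" {
			parts = append(parts, line)
		}
	}

	return ParseUsers(strings.Join(parts, ","))
}
```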