diff --git a/charts/exivity/templates/secret.yaml b/charts/exivity/templates/secret.yaml
index ee879f8..b97db3b 100644
--- a/charts/exivity/templates/secret.yaml
+++ b/charts/exivity/templates/secret.yaml
@@ -5,11 +5,14 @@ metadata:
 labels:
 {{- include "exivity.labels" $ | indent 4 }}
 data:
- {{- if .Release.IsUpgrade }}
- EXIVITY_APP_KEY: {{ index (lookup "v1" "Secret" .Release.Namespace (printf "%s-app-key" (include "exivity.fullname" $))).data "EXIVITY_APP_KEY" }}
- {{- else if not (empty .Values.secret.appKey) }}
+ {{- if and .Values.secret.appKey (ne .Values.secret.appKey "") }}
+ {{/* Use provided APP_KEY (validation handled by values.schema.json) */}}
 EXIVITY_APP_KEY: {{ .Values.secret.appKey | b64enc }}
+ {{- else if .Release.IsUpgrade }}
+ {{/* Reuse existing secret during upgrade when no new key provided */}}
+ EXIVITY_APP_KEY: {{ index (lookup "v1" "Secret" .Release.Namespace (printf "%s-app-key" (include "exivity.fullname" $))).data "EXIVITY_APP_KEY" }}
 {{- else }}
+ {{/* Generate secure random 32-character APP_KEY for new installations */}}
 EXIVITY_APP_KEY: {{ randAlphaNum 32 | b64enc }}
 {{- end }}
diff --git a/charts/exivity/values.schema.json b/charts/exivity/values.schema.json
index dc0972b..be145db 100644
--- a/charts/exivity/values.schema.json
+++ b/charts/exivity/values.schema.json
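Review bot: The `{{- else if .Release.IsUpgrade }}` branch reads `.data` from the `lookup` result without checking that the secret was actually found. `lookup` returns an empty map under `helm template` and client-side `--dry-run`, and also when the `-app-key` secret has been removed from the namespace, so `index` is handed nil and rendering stops with an error that does not tell the operator what is missing. Binding the result and wrapping the read in `required` gives a clear message: `{{- $existing := lookup "v1" "Secret" .Release.Namespace (printf "%s-app-key" (include "exivity.fullname" $)) }}` followed by `EXIVITY_APP_KEY: {{ required "existing app-key secret not found; set secret.appKey" (get (get $existing "data" | default (dict)) "EXIVITY_APP_KEY") }}`. Failing is preferable to falling through to the `randAlphaNum` branch, which would silently replace the encryption key of a running installation. In the first branch, `and .Values.secret.appKey (ne .Values.secret.appKey "")` is redundant because an empty string is already falsy; `{{- if .Values.secret.appKey }}` is equivalent.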
@@ -40,11 +40,14 @@
 "appKey": {
 "type": "string",
 "default": "",
- "title": "The appKey Schema",
+ "title": "Laravel Application Key",
+ "description": "The application encryption key used by Laravel for encrypting and decrypting sensitive data with AES-256-CBC cipher. This value can be left empty for automatic generation during installation or specified as a base64-encoded key with the 'base64:' prefix (standard Laravel format). If an invalid or incorrectly formatted key is provided, a Laravel RuntimeException will be thrown. A valid key can be generated using: php artisan key:generate --show",
 "examples": [
- "ieR3rai9aijeghingo9LeaCaipah4lohxiliekaem3chahph0iemeeghai3ohfah"
+ "",
+ "ZC9GxTNHyDyYOZYidN240FuhsB0QJxZs",
+ "base64:MTIzNDU2Nzg5MDEyMzQ1Njc4OTAxMjM0NTY3ODkwMTI="
 ],
- "maxLength": 64
+ "pattern": "^(|[a-zA-Z0-9]{32}|base64:[A-Za-z0-9+/]{16,88}={0,2})$"
 },
 "jwtSecret": {
 "type": "string",
diff --git a/charts/exivity/values.yaml b/charts/exivity/values.yaml
index 6d30074..7e0aaa1 100644
--- a/charts/exivity/values.yaml
+++ b/charts/exivity/values.yaml
@@ -9,7 +9,7 @@ licence: "demo"
 # Secret keys used for application security. Random values are generated on installation if not set.
 # Random values are generated on installation if not set, but it's recommended to specify values for production.
 secret:
- appKey: "" # Used to encrypt application data. Specify a value for production. Max length: 64 characters.
+ appKey: "" # Laravel encryption key. Must be 32 characters (plain) or base64-encoded with 'base64:' prefix. Validated by values.schema.json. Generate with: php artisan key:generate --show
 jwtSecret: "" # Used for signing JWTs. Specify a value for production.
 ingress:
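Review bot: The `base64:` branch of the new `pattern` accepts anywhere from 16 to 88 base64 characters with optional padding, so it admits keys that do not decode to 32 bytes even though the description names AES-256-CBC. Such a value passes schema validation and is only rejected when the application starts, which is the runtime exception the description warns about. If the cipher is fixed at AES-256-CBC, the branch can be pinned to the encoding of a 32-byte key: `"pattern": "^(|[a-zA-Z0-9]{32}|base64:[A-Za-z0-9+/]{43}=)$"`. The two non-empty `examples` are well-formed keys that would validate (the base64 one decodes to a plain digit sequence), so the description should state that they are samples and must not be deployed.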
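Review bot: The new comment on `appKey` says a plain key "Must be 32 characters", but the schema pattern added in this commit accepts only `[a-zA-Z0-9]` for that form, so a 32-character key containing punctuation is rejected with a regex error the comment does not explain. It also omits that, with the reordered template, a non-empty `appKey` now replaces the stored key on upgrade, after which data encrypted under the previous key may no longer be decryptable. I would word it as `# Laravel encryption key: 32 alphanumeric characters, or 'base64:' followed by a base64 key. Leave empty on upgrade to keep the existing key; changing it can make previously encrypted data unreadable.` The two context comment lines above `secret:` repeat the same sentence and could be merged in the same pass.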