diff --git a/cloudbuild.yaml b/cloudbuild.yaml
index 6e529c4..f122bee 100644
--- a/cloudbuild.yaml
+++ b/cloudbuild.yaml
@@ -112,7 +112,11 @@ steps:
       - --concurrency=80
       - --timeout=300s
       - --add-cloudsql-instances=${_INSTANCE_CONN}
-      - --set-secrets=DATABASE_URL=DATABASE_URL:latest,JWT_SECRET=JWT_SECRET:latest,REPORT_EMAIL=REPORT_EMAIL:latest,STRIPE_SECRET_KEY=STRIPE_SECRET_KEY:latest,STRIPE_WEBHOOK_SECRET=STRIPE_WEBHOOK_SECRET:latest,STRIPE_PRICE_ID_PRO_MONTHLY=STRIPE_PRICE_ID_PRO_MONTHLY:latest,STRIPE_PRICE_ID_PRO_ANNUAL=STRIPE_PRICE_ID_PRO_ANNUAL:latest,STRIPE_PRICE_ID_PRO_OVERAGE=STRIPE_PRICE_ID_PRO_OVERAGE:latest
+      # --set-secrets REPLACES the service's entire secret set on every
+      # deploy, so it must list every secret wot-api needs - any omission
+      # is silently dropped. RESEND_API_KEY powers magic-link sign-in
+      # email; leaving it off here drops it on the next autodeploy.
+      - --set-secrets=DATABASE_URL=DATABASE_URL:latest,JWT_SECRET=JWT_SECRET:latest,REPORT_EMAIL=REPORT_EMAIL:latest,RESEND_API_KEY=RESEND_API_KEY:latest,STRIPE_SECRET_KEY=STRIPE_SECRET_KEY:latest,STRIPE_WEBHOOK_SECRET=STRIPE_WEBHOOK_SECRET:latest,STRIPE_PRICE_ID_PRO_MONTHLY=STRIPE_PRICE_ID_PRO_MONTHLY:latest,STRIPE_PRICE_ID_PRO_ANNUAL=STRIPE_PRICE_ID_PRO_ANNUAL:latest,STRIPE_PRICE_ID_PRO_OVERAGE=STRIPE_PRICE_ID_PRO_OVERAGE:latest
     waitFor: ['migrate-db']
 
   # --- Frontend (built AFTER backend URL is known) ---