diff --git a/scripts/update-kong-keys.sh b/scripts/update-kong-keys.sh
new file mode 100644
index 0000000..e62ee00
--- /dev/null
+++ b/scripts/update-kong-keys.sh
@@ -0,0 +1,236 @@
+#!/bin/bash
+# Update kong.yml with API keys from .env
+# Run this after setting up .env with your production keys
+
+set -e
+
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+PROJECT_DIR="$(dirname "$SCRIPT_DIR")"
+ENV_FILE="$PROJECT_DIR/.env"
+KONG_FILE="$PROJECT_DIR/supabase/docker/kong.yml"
+
+# Check if .env exists
+if [ ! -f "$ENV_FILE" ]; then
+ echo "Error: .env file not found at $ENV_FILE"
+ exit 1
+fi
+
+# Load environment variables
+source "$ENV_FILE"
+
+# Verify keys are set
+if [ -z "$ANON_KEY" ]; then
+ echo "Error: ANON_KEY is not set in .env"
+ exit 1
+fi
+
+if [ -z "$SERVICE_ROLE_KEY" ]; then
+ echo "Error: SERVICE_ROLE_KEY is not set in .env"
+ exit 1
+fi
+
+# Backup original kong.yml
+cp "$KONG_FILE" "$KONG_FILE.bak"
+
+# Create updated kong.yml
+cat > "$KONG_FILE" << EOF
+_format_version: "2.1"
+_transform: true
+
+###
+### Consumers / Users
+###
+consumers:
+ - username: ANON
+ keyauth_credentials:
+ - key: $ANON_KEY
+ - username: SERVICE_ROLE
+ keyauth_credentials:
+ - key: $SERVICE_ROLE_KEY
+
+###
+### Access Control Lists
+###
+acls:
+ - consumer: ANON
+ group: anon
+ - consumer: SERVICE_ROLE
+ group: admin
+
+###
+### API Routes
+###
+services:
+ ## Redirect /auth/verify to SvelteKit app for email links
+ - name: auth-verify-redirect
+ url: http://portal:3000/auth/verify
+ routes:
+ - name: auth-verify-redirect
+ strip_path: false
+ paths:
+ - /auth/verify
+ preserve_host: false
+ plugins:
+ - name: cors
+
+ ## Auth Service (GoTrue)
+ - name: auth-v1-open
+ url: http://auth:9999/verify
+ routes:
+ - name: auth-v1-open
+ strip_path: true
+ paths:
+ - /auth/v1/verify
+ plugins:
+ - name: cors
+
+ - name: auth-v1-open-callback
+ url: http://auth:9999/callback
+ routes:
+ - name: auth-v1-open-callback
+ strip_path: true
+ paths:
+ - /auth/v1/callback
+ plugins:
+ - name: cors
+
+ - name: auth-v1-open-authorize
+ url: http://auth:9999/authorize
+ routes:
+ - name: auth-v1-open-authorize
+ strip_path: true
+ paths:
+ - /auth/v1/authorize
+ plugins:
+ - name: cors
+
+ - name: auth-v1
+ url: http://auth:9999/
+ routes:
+ - name: auth-v1
+ strip_path: true
+ paths:
+ - /auth/v1/
+ plugins:
+ - name: cors
+ - name: key-auth
+ config:
+ hide_credentials: false
+ - name: acl
+ config:
+ hide_groups_header: true
+ allow:
+ - admin
+ - anon
+
+ ## REST Service (PostgREST)
+ - name: rest-v1
+ url: http://rest:3000/
+ routes:
+ - name: rest-v1
+ strip_path: true
+ paths:
+ - /rest/v1/
+ plugins:
+ - name: cors
+ - name: key-auth
+ config:
+ hide_credentials: false
+ - name: acl
+ config:
+ hide_groups_header: true
+ allow:
+ - admin
+ - anon
+
+ ## Realtime Service
+ - name: realtime-v1-ws
+ url: http://realtime:4000/socket
+ routes:
+ - name: realtime-v1-ws
+ strip_path: true
+ paths:
+ - /realtime/v1/websocket
+ plugins:
+ - name: cors
+ - name: key-auth
+ config:
+ hide_credentials: false
+ - name: acl
+ config:
+ hide_groups_header: true
+ allow:
+ - admin
+ - anon
+
+ - name: realtime-v1
+ url: http://realtime:4000/
+ routes:
+ - name: realtime-v1
+ strip_path: true
+ paths:
+ - /realtime/v1/
+ plugins:
+ - name: cors
+ - name: key-auth
+ config:
+ hide_credentials: false
+ - name: acl
+ config:
+ hide_groups_header: true
+ allow:
+ - admin
+ - anon
+
+ ## Storage Service - Public objects (no auth required)
+ - name: storage-v1-public
+ url: http://storage:5000/object/public
+ routes:
+ - name: storage-v1-public
+ strip_path: true
+ paths:
+ - /storage/v1/object/public
+ plugins:
+ - name: cors
+
+ ## Storage Service - All other operations (auth required)
+ - name: storage-v1
+ url: http://storage:5000/
+ routes:
+ - name: storage-v1
+ strip_path: true
+ paths:
+ - /storage/v1/
+ plugins:
+ - name: cors
+ - name: key-auth
+ config:
+ hide_credentials: false
+ - name: acl
+ config:
+ hide_groups_header: true
+ allow:
+ - admin
+ - anon
+
+ ## PostgreSQL Meta (for Studio)
+ - name: meta
+ url: http://meta:8080/
+ routes:
+ - name: meta
+ strip_path: true
+ paths:
+ - /pg/
+ plugins:
+ - name: key-auth
+ config:
+ hide_credentials: false
+ - name: acl
+ config:
+ hide_groups_header: true
+ allow:
+ - admin
+EOF
+
+echo "Kong configuration updated successfully!"
+echo "Restart Kong to apply changes: docker compose restart kong"
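Review bot: The keys are interpolated into an unquoted `<< EOF` heredoc and written as bare YAML scalars (`- key: $ANON_KEY`, `- key: $SERVICE_ROLE_KEY`), so a value containing `$`, backticks or `\` is expanded by the shell before it reaches kong.yml, and one containing `#` or `: ` silently changes the YAML parse; the two `-z` checks pass either way, so a mis-pasted key yields a file Kong loads with the wrong credential. I would quote the scalars, `- key: "$ANON_KEY"`, and validate the shape before the `cp`, e.g. `[[ "$ANON_KEY" =~ ^[A-Za-z0-9._-]+$ ]] || { echo "Error: ANON_KEY has unexpected characters" >&2; exit 1; }` for each key, which also turns a bad paste into a clear failure. `source "$ENV_FILE"` executes the whole .env as shell rather than reading two values, and the `kong.yml.bak` copy leaves the previous keys on disk as a second file; a comment above `cp` noting that the backup holds live credentials and should be removed once the new config is verified would be worth adding.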