FlowFuse · ppawlowski · Jun 2, 2026 · Jun 3, 2026 · Jun 3, 2026 · Jun 3, 2026
diff --git a/helm/flowfuse/README.md b/helm/flowfuse/README.md
@@ -113,10 +113,10 @@ To use STMP to send email
   - `forge.broker.url` URL to access the broker from inside the cluster (default `mqtt://flowforge-broker.[namespace]:1883`)
   - `forge.broker.public_url` URL to access the broker from outside the cluster (default `ws://mqtt.[forge.domain]`, uses `wss://` if `forge.https` is `true`)
   - `forge.broker.hostname` the custom Fully Qualified Domain Name (FQDN) where the broker will be hosted (default `mqtt.[forge.domain]`)
-  - `forge.broker.teamBroker.enabled` Enables Team Broker feature (default `false`)
+  - `forge.broker.teamBroker.enabled` Enables Team Broker feature (default `false`). Requires `forge.broker.enabled=true`
   - `forge.broker.teamBroker.api.url` URL for the Team Broker API (default `http://emqx-dashboard.<release-namespace>:18083`)
-  - `forge.broker.teamBroker.api.key` API key for the Team Broker API (default not set)
-  - `forge.broker.teamBroker.api.secret` API secret for the Team Broker API (default not set)
+  - `forge.broker.teamBroker.api.key` API key name for the Team Broker API (optional; must be set together with `api.secret`)
+  - `forge.broker.teamBroker.api.secret` API secret for the Team Broker API (optional; must be set together with `api.key`)
   - `forge.broker.createMetricsUser` defines if a dedicated MQTT user with broker metrics collection permissions should be created (default `true`)
   - `forge.broker.affinity` allows to configure [affinity or anti-affinity](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity) for the broker pod
   - `forge.broker.resources` allows to configure [resources](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) for the broker container

diff --git a/helm/flowfuse/templates/_helpers.tpl b/helm/flowfuse/templates/_helpers.tpl
@@ -126,7 +126,7 @@ Note: The value for key .Values.postgresql.auth.existingSecret is inherited from
     (not (and .Values.forge.email ((and .Values.forge.email.smtp (not .Values.forge.email.smtp.existingSecret)))))
     (not ((.Values.forge.assistant).enabled))
     (not ((.Values.forge.expert).enabled))
-    (not ((.Values.forge.broker.teamBroker).enabled))) -}}
+    (not (include "forge.teamBrokerApiUsesCustomKey" .))) -}}
 true
 {{- else -}}
 false
@@ -350,11 +350,53 @@ Get the name from the release name.
 {{- end -}}
 
 {{/*
-Get the secret object name with Team Broker secret.
+Determine whether the Team Broker API uses a dedicated, user-supplied credential
+(forge.broker.teamBroker.api.key + api.secret) instead of the shared EMQX bootstrap key.
+Returns "true" only when both api.key and api.secret are provided.
 */}}
-{{- define "forge.teamBrokerSecretName" -}}
-{{- if (.Values.forge.broker.teamBroker).enabled -}}
+{{- define "forge.teamBrokerApiUsesCustomKey" -}}
+{{- if and ((.Values.forge.broker.teamBroker).api).key ((.Values.forge.broker.teamBroker).api).secret -}}
+true
+{{- end -}}
+{{- end -}}
+
+{{/*
+Resolve the Team Broker API key name. Defaults to the shared EMQX bootstrap API key name
+("flowfuse"); when a dedicated credential is supplied, uses forge.broker.teamBroker.api.key.
+*/}}
+{{- define "forge.teamBrokerApiKey" -}}
+{{- if ((.Values.forge.broker.teamBroker).api).key -}}
+    {{- .Values.forge.broker.teamBroker.api.key -}}
+{{- else -}}
+    {{- printf "flowfuse" -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Name of the secret the Team Broker API secret is read from.
+- Dedicated credential: the chart-managed flowfuse-secrets.
+- Shared bootstrap key: broker.existingSecret when provided, else emqx-config-secrets.
+*/}}
+{{- define "forge.teamBrokerApiSecretName" -}}
+{{- if include "forge.teamBrokerApiUsesCustomKey" . -}}
     {{- printf "flowfuse-secrets" -}}
+{{- else if .Values.broker.existingSecret -}}
+    {{- .Values.broker.existingSecret -}}
+{{- else -}}
+    {{- printf "emqx-config-secrets" -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Data key within the Team Broker API secret holding the secret value.
+- Dedicated credential: teamBrokerApiSecret (in flowfuse-secrets).
+- Shared bootstrap key: api_key_secret (in the EMQX secret).
+*/}}
+{{- define "forge.teamBrokerApiSecretKey" -}}
+{{- if include "forge.teamBrokerApiUsesCustomKey" . -}}
+    {{- printf "teamBrokerApiSecret" -}}
+{{- else -}}
+    {{- printf "api_key_secret" -}}
 {{- end -}}
 {{- end -}}
 
@@ -365,17 +407,20 @@ Resolve Team Broker API URL: user-provided value, or default to the in-cluster E
 {{- if ((.Values.forge.broker.teamBroker).api).url -}}
   {{- .Values.forge.broker.teamBroker.api.url -}}
 {{- else -}}
-  {{- printf "http://emqx-dashboard.%s:18083" .Release.Namespace -}}
+  {{- printf "http://emqx-dashboard.%s:18083/api/v5" .Release.Namespace -}}
 {{- end -}}
 {{- end -}}
 
 {{/*
-Create Team Broker API secret
+Render the custom Team Broker API secret into flowfuse-secrets.
+Created when a custom credential is supplied; api.key and api.secret are required together.
 */}}
 {{- define "forge.teamBrokerApiSecret" -}}
-{{- if and (.Values.forge.broker.teamBroker).enabled (.Values.forge.broker.teamBroker).api -}}
-{{- $_ := required "A valid .Values.forge.broker.teamBroker.api.key is required!" .Values.forge.broker.teamBroker.api.key -}}
-{{- $token := required "A valid .Values.forge.broker.teamBroker.api.secret is required!" .Values.forge.broker.teamBroker.api.secret -}}
+{{- if (.Values.forge.broker.teamBroker).enabled -}}
+{{- if or ((.Values.forge.broker.teamBroker).api).key ((.Values.forge.broker.teamBroker).api).secret -}}
+{{- $_ := required "A valid .Values.forge.broker.teamBroker.api.key is required when api.secret is set!" ((.Values.forge.broker.teamBroker).api).key -}}
+{{- $token := required "A valid .Values.forge.broker.teamBroker.api.secret is required when api.key is set!" ((.Values.forge.broker.teamBroker).api).secret -}}
 teamBrokerApiSecret: {{ $token | b64enc | quote }}
 {{- end -}}
-{{- end -}}
+{{- end -}}
+{{- end -}}
diff --git a/helm/flowfuse/templates/configmap.yaml b/helm/flowfuse/templates/configmap.yaml
@@ -224,10 +224,10 @@ data:
       teamBroker:
         enabled: true
         host: {{ include "forge.teamBrokerHost" . }}
-        {{- if .Values.forge.broker.teamBroker.api }}
+        {{- if .Values.forge.broker.teamBroker.enabled }}
         api:
           url: {{ include "forge.teamBrokerApiUrl" . }}
-          key: {{ .Values.forge.broker.teamBroker.api.key }}
+          key: {{ include "forge.teamBrokerApiKey" . }}
           secret: <%= ENV['TEAM_BROKER_API_SECRET'] %>
         {{- end }}
       {{ end -}}

diff --git a/helm/flowfuse/templates/deployment.yaml b/helm/flowfuse/templates/deployment.yaml
@@ -90,12 +90,12 @@ spec:
                 key: expertToken
                 optional: true
         {{- end }}
-        {{- if and (.Values.forge.broker.teamBroker).enabled (.Values.forge.broker.teamBroker).api }}
+        {{- if and .Values.forge.broker.enabled (.Values.forge.broker.teamBroker).enabled }}
           - name: TEAM_BROKER_API_SECRET
             valueFrom:
               secretKeyRef:
-                name: {{ include "forge.teamBrokerSecretName" . }}
-                key: teamBrokerApiSecret
+                name: {{ include "forge.teamBrokerApiSecretName" . }}
+                key: {{ include "forge.teamBrokerApiSecretKey" . }}
                 optional: true
         {{- end }}
       {{- if .Values.forge.localPostgresql }}

diff --git a/helm/flowfuse/templates/emqx.yaml b/helm/flowfuse/templates/emqx.yaml
@@ -83,7 +83,7 @@ spec:
             type: ClusterIP
         {{- end }}
 ---
-{{- if not .Values.broker.exisitingSecret }}
+{{- if not .Values.broker.existingSecret }}
 apiVersion: v1
 kind: Secret
 metadata: