diff --git a/templates/backend-deployment.yaml b/templates/backend-deployment.yaml
index 9207659..59e305f 100644
--- a/templates/backend-deployment.yaml
+++ b/templates/backend-deployment.yaml
@@ -73,6 +73,19 @@ spec:
                   name: {{ .Values.config.existingSecret }}
                   key: CLOUDFLARE_ZONE_ID
                   optional: true
+            # OpenBao token — scoped read-only on v3/data/*. Used to
+            # fetch S3 creds at request time for the backup list +
+            # restore-by-key endpoints. Optional: missing token =
+            # backup-list endpoint returns runs without S3 file
+            # listings (degrades gracefully).
+            - name: TOWER_VAULT_ADDR
+              value: "https://vault.odoosky.org"
+            - name: TOWER_VAULT_TOKEN
+              valueFrom:
+                secretKeyRef:
+                  name: {{ .Values.config.existingSecret }}
+                  key: VAULT_TOKEN
+                  optional: true
           readinessProbe:
             httpGet:
               path: /healthz
diff --git a/values.yaml b/values.yaml
index 5005703..44e6382 100644
--- a/values.yaml
+++ b/values.yaml
@@ -4,7 +4,7 @@ backend:
   enabled: true
   image:
     repository: docker.io/odoosky/tower
-    tag: "0.12.0"
+    tag: "0.13.0"
     pullPolicy: IfNotPresent  # IfNotPresent because the image is in
                               # containerd's k8s.io namespace already
                               # (lab1 single-server). Replace with
@@ -22,7 +22,7 @@ frontend:
   enabled: true
   image:
     repository: docker.io/odoosky/tower-ui
-    tag: "0.11.0"
+    tag: "0.12.0"
     pullPolicy: IfNotPresent
   replicas: 1
   resources: