diff --git a/docs/usage/assets/images/app-settings/add-a-secret.png b/docs/usage/assets/images/app-settings/add-a-secret.png
new file mode 100644
index 0000000000000000000000000000000000000000..7db7c46b8ef5aeaaac2abdb70f6339397254497e
Binary files /dev/null and b/docs/usage/assets/images/app-settings/add-a-secret.png differ
diff --git a/docs/usage/assets/images/app-settings/add-repo-secret.png b/docs/usage/assets/images/app-settings/add-repo-secret.png
new file mode 100644
index 0000000000000000000000000000000000000000..96d6fe719758304bdc85a8577a70587b88ade6b9
Binary files /dev/null and b/docs/usage/assets/images/app-settings/add-repo-secret.png differ
diff --git a/docs/usage/assets/images/app-settings/app-credentials.png b/docs/usage/assets/images/app-settings/app-credentials.png
new file mode 100644
index 0000000000000000000000000000000000000000..40cf67d970309a628d109e164d3d1c02c7efcc0c
Binary files /dev/null and b/docs/usage/assets/images/app-settings/app-credentials.png differ
diff --git a/docs/usage/assets/images/app-settings/encrypted-secrets-error.png b/docs/usage/assets/images/app-settings/encrypted-secrets-error.png
new file mode 100644
index 0000000000000000000000000000000000000000..f7d764b01b9e6198bb4f741b777e10cefddc0b13
Binary files /dev/null and b/docs/usage/assets/images/app-settings/encrypted-secrets-error.png differ
diff --git a/docs/usage/assets/images/app-settings/org-and-repo-secrets.png b/docs/usage/assets/images/app-settings/org-and-repo-secrets.png
new file mode 100644
index 0000000000000000000000000000000000000000..bd3108174c9db719d335bfdf943227b9064f1483
Binary files /dev/null and b/docs/usage/assets/images/app-settings/org-and-repo-secrets.png differ
diff --git a/docs/usage/assets/images/app-settings/org-settings-button.png b/docs/usage/assets/images/app-settings/org-settings-button.png
new file mode 100644
index 0000000000000000000000000000000000000000..61a38b20aed5cde268a60561452c5d9898e0bea7
Binary files /dev/null and b/docs/usage/assets/images/app-settings/org-settings-button.png differ
diff --git a/docs/usage/assets/images/app-settings/repo-settings-button.png b/docs/usage/assets/images/app-settings/repo-settings-button.png
new file mode 100644
index 0000000000000000000000000000000000000000..09ccceeb4193361183f93cb4d8261dec25687ce1
Binary files /dev/null and b/docs/usage/assets/images/app-settings/repo-settings-button.png differ
diff --git a/docs/usage/assets/images/app-settings/stored-secret-encrypted.png b/docs/usage/assets/images/app-settings/stored-secret-encrypted.png
new file mode 100644
index 0000000000000000000000000000000000000000..bf3e46dde7f78ca5bf7e686fa3b98fb859254655
Binary files /dev/null and b/docs/usage/assets/images/app-settings/stored-secret-encrypted.png differ
diff --git a/docs/usage/assets/images/app-settings/stored-secret-plaintext.png b/docs/usage/assets/images/app-settings/stored-secret-plaintext.png
new file mode 100644
index 0000000000000000000000000000000000000000..1b2e5f3e56f5756b24b1dbc96d22148ee4f28a5b
Binary files /dev/null and b/docs/usage/assets/images/app-settings/stored-secret-plaintext.png differ
diff --git a/docs/usage/getting-started/app-secrets.md b/docs/usage/getting-started/app-secrets.md
new file mode 100644
index 0000000000000000000000000000000000000000..ca624437a897ca2397c1b91f13c70dc014f1acbf
--- /dev/null
+++ b/docs/usage/getting-started/app-secrets.md
@@ -0,0 +1,82 @@
+# Using secrets with Mend cloud Apps
+
+The information on this page is for the Mend-hosted cloud apps:
+
+- Renovate App on GitHub
+- Mend App on Bitbucket
+
+If you self-host, you can skip reading this page.
+
+## Migrate secrets in your Renovate config file!
+
+The Mend-hosted cloud app will stop reading secrets from the Renovate config file in your repository on 01-Oct-2024.
+You must migrate any secrets you currently keep in the Renovate config file, and put them in the app settings page on [developer.mend.io](https://developer.mend.io).
+To add secrets you must have admin-level rights.
+
+Read [Migrating encrypted secrets from Repo Config to App Settings](migrating-secrets.md) to learn more.
+
+## Managing secrets for the Mend-hosted cloud apps
+
+This section explains how you manage secrets for the Mend-hosted cloud apps.
+If you self-host you do not need this section.
+
+### Adding a secret
+
+To add a secret for the Mend cloud app:
+
+1. Go to the web UI at [developer.mend.io](https://developer.mend.io).
+2. Open your organization/repository settings.
+3. Put the secret in the _Credentials_ section:
+
+ 
+
+4. Reference the secret from Renovate config files inside the repo.
+
+ ```json
+ {
+ "hostRules": [
+ {
+ "matchHost": "github.com",
+ "token": "{{ secrets.MY-ORG-SECRET-1 }}"
+ }
+ ]
+ }
+ ```
+
+## Organization secrets vs repository secrets
+
+### Secret scope
+
+Secrets can be scoped to your organization _or_ to your repository:
+
+| Secret scoped to your | What will happen? |
+| --------------------- | -------------------------------------------------------------- |
+| Organization | Secrets are inherited by all repositories in your organization |
+| Repository | Secrets are referenced by that repository only |
+
+### Make changes on the right page
+
+The web UI has _two_ settings pages.
+One page is for the organization, and the other page is for the repository.
+
+Make sure you're making the changes on the right page!
+
+### Example
+
+
+
+The screenshot shows inherited organization secrets and specific repository secrets.
+
+### Managing organization-level secrets
+
+The **Installed Repositories** table means you are on your organization's page.
+Select the _Settings_ button to manage your organization secrets:
+
+
+
+### Managing repository-level secrets
+
+The **Recent jobs** table means you are on your repository's page.
+Select the _Settings_ button to manage your repository secrets:
+
+
diff --git a/docs/usage/getting-started/migrating-secrets.md b/docs/usage/getting-started/migrating-secrets.md
new file mode 100644
index 0000000000000000000000000000000000000000..b8819ac636995c561b8fa108262437128b9f2742
--- /dev/null
+++ b/docs/usage/getting-started/migrating-secrets.md
@@ -0,0 +1,91 @@
+# Migrating Secrets from Repo Config to App Settings
+
+On 01-Oct-2024 the Mend Renovate cloud apps will stop reading any encrypted secrets from the Renovate configuration file on your repository.
+Previously, you could encrypt a secret with the [Renovate encryption tool](https://app.renovatebot.com/encrypt) and then put it in your Renovate config file.
+Going forward, all secrets must be stored in the App settings on the cloud.
+They can be referenced from the Renovate config files inside the repo using `{{ secrets.SECRET_NAME }}` notation.
+
+```json title "Deprecated: example of encrypted secrets in Renovate config"
+{
+ "hostRules": [
+ {
+ "matchHost": "github.com",
+ "encrypted": {
+ "token": "drsMDVf6M2hTZCN......+gQm/0Rpw"
+ }
+ }
+ ]
+}
+```
+
+```json "Correct method: reference app secrets in the Renovate config"
+{
+ "hostRules": [
+ {
+ "matchHost": "github.com",
+ "token": "{{ secrets.GITHUB_COM_TOKEN }}"
+ }
+ ]
+}
+```
+
+<!-- prettier-ignore -->
+!!! tip "Migrate your secrets in encrypted form"
+ Mend recommends that you copy your secrets in their _encrypted_ form when you migrate.
+ The web UI will decrypt and store the value securely.
+ Do not change the secret during the migration, as this introduces an extra point of failure.
+ After the migration you can of course change/rotate the secret.
+
+## Migrating encrypted secrets using the encrypted value
+
+1. Copy the encrypted secret from your Renovate config file.
+
+2. Go to the correct settings page for your organization or repository in the web UI at [developer.mend.io](https://developer.mend.io).
+
+3. On the **Credentials** page, select `ADD SECRET` to add the encrypted secret.
+
+4. Give a value for `Secret name`, paste the encrypted secret into the `Secret Value` field, and select `SAVE`.
+
+ > [!NOTE]
+ >
+ > When you migrate a secret from a repository, make sure you are adding the secret to the _same_ organization or repository for which you generated the secret!
+ >
+ > - A secret generated for a specific repository can only be added to that _same_ repository.
+ > - A secret generated for a specific repository can only be added to the repository settings for the matching repository. This secret can _not_ be added to the organization's settings.
+ > - A secret generated without a specific repository _can_ be added into the organization _or_ into the repository settings under that organization.
+
+ When you try to add a secret in the wrong place, the settings UI will help you:
+
+ 
+
+5. When you see the confirmation box with the text: **“Successfully migrated secretâ€**, your secret is now stored in the correct organization or repository.
+
+
+
+> [!IMPORTANT]
+>
+> If the confirmation box does _not_ say **“Successfully migrated secretâ€**, but says: **“Successfully stored secretâ€** then the secret was not detected as a Renovate encrypted secret, and the value was treated as plaintext.
+> If you were expecting to import a secret originally encrypted by Renovate:
+>
+> - Make sure you are pasting the secret into the correct organization or repository
+> - Check that you copied the encrypted secret correctly, and try again.
+
+## To migrate encrypted secrets using the plain text value
+
+1. Go to the settings for the correct organization or repository in the web UI at [developer.mend.io](https://developer.mend.io).
+
+2. On the **Credentials** page, select `ADD SECRET` to add the plaintext secret.
+
+ 
+
+3. Give a value for `Secret name`, paste the plaintext secret into the `Secret Value` field, and select `SAVE`.
+
+ 
+
+4. Wait for the confirmation dialog: **“Successfully stored secretâ€**.
+
+ 
+
+## Related links
+
+- [Using Secrets with Mend Cloud Apps](app-secrets.md)
diff --git a/docs/usage/getting-started/private-packages.md b/docs/usage/getting-started/private-packages.md
index 1aa2ddca721aeca70899c9ac7ebad251ad86a641..2e776a1e2d3198a4e5a8c7c9ffb92c13a6b7f302 100644
--- a/docs/usage/getting-started/private-packages.md
+++ b/docs/usage/getting-started/private-packages.md
@@ -585,30 +585,33 @@ The solution to this is that you should break your presets into public and priva
It is strongly recommended that you avoid committing secrets to repositories, including private ones, and this includes secrets needed by Renovate to access private modules.
The preferred approach to secrets is that the bot administrator configures them as `hostRules` which are then applied to all repositories which the bot accesses.
+<!-- prettier-ignore -->
+!!! warning "Store secrets for your Mend-hosted app via the web UI"
+ Mend no longer supports putting encrypted secrets in the Renovate config file on your repository.
+ Going forward, all secrets must be stored in the App settings via the web UI.
+ If you have encrypted secrets in your Renovate config, you must migrate them to the web UI.
+ Read [Migrating Secrets from Repo Config to App Settings](migrating-secrets.md) to learn how.
+
If you need to provide credentials to the Mend Renovate App, please do this:
-- Encrypt each secret string using <https://app.renovatebot.com/encrypt>. Note: this encrypts using the app's public key fully in the browser and does not send the original secret to any server. You can download this file and perform the encryption fully offline if you like.
-- Wrap each secret field in an [encrypted](../configuration-options.md#encrypted) object and paste in the encrypted secret value instead. An example is shown below:
+1. Add each secret string in the Credentials section of Organisation or Repository settings in the web UI at [http://developer.mend.io](http://developer.mend.io).
-```json
-{
- "hostRules": [
- {
- "matchHost": "registry.npmjs.org",
- "encrypted": {
- "token": "3f832f2983yf89hsd98ahadsjfasdfjaslf............"
- }
- },
- {
- "matchHost": "https://custom.registry.company.com/pypi/",
- "username": "bot1",
- "encrypted": {
- "password": "p278djfdsi9832jnfdshufwji2r389fdskj........."
- }
- }
- ]
-}
-```
+ 
+
+2. Reference secrets inside your Renovate config files with notation: `{{ secrets.YOUR_SECRET }}`.
+
+ ```json
+ {
+ "hostRules": [
+ {
+ "matchHost": "github.com",
+ "token": "{{ secrets.GITHUB_COM_TOKEN }}"
+ }
+ ]
+ }
+ ```
+
+For more details, see [Using Secrets with Mend Cloud Apps](app-secrets.md).
### Access to GitHub Actions Secrets