diff --git a/.gitignore b/.gitignore index cdcc0eaf..760139fc 100644 --- a/.gitignore +++ b/.gitignore @@ -4,6 +4,8 @@ ## Docker ## Dockerfile-x +secrets.json + ## FoundryVTT ## cookiejar.json diff --git a/Dockerfile b/Dockerfile index a38870c1..4acbdbb1 100644 --- a/Dockerfile +++ b/Dockerfile @@ -27,6 +27,10 @@ ARG FOUNDRY_USERNAME ARG FOUNDRY_VERSION ENV ARCHIVE="foundryvtt-${FOUNDRY_VERSION}.zip" +# Need jq for reading secret during build +RUN apk --update --no-cache add \ + jq + WORKDIR /root COPY --from=compile-typescript-stage \ /root/package.json \ @@ -37,7 +41,12 @@ COPY --from=compile-typescript-stage \ ./ # .placeholder file to mitigate https://github.com/moby/moby/issues/37965 RUN mkdir dist && touch dist/.placeholder -RUN \ +RUN --mount=type=secret,id=config_json,target="/run/secrets/config.json",required=false \ + secret_file="/run/secrets/config.json" && \ + secret_password=$(jq --exit-status --raw-output .foundry_password ${secret_file} || echo) && \ + secret_username=$(jq --exit-status --raw-output .foundry_username ${secret_file} || echo) && \ + FOUNDRY_PASSWORD=${secret_password:-${FOUNDRY_PASSWORD:-}} && \ + FOUNDRY_USERNAME=${secret_username:-${FOUNDRY_USERNAME:-}} && \ if [ -n "${FOUNDRY_USERNAME}" ] && [ -n "${FOUNDRY_PASSWORD}" ]; then \ npm install && \ ./authenticate.js "${FOUNDRY_USERNAME}" "${FOUNDRY_PASSWORD}" cookiejar.json && \ diff --git a/README.md b/README.md index 80b10285..5a47af3a 100644 --- a/README.md +++ b/README.md @@ -372,6 +372,8 @@ resulting in a faster startup. It also moves the user authentication to build-time instead of start-time. **Note**: Credentials are only used to fetch a distribution, and are not stored in the resulting image. +### Credentials ### + Build the image with credentials: ```console 
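Review bot: `--update` is redundant next to `--no-cache` in the added `apk` line, because `--no-cache` already fetches a fresh package index without storing it; `RUN apk --no-cache add jq` does the same thing. The comment above it could also name the secret it serves, for example `# jq reads foundry_username/foundry_password from the optional config_json build secret`, so the dependency is easy to remove if the secret handling changes.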
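Review bot: A secrets file that lacks `foundry_password` or `foundry_username` produces the literal string `null` in the two added `jq` lines. `jq --raw-output` still prints `null` on stdout when `--exit-status` makes it return non-zero, and the `|| echo` only appends a newline. That non-empty `null` then takes precedence over the `FOUNDRY_PASSWORD`/`FOUNDRY_USERNAME` build args in the `${secret_password:-…}` fallbacks and passes the `[ -n … ]` test, so the build would attempt to authenticate with `null` instead of falling back or skipping. Using jq's alternative operator keeps the value empty when the key or the file is absent, e.g. `secret_password=$(jq --raw-output '.foundry_password // empty' "${secret_file}" 2>/dev/null || true)`, and likewise for the username; this also quotes `${secret_file}`. The `RUN` instruction continues past the end of the hunk.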
@@ -383,6 +385,20 @@ docker build \ https://github.com/felddy/foundryvtt-docker.git#develop ``` +### Secrets file ### + +Follow the [Using secrets](#using-secrets) section to create a secrets.json file and then add the secret to the build with the `--secret` argument. The Dockerfile expects the file to use `id=config_json`. + +```console +docker build \ + --build-arg VERSION=12.331.0 \ + --secret id=config_json,src=secrets.json \ + --tag felddy/foundryvtt:12.331.0 \ + https://github.com/felddy/foundryvtt-docker.git#develop +``` + +### Temporary URL ### + Or build the image using a temporary URL: ```console