diff --git a/CHANGELOG.md b/CHANGELOG.md
index 7b4ce9b4243dee8779554927d64cc7221c6db7f3..f8dbcfaa13b802ba02283127c429dec96152ea27 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,5 +1,9 @@
 # Changelog
 
+## Unreleased
+
+* Allow setting SCIM token for use with the `scimserviceprovider` app.
+
 ## [0.15.20] - 2023-12-21
 
 * Fix logic to decide source of nextcloud apps: pinned from upstream repo, or
diff --git a/templates/nextcloud-onlyoffice-config.yaml b/templates/nextcloud-onlyoffice-config.yaml
index c8402f20d1d037c93346da614c1493155cbe49a4..442c359968573f5c18432ab1454e3319545fbe0a 100644
--- a/templates/nextcloud-onlyoffice-config.yaml
+++ b/templates/nextcloud-onlyoffice-config.yaml
@@ -13,6 +13,8 @@ data:
   setup-apps.sh: |
     #!/bin/bash
 
+    set -o errexit
+
     # This script gets executed by the Kubernetes Job `{{ .Release.Name }}-setup-apps`,
     # which gets created by Helm after every chart install and upgrade.
     #
@@ -180,6 +182,10 @@ data:
     run_as "php $occ db:add-missing-primary-keys --no-interaction"
     run_as "php $occ db:convert-filecache-bigint --no-interaction"
 
+    {{- if .Values.scim.token }}
+    set -x
+    run_as "php $occ config:app:set scimserviceprovider jwt-secret --value="'"{{ .Values.scim.token }}"'
+    {{- end }}
   #
   # All values in config.json are applied by the nextcloud occ command
   #   config:import.
diff --git a/values-local.yaml.example b/values-local.yaml.example
index bf300d15d8c5d79d19dc4cacdfa88fdf0f9e1305..a3fa4a2198fca1bb454d2309a03e94913e056bf7 100644
--- a/values-local.yaml.example
+++ b/values-local.yaml.example
@@ -93,3 +93,7 @@ rabbitmq:
 #   # clientSecret: YouReallyNeedToChangeThis
 #   logoutUrl: https://sso.stackspin.example.net/oauth2/sessions/logout
 #   loginButtonText: Log in with OIDC
+
+scim:
+  url: "https://files.example.com/index.php/apps/scimserviceprovider/"
+  token: JWT token
diff --git a/values.yaml b/values.yaml
index a33bd8d46928b8679aec6a4515b98da1329d2703..e26f9859887ff2d1051f96119e507b4d604bf24f 100644
--- a/values.yaml
+++ b/values.yaml
@@ -207,6 +207,10 @@ oidc:
   logoutUrl: https://sso.stackspin.example.net/oauth2/sessions/logout
   loginButtonText: Log in with OIDC
 
+scim: {}
+  # url: ...
+  # token: ...
+
 tests:
   image:
     # https://hub.docker.com/r/cypress/included/tags