diff --git a/python/helpers/login.py b/python/helpers/login.py
index 046f6131d..2b02c5701 100644
--- a/python/helpers/login.py
+++ b/python/helpers/login.py
@@ -3,13 +3,13 @@ import hashlib
 
 
 def get_credentials_hash():
-    user = dotenv.get_dotenv_value("AUTH_LOGIN")
-    password = dotenv.get_dotenv_value("AUTH_PASSWORD")
+    user = dotenv.get_dotenv_value(dotenv.KEY_AUTH_LOGIN)
+    password = dotenv.get_dotenv_value(dotenv.KEY_AUTH_PASSWORD)
     if not user:
         return None
     return hashlib.sha256(f"{user}:{password}".encode()).hexdigest()
 
 
 def is_login_required():
-    user = dotenv.get_dotenv_value("AUTH_LOGIN")
+    user = dotenv.get_dotenv_value(dotenv.KEY_AUTH_LOGIN)
     return bool(user)
diff --git a/python/helpers/settings.py b/python/helpers/settings.py
index 5064c8c30..3d3efa899 100644
--- a/python/helpers/settings.py
+++ b/python/helpers/settings.py
@@ -359,6 +359,7 @@ def get_settings() -> Settings:
     if not _settings:
         _settings = get_default_settings()
     norm = normalize_settings(_settings)
+    _load_sensitive_settings(norm)
     return norm
 
 
@@ -380,7 +381,7 @@ def set_settings(settings: Settings, apply: bool = True):
     _write_settings_file(_settings)
     if apply:
         _apply_settings(previous)
-    return _settings
+    return reload_settings()
 
 
 def set_settings_delta(delta: dict, apply: bool = True):
@@ -436,6 +437,29 @@ def _adjust_to_version(settings: Settings, default: Settings):
 
 
 
+def _load_sensitive_settings(settings: Settings):
+    # load api keys from .env
+    providers = get_providers("chat") + get_providers("embedding")
+    for provider in providers:
+        provider_name = provider["value"]
+        api_key = settings["api_keys"].get(provider_name) or models.get_api_key(provider_name)
+        if api_key and api_key != "None":
+            settings["api_keys"][provider_name] = api_key
+
+    # load auth fields from .env
+    settings["auth_login"] = dotenv.get_dotenv_value(dotenv.KEY_AUTH_LOGIN) or ""
+    settings["auth_password"] = dotenv.get_dotenv_value(dotenv.KEY_AUTH_PASSWORD) or ""
+    settings["rfc_password"] = dotenv.get_dotenv_value(dotenv.KEY_RFC_PASSWORD) or ""
+    settings["root_password"] = dotenv.get_dotenv_value(dotenv.KEY_ROOT_PASSWORD) or ""
+
+    # load secrets raw content
+    secrets_manager = get_default_secrets_manager()
+    try:
+        settings["secrets"] = secrets_manager.read_secrets_raw()
+    except Exception:
+        settings["secrets"] = ""
+
+
 def _read_settings_file() -> Settings | None:
     if os.path.exists(SETTINGS_FILE):
         content = files.read_file(SETTINGS_FILE)