diff --git a/src/infrastructure/config/settings.py b/src/infrastructure/config/settings.py
index eb31a11..e17a4cd 100644
--- a/src/infrastructure/config/settings.py
+++ b/src/infrastructure/config/settings.py
@@ -84,7 +84,8 @@ class Settings(BaseSettings):
     RABBIT_CONNECT_TIMEOUT: int = 5
     RABBIT_EMAIL_CODE_QUEUE: str = "email.verification_code"
 
-    ITPAY_AUTHORIZATION: str
+    ITPAY_PUBLIC_ID: str
+    ITPAY_API_SECRET: str
 
     LOG_LEVEL: Literal["DEBUG", "INFO", "WARNING", "ERROR", "CRITICAL"] = "INFO"
     LOG_FORMAT: Literal["JSON", "TEXT"] = "TEXT"
@@ -151,7 +152,6 @@ class Settings(BaseSettings):
         database = read_secret('database')
         csrf = read_secret_optional('csrf')
         rabbitmq = read_secret_optional('rabbitmq')
-        itpay = read_secret_optional('itpay')
 
         db_ci = {str(k).lower(): v for k, v in database.items()}
 
@@ -200,11 +200,27 @@ class Settings(BaseSettings):
             rb_set('password','RABBIT_PASSWORD')
             rb_set('vhost','RABBIT_VHOST')
 
-        if itpay:
+        itpay_public_id = data.get('ITPAY_PUBLIC_ID') or os.getenv('ITPAY_PUBLIC_ID')
+        itpay_api_secret = data.get('ITPAY_API_SECRET') or os.getenv('ITPAY_API_SECRET')
+        if itpay_public_id is not None and str(itpay_public_id).strip() and itpay_api_secret is not None and str(itpay_api_secret).strip():
+            data['ITPAY_PUBLIC_ID'] = str(itpay_public_id).strip()
+            data['ITPAY_API_SECRET'] = str(itpay_api_secret).strip()
+        else:
+            itpay = read_secret('itpay')
             itpay_ci = {str(k).lower(): v for k, v in itpay.items()}
-            secret = itpay_ci.get('secret')
-            if secret is not None and str(secret).strip():
-                data['ITPAY_AUTHORIZATION'] = f'Token {str(secret).strip()}'
+            public_id = itpay_ci.get('public_id')
+            api_secret = itpay_ci.get('api_secret')
+            if api_secret is None:
+                api_secret = itpay_ci.get('secret')
+            missing = []
+            if public_id is None or not str(public_id).strip():
+                missing.append('public_id')
+            if api_secret is None or not str(api_secret).strip():
+                missing.append('api_secret')
+            if missing:
+                raise RuntimeError(f'Vault secret itpay missing non-empty keys: {missing} (mount={mount},path=itpay)')
+            data['ITPAY_PUBLIC_ID'] = str(public_id).strip()
+            data['ITPAY_API_SECRET'] = str(api_secret).strip()
 
         return data
 
diff --git a/src/presentation/routing/order.py b/src/presentation/routing/order.py
index 56dde64..f1fb30e 100644
--- a/src/presentation/routing/order.py
+++ b/src/presentation/routing/order.py
@@ -52,14 +52,14 @@ async def create_order(
     }
     url = f'{ITPAY_API_BASE}/v1/payments'
     headers = {
-        'Authorization': settings.ITPAY_AUTHORIZATION,
         'Content-Type': 'application/json',
         'Accept': 'application/json',
     }
     try:
         timeout = aiohttp.ClientTimeout(total=30)
         async with aiohttp.ClientSession(timeout=timeout) as session:
-            async with session.post(url, json=payload, headers=headers) as resp:
+            auth = aiohttp.BasicAuth(settings.ITPAY_PUBLIC_ID, settings.ITPAY_API_SECRET)
+            async with session.post(url, json=payload, headers=headers, auth=auth) as resp:
                 response_text = await resp.text()
                 try:
                     response_json = json.loads(response_text)