diff --git a/mastodon/kustomization.yaml b/mastodon/kustomization.yaml
index 95ae436..d6119b9 100644
--- a/mastodon/kustomization.yaml
+++ b/mastodon/kustomization.yaml
@@ -12,6 +12,7 @@ resources:
 - pvc-assets.yaml
 - pvc-system.yaml
 - db-init-job.yaml
+ - vapid-init-job.yaml
 - deployment-web.yaml
 - deployment-sidekiq.yaml
 - deployment-streaming.yaml
diff --git a/mastodon/manifest.yaml b/mastodon/manifest.yaml
index 55a6da0..e4ca378 100644
--- a/mastodon/manifest.yaml
+++ b/mastodon/manifest.yaml
@@ -51,9 +51,9 @@ defaultSecrets:
 - key: otpSecret
 default: "{{ random.AlphaNum 128 }}"
 - key: vapidPrivateKey
- # Must be generated with: bundle exec rake mastodon:webpush:generate_vapid_key
+ # Generated by vapid-init-job.yaml on first deploy
 - key: vapidPublicKey
- # Must be generated with: bundle exec rake mastodon:webpush:generate_vapid_key
+ # Generated by vapid-init-job.yaml on first deploy
 - key: activeRecordPrimaryKey
 default: "{{ random.AlphaNum 32 }}"
 - key: activeRecordDeterministicKey
diff --git a/mastodon/vapid-init-job.yaml b/mastodon/vapid-init-job.yaml
new file mode 100644
index 0000000..b13841b
--- /dev/null
+++ b/mastodon/vapid-init-job.yaml
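Review bot: The replacement comment `# Generated by vapid-init-job.yaml on first deploy` on the vapidPrivateKey and vapidPublicKey entries overstates what the job does — the new vapid-init-job.yaml only prints the generated pair to its log and tells the operator to add the values to secrets.yaml by hand, so a reader of manifest.yaml would expect the secret to be populated automatically when it is not. Suggest `# Printed by vapid-init-job.yaml on first deploy; copy both values into secrets.yaml manually`, and since neither key has a default here, it is worth saying whether the deployment runs without web push until they are set. The defaultSecrets list continues outside the hunk.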
@@ -0,0 +1,68 @@
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: mastodon-vapid-init
+ namespace: {{ .namespace }}
+spec:
+ ttlSecondsAfterFinished: 300
+ template:
+ metadata:
+ labels:
+ component: vapid-init
+ spec:
+ restartPolicy: OnFailure
+ securityContext:
+ runAsNonRoot: true
+ runAsUser: 991
+ runAsGroup: 991
+ fsGroup: 991
+ seccompProfile:
+ type: RuntimeDefault
+ containers:
+ - name: vapid-init
+ image: {{ .image }}
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop: [ALL]
+ readOnlyRootFilesystem: false
+ command:
+ - sh
+ - -c
+ - |
+ set -e
+
+ # Check if VAPID keys already exist in the secret
+ if [ -n "$VAPID_PRIVATE_KEY" ] && [ "$VAPID_PRIVATE_KEY" != "null" ] && \
+ [ -n "$VAPID_PUBLIC_KEY" ] && [ "$VAPID_PUBLIC_KEY" != "null" ]; then
+ echo "VAPID keys already exist in secret, skipping generation"
+ exit 0
+ fi
+
+ echo "Generating VAPID keys..."
+ bundle exec rake mastodon:webpush:generate_vapid_key > /tmp/vapid_output.txt
+
+ echo "VAPID keys generated:"
+ cat /tmp/vapid_output.txt
+
+ echo ""
+ echo "NOTE: These keys must be manually added to secrets.yaml:"
+ echo " apps.mastodon.vapidPrivateKey: "
+ echo " apps.mastodon.vapidPublicKey: "
+ env:
+ - name: VAPID_PRIVATE_KEY
+ valueFrom:
+ secretKeyRef:
+ name: mastodon-secrets
+ key: vapidPrivateKey
+ optional: true
+ - name: VAPID_PUBLIC_KEY
+ valueFrom:
+ secretKeyRef:
+ name: mastodon-secrets
+ key: vapidPublicKey
+ optional: true
+ - name: RAILS_ENV
+ value: production
+ - name: LOCAL_DOMAIN
+ value: "{{ .domain }}"
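Review bot: The newly generated VAPID private key is written to pod stdout by `cat /tmp/vapid_output.txt`, so it lands in pod logs and in whatever log-collection pipeline the cluster runs, where it is readable by anyone with pods/log access and is retained well beyond `ttlSecondsAfterFinished: 300`. Since the job's design is for the operator to copy the values out of the log, at minimum state that at the top of the manifest, e.g. `# NOTE: this job prints the generated VAPID private key to its log; treat the log as secret material and rotate the key if it was exposed`, and consider having the job write the pair into the mastodon-secrets Secret through a ServiceAccount scoped to that one Secret instead of printing it. Because the skip check only fires once both keys are present in the secret, every re-run before the operator has copied the values prints a fresh, different pair, so the pair that eventually ends up in secrets.yaml may not match what an earlier log showed — a one-line comment above the `if` saying re-runs regenerate would save confusion. `readOnlyRootFilesystem: false` exists only to allow /tmp/vapid_output.txt; an emptyDir mounted at /tmp, or letting the rake task write straight to stdout, would allow it to be set to true.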